Edit tour

Windows Analysis Report
WinSitu-5.7.8.0.msi

Overview

General Information

Sample name:	WinSitu-5.7.8.0.msi
Analysis ID:	1545012
MD5:	7bbc1c706fa3dc23782db860555f1cda
SHA1:	a7597fb7d007a4b82d8626c25bcbed2b5d28d1ed
SHA256:	7c52536c77cc7a3ebea7273084d70305349503e84649682c3ead73317a775ef3
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Infects executable files (exe, dll, sys, html)

Sample is not signed and drops a device driver

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Msiexec Execute Arbitrary DLL

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6356 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WinSitu-5.7.8.0.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6452 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5000 cmdline: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx" MD5: 9D09DC1EDA745A5F87553048E57620CF)

USBInst.exe (PID: 7004 cmdline: "C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe" MD5: 196C5F7AB6FB7D1B6B32813449CC9511)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

Sigma detected: Suspicious Msiexec Execute Arbitrary DLL

Source: Process started

Author: frack113: Data: Command: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx", CommandLine: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msiexec.exe, NewProcessName: C:\Windows\SysWOW64\msiexec.exe, OriginalFileName: C:\Windows\SysWOW64\msiexec.exe, ParentCommandLine: C:\Windows\system32\msiexec.exe /V, ParentImage: C:\Windows\System32\msiexec.exe, ParentProcessId: 6452, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx", ProcessId: 5000, ProcessName: msiexec.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\InSitu\WinSitu\Software License.rtf

Jump to behavior

Source:	Binary string: d:\difx\source\base\pnp\dfx\dpinst\obj\amd64\DpInst.pdb source: DPInstx64.exe.1.dr
Source:	Binary string: c:\develo~1\cdm\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdb source: ftcserco.dll0.1.dr
Source:	Binary string: C:\legacysoftware\WinSitu Desktop\Code\Release\ParseVuSituDataFileDll.pdb** source: ParseVuSituDataFileDll.dll.1.dr
Source:	Binary string: c:\develo~1\cdm\coinst\ftcserco\objfre_wnet_x86\i386\ftcserco.pdb source: ftcserco.dll.1.dr
Source:	Binary string: c:\Development\CDM\d2xxdll\Release\FTD2XX.pdb source: ftd2xx.dll.1.dr
Source:	Binary string: c:\develo~1\cdm\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdbH source: ftcserco.dll0.1.dr
Source:	Binary string: C:\legacysoftware\WinSitu Desktop\Code\Release\ParseVuSituDataFileDll.pdb source: ParseVuSituDataFileDll.dll.1.dr
Source:	Binary string: f:\binaries.x86ret\bin\i386\mfc140u.i386.pdb source: mfc140u.dll.1.dr
Source:	Binary string: c:\Users\waynekp\Documents\Visual Studio 2005\Projects\USBInst\code\Release\USBInst.pdb source: USBInst.exe, 00000007.00000000.2532713732.0000000000434000.00000002.00000001.01000000.00000004.sdmp, USBInst.exe, 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: d:\difx\source\base\pnp\dfx\dpinst\obj\amd64\DpInst.pdb8 source: DPInstx64.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_0040F0B4 __EH_prolog3,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,

7_2_0040F0B4

Source: ParseVuSituDataFileDll.dll.1.dr	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: MSIB1C3.tmp.1.dr	String found in binary or memory: http://www.in-situ.com/Support

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_00408B41 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,

7_2_00408B41

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftdibus.sys

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6bacb2.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{77911F23-6E44-405E-BC55-34D549DB64B2}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB1C3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\concrt140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_853F67D554F05449430E7E.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_288987BFEB08B712E2C981.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_A89184D00202F7F1765B04.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_9512E0AD78DB887D16D994.exe	Jump to behavior

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0040A308	7_2_0040A308
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0042F020	7_2_0042F020
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0041E1C9	7_2_0041E1C9
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_004201F0	7_2_004201F0
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0042E41E	7_2_0042E41E
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_004274A9	7_2_004274A9
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0041E59D	7_2_0041E59D
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_00424719	7_2_00424719
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_004307EA	7_2_004307EA
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0042E960	7_2_0042E960
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0041E9A9	7_2_0041E9A9
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0041DCF6	7_2_0041DCF6
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0041EDC9	7_2_0041EDC9
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0042DEDC	7_2_0042DEDC

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: String function: 0040BF96 appears 31 times
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: String function: 0041F7C1 appears 137 times
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: String function: 0042018C appears 50 times
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: String function: 0041F7F4 appears 39 times

Source: USBInst.exe.1.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: classification engine

Classification label: sus36.spre.winMSI@6/112@0/0

Source: LogoVerificationReport.pdf.1.dr

Initial sample: http://winqual.microsoft.com

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_00405F11 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3_catch,FindResourceW,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

7_2_00405F11

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\InSitu

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\Documents\WinSitu Data

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFE080A742D8EFE46F.TMP

Jump to behavior

Source: Yara match

File source: C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx, type: DROPPED

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Key opened: HKEY_USERSS-1-5-18\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WinSitu-5.7.8.0.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe "C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe "C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iopc2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Section loaded: textshaping.dll	Jump to behavior

Source: Win-Situ 5.lnk.1.dr	LNK file: ..\..\..\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_A89184D00202F7F1765B04.exe
Source: Win-Situ 5.lnk0.1.dr	LNK file: ..\..\..\..\..\..\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_9512E0AD78DB887D16D994.exe
Source: Win-Situ 5 Release Notes.lnk.1.dr	LNK file: ..\..\..\..\..\..\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_288987BFEB08B712E2C981.exe

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: I Agree
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: WinSitu-5.7.8.0.msi

Static file information: File size 36761088 > 1048576

Source:	Binary string: d:\difx\source\base\pnp\dfx\dpinst\obj\amd64\DpInst.pdb source: DPInstx64.exe.1.dr
Source:	Binary string: c:\develo~1\cdm\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdb source: ftcserco.dll0.1.dr
Source:	Binary string: C:\legacysoftware\WinSitu Desktop\Code\Release\ParseVuSituDataFileDll.pdb** source: ParseVuSituDataFileDll.dll.1.dr
Source:	Binary string: c:\develo~1\cdm\coinst\ftcserco\objfre_wnet_x86\i386\ftcserco.pdb source: ftcserco.dll.1.dr
Source:	Binary string: c:\Development\CDM\d2xxdll\Release\FTD2XX.pdb source: ftd2xx.dll.1.dr
Source:	Binary string: c:\develo~1\cdm\coinst\ftcserco\objfre_wnet_amd64\amd64\ftcserco.pdbH source: ftcserco.dll0.1.dr
Source:	Binary string: C:\legacysoftware\WinSitu Desktop\Code\Release\ParseVuSituDataFileDll.pdb source: ParseVuSituDataFileDll.dll.1.dr
Source:	Binary string: f:\binaries.x86ret\bin\i386\mfc140u.i386.pdb source: mfc140u.dll.1.dr
Source:	Binary string: c:\Users\waynekp\Documents\Visual Studio 2005\Projects\USBInst\code\Release\USBInst.pdb source: USBInst.exe, 00000007.00000000.2532713732.0000000000434000.00000002.00000001.01000000.00000004.sdmp, USBInst.exe, 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: d:\difx\source\base\pnp\dfx\dpinst\obj\amd64\DpInst.pdb8 source: DPInstx64.exe.1.dr

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_00429D42 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

7_2_00429D42

Source: mfc140.dll.1.dr	Static PE information: section name: .didat
Source: mfc140u.dll.1.dr	Static PE information: section name: .didat
Source: DPInstx86.exe.1.dr	Static PE information: section name: Shared
Source: DPInstx64.exe.1.dr	Static PE information: section name: Shared
Source: ftser2k.sys.1.dr	Static PE information: section name: PAGESRP0
Source: ftser2k.sys.1.dr	Static PE information: section name: PAGESER
Source: vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536.1.dr	Static PE information: section name: _RDATA
Source: msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536.1.dr	Static PE information: section name: .didat
Source: vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536.1.dr	Static PE information: section name: minATL
Source: ftser2k.sys0.1.dr	Static PE information: section name: PAGESRP0
Source: ftser2k.sys0.1.dr	Static PE information: section name: PAGESER

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_004201D1 push ecx; ret		7_2_004201E4
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0041F899 push ecx; ret		7_2_0041F8AC

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfc140u.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	System file written: C:\Windows\SysWOW64\mfcm140.dll	Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftdibus.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftser2k.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftser2k.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftdibus.sys	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftlang.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftcserco.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\ftd2xx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\ParseVuSituDataFileDll.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftser2k.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\InSitu\PostLevelCorrection.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 6bacb7.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftser2k.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftbusui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 6bacb4.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftserui2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\WinSitu.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftbusui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftserui2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 6bacb5.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftlang.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftdibus.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftd2xx64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftcserco.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftdibus.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\InSitu\LowFlow.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\concrt140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftd2xx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 6bacb6.rbf (copy)	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\concrt140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\concrt140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\InSitu\WinSitu\Software License.rtf

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\In-Situ Inc	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\In-Situ Inc\Win-Situ 5 Release Notes.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\In-Situ Inc\Win-Situ 5.lnk	Jump to behavior

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_00401380 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		7_2_00401380
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_00406358 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,		7_2_00406358

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftlang.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftcserco.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\ftd2xx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\ParseVuSituDataFileDll.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftser2k.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\InSitu\PostLevelCorrection.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 6bacb7.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftser2k.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftbusui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 6bacb4.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftserui2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\WinSitu.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftbusui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftserui2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 6bacb5.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftlang.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftdibus.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftd2xx64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftcserco.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftdibus.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\InSitu\LowFlow.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\concrt140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftd2xx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 6bacb6.rbf (copy)	Jump to dropped file

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

API coverage: 6.7 %

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_0040F0B4 __EH_prolog3,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,

7_2_0040F0B4

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_0042166F VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

7_2_0042166F

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_0041D7E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_0041D7E4

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_00429D42 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

7_2_00429D42

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_0041D5FB GetStartupInfoW,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,___crtGetCommandLineW,___crtGetEnvironmentStringsW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln,

7_2_0041D5FB

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0042838B _raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0042838B
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_0041D7E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0041D7E4
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_00421869 SetUnhandledExceptionFilter,	7_2_00421869
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: 7_2_00423BAF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00423BAF

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx"			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe "C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe"			Jump to behavior

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_0042AE9C cpuid

7_2_0042AE9C

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: _wcscpy_s,__snprintf_s,GetLocaleInfoW,PathFindFileNameW,GetModuleHandleW,GetProcAddress,LoadLibraryExW,	7_2_00402FD2
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	7_2_0043157C
Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	Code function: GetLocaleInfoA,	7_2_0042CEFB

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_004229D2 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_004229D2

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_004294E3 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

7_2_004294E3

Source: C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Code function: 7_2_00403264 __EH_prolog3,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,GetModuleFileNameW,GetVersion,RegOpenKeyExW,RegQueryValueExW,_sscanf,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,RegCloseKey,GetModuleHandleW,EnumResourceLanguagesW,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,

7_2_00403264

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	1 Native API	1 Windows Service	1 Windows Service	32 Masquerading	1 Input Capture	2 System Time Discovery	1 Taint Shared Content	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Process Injection	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	35 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WinSitu-5.7.8.0.msi	0%	ReversingLabs
WinSitu-5.7.8.0.msi	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
6bacb4.rbf (copy)	0%	ReversingLabs
6bacb5.rbf (copy)	0%	ReversingLabs
6bacb6.rbf (copy)	0%	ReversingLabs
6bacb7.rbf (copy)	0%	ReversingLabs
C:\Program Files (x86)\Common Files\InSitu\LowFlow.exe	0%	ReversingLabs
C:\Program Files (x86)\Common Files\InSitu\PostLevelCorrection.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\ParseVuSituDataFileDll.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInst.exe	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx64.exe	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx86.exe	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftbusui.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftcserco.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftd2xx64.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftdibus.sys	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftlang.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftser2k.sys	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftserui2.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftbusui.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftcserco.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftd2xx.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftdibus.sys	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftlang.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftser2k.sys	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftserui2.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\WinSitu.exe	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\ftd2xx.dll	0%	ReversingLabs
C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\concrt140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140u.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfcm140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfcm140u.dll	0%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.in-situ.com/Support	MSIB1C3.tmp.1.dr	false		unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd	ParseVuSituDataFileDll.dll.1.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545012
Start date and time:	2024-10-30 01:07:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WinSitu-5.7.8.0.msi
Detection:	SUS
Classification:	sus36.spre.winMSI@6/112@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 111
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
6bacb5.rbf (copy)	windisc.exe	Get hash	malicious	Discord Token Stealer	Browse
	EgnyteConnectWin.msi	Get hash	malicious	Unknown	Browse
	EgnyteDesktopApp_3.15.3_136.msi	Get hash	malicious	Unknown	Browse
	EgnyteConnectWin.msi	Get hash	malicious	Unknown	Browse
	fud.exe	Get hash	malicious	Unknown	Browse
	tVf866r8BJ.exe	Get hash	malicious	Unknown	Browse
	loki.exe	Get hash	malicious	Unknown	Browse
	https://egnyte-cdn.egnyte.com/webedit/win/en-us/2.4.6/EgnyteWebEdit_2.4.6_35.msi?_ga=2.221598877.401481166.1655739507-312143159.1655739507&_gac=1.222439145.1655739974.CjwKCAjwtcCVBhA0EiwAT1fY75KXVtu-7HAQFqjCHzk8rIPCNofxIgrD0o1uBai_HySqtgiTerIt1BoCP2gQAvD_BwE	Get hash	malicious	GhostRat	Browse
	8RVyaW3YT4.exe	Get hash	malicious	Unknown	Browse
	o6NoeQUUX0.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

6bacb4.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4705056
Entropy (8bit):	7.05731700691555
Encrypted:	false
SSDEEP:	98304:J9xt9uDvWEuw9RPnmxQipCGecmmi4gFLOAkGkzdnEVomFHKnPHP:Rw/e3pCGecmp4gFLOyomFHKnPHP
MD5:	F20805208EC4FF6C1E1EFF26F07DA820
SHA1:	32797FC5F177068922CC11655C6686A89E9EC397
SHA-256:	DB4609E6056F1A2B1B4628082FAE0DBA537C6CEC2AC05E68DC2CDC725C22205A
SHA-512:	9CECF79301369467E3365D7481A966C0CD219932C3E3842173E2C8E929F0141D05D4C358FBC117E50CDC7B8A52690E409ADBDD75F9F90541E859675C6C9B8F0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......OZ;,.;U..;U..;U.....;U.....;U.....;U.....;U..C...;U.0eT~.;U.0eV~.;U.0eQ~.;U.0eP~.;U.....;U..;T..?U.0e\~.:U.0eU~.;U.0e...;U.0eW~.;U.Rich.;U.........................PE..L...D..Z.........."!......-......... .).......-..............................0H.......G...@A........................ .-..............p/...............G. ?....E.....0~..8...................h~..........@.....................,......................text.....-.......-................. ..`.data.........-.......-.............@....idata...T.......V..................@..@.didat.......P/.....................@....tls.........`/.....................@....rsrc........p/.....................@..@.reloc........E......tD.............@..B................................................................................................................................................................................

6bacb5.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4775200
Entropy (8bit):	7.037261707280988
Encrypted:	false
SSDEEP:	98304:uWtxN76QDEsuJXsm75DBC/qupepFAFLOAkGkzdnEVomFHKnPq/:u8lumeRBC/quKAFLOyomFHKnPq/
MD5:	DA766AC8D3E3AF30407A1EB96E03BAF7
SHA1:	353CB2C8F893E769E069BC0FBCF4FE632D457326
SHA-256:	01C7C858A5A4AE74690FDDE79AC994BD7085820238C133CC653D60B6F0658A52
SHA-512:	A482D5A9EC51DEC4C025C3126C54D3BEBD54A258120506F360A0FB6E11CC183A64BC1FAF162291B3204479A3EFAE2EEA1166CBCAE6894041A29CD262D28E6949
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: windisc.exe, Detection: malicious, Browse Filename: EgnyteConnectWin.msi, Detection: malicious, Browse Filename: EgnyteDesktopApp_3.15.3_136.msi, Detection: malicious, Browse Filename: EgnyteConnectWin.msi, Detection: malicious, Browse Filename: fud.exe, Detection: malicious, Browse Filename: tVf866r8BJ.exe, Detection: malicious, Browse Filename: loki.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 8RVyaW3YT4.exe, Detection: malicious, Browse Filename: o6NoeQUUX0.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........Z;-K;U~K;U~K;U~..~J;U~..~J;U~..~I;U~..~^;U~BC.~_;U~peT.I;U~peV.@;U~peQ.G;U~peP.\;U~..~X;U~K;T~.8U~pe\..:U~peU.J;U~pe.~J;U~peW.J;U~RichK;U~........................PE..L...h..Z.........."!.........................P................................I.......I...@A............................L...../......@0...............H. ?....E.....`...8...................,4......p...@............./.............................text.............................. ..`.data...$...........................@....idata..fS..../..T..../.............@..@.didat....... 0......./.............@....tls.........00......./.............@....rsrc........@0......./.............@..@.reloc........E.......E.............@..B................................................................................................................................................................................

6bacb6.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95008
Entropy (8bit):	6.483846276891073
Encrypted:	false
SSDEEP:	1536:lKaK/ssrqmwbkwYn9Q6JLfeC31CxJTjSvEjbFEXAVOVzHxc:lKPEsiYndJLfeC31GTjoEjbyX0Wu
MD5:	7E7BF3239A4FC0408E7E41F70E3C2D3E
SHA1:	B556E1AC737246AAD5C534479B52190FE25C61C0
SHA-256:	6C644970EF988B99ADB2981C421DCFD3C824F9B48F551B1EE83C4C6F168BB737
SHA-512:	F62584FF27EC8FFC458A17157487ED34851C0E175119DAE40C4263FC2238ED388CDF1E8FA4EBFA4E47DE7A775A66AF2A290F09665D8596D8DE953E127E2A9475
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........y..y..yz<hy..y..5y..y...x..y...x..y...x..y..5y..yz<my..y..y..y...x..y...x..y..Yy..y...x..yRich..y........PE..L......Z.........."!.....D...........R.......`......................................4.....@..........................0......`1.......p...............4.. ?..........0f..8....................&.......e..@............`..L...........Pc..H............text....C.......D.................. ..`.rdata.......`.......H..............@..@.data........@......."..............@....tls.........P.......&..............@....gfids..T....`.......(..............@..@.rsrc........p.....................@..@.reloc..............................@..B........................................................................................................................................................................................................................

6bacb7.rbf (copy)

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.458979771637682
Encrypted:	false
SSDEEP:	1536:wU26ddhAg3kTWF1Wah39Ai31CxPUDwODtho51Vbim:wUrduWFR9Ai31UUDXho5Pum
MD5:	D1896E52F5C118B37CAC9F5FBCEADD14
SHA1:	480B5664AC64934D10AB2C423AC5636AF7C7E65E
SHA-256:	9A4CCBCFAF1B2D5A19C35085B6688CD96C3CD02D5A42857531DFB78FA576C444
SHA-512:	C1A01AB3BC902D41343A88B7BC3EDA812EC65AF9667866DFFCB5E156589388F0CF4997F414C229ABDD7A75BE74C0C419A1ACE48AC4B8E18E5555370940FEB4F9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........y..y..yz<hy..y..5y..y...x..y...x..y...x..y..5y..yz<my..y..y..y...x..y...x..y..Yy..y...x..yRich..y........PE..L...5..Z.........."!.....D...........R.......`............................................@..........................0.......1.......p...............6.. ?..........0f..8....................&.......e..@............`..L...........Pc..H............text....C.......D.................. ..`.rdata.......`.......H..............@..@.data........@......."..............@....tls.........P.......&..............@....gfids..T....`.......(..............@..@.rsrc........p.....................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Config.Msi\6bacb3.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	32367
Entropy (8bit):	5.690473432505216
Encrypted:	false
SSDEEP:	384:CN8L7cv3HSjYqoKiDGJsKrtKgSg5gD4yIg9gQgkgYgMOtg9gHXQEg9g3gwgpJ7pU:C+L7CXSjZO6JskcEBKHx/o
MD5:	09CAAD5707FCA8F4311E9D55BAD84B3E
SHA1:	3DD8F6049F00ACF6120D899814DB652A3B1FDDB3
SHA-256:	FC35620BA3262836E5266177A62101C09AEE08329726B23EB8014C2AED74BB42
SHA-512:	BE52A9E98AACB54294F10F57C43FC18A3872968700AEC8FC4A7A07551AA8D63A142A8521A8C16F59FEDE8B534286B4CD1833CA54A3E87ECD4A912813E2254D2E
Malicious:	false
Preview:	...@IXOS.@.....@E.]Y.@.....@.....@.....@.....@.....@......&.{77911F23-6E44-405E-BC55-34D549DB64B2}..In-Situ Win-Situ 5..WinSitu-5.7.8.0.msi.@.....@ ....@.....@......_853F67D554F05449430E7E.exe..&.{8FC2E7A4-D62A-4678-921F-8927182D4AFD}.....@.....@.....@.....@.......@.....@.....@.......@......In-Situ Win-Situ 5......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{A20E98AF-1532-7D91-9166-B508329205DD}&.{77911F23-6E44-405E-BC55-34D549DB64B2}.@......&.{60B67299-9861-7B82-CDEA-5D7F9A82E4D1}&.{77911F23-6E44-405E-BC55-34D549DB64B2}.@......&.{DC5686B9-37F4-0FDB-3B13-22F375C4F314}&.{77911F23-6E44-405E-BC55-34D549DB64B2}.@......&.{50081DF8-D6F9-5681-0C57-B7C07EC57DC7}&.{77911F23-6E44-405E-BC55-34D549DB64B2}.@......&.{805C3E0E-A5AF-23B3-BD71-7F8AA0E12910}&.{77911F23-6E44-405E-BC55-34D549DB64B2}.@......&.{CD5F6671-2E13-040E-7EC0-787AEE8C3BCE}&.{77911F23-6E44-405E-BC55-34D549DB64B2}.@......&.{4DC389D0-8E

C:\Program Files (x86)\Common Files\InSitu\LowFlow.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10043392
Entropy (8bit):	6.80303381102934
Encrypted:	false
SSDEEP:	12288:NkofeeN23sAfJqNzjcaaaaT+N1wcIE8MyR2xqL7HYy2NI0Z8Yaf/rWlKlxkd:bfets1hcaaaaowcbVyoxqPYwYaf/aK30
MD5:	FFF6DA6AFB56202AD5D0F0F9FFEA5131
SHA1:	56A5FA9C972071CC73E11B22731E21A0143AC065
SHA-256:	283E5413CB5D86120819B1FEBF9FCEFC8E81CFFE6AF4628325AA7ABEEF715055
SHA-512:	8C5EEA0ABA808C12F47CA5CB86E6A2F666CB6AF84EC2D623FA3FF74CF0741229C683DC8D741B098DF9180417EFC2BD08DEB945992BC61B02C170AC4EEE6CDF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.Or..Or..Or...}.Nr..h.~.Kr..h.m.Gr..h.n.Xr..h.x.Kr...}^.Zr..Or...s..h.q.fr..h...Nr..Or..Nr..h.{.Nr..RichOr..........PE..L.....^Q.............................i............@..........................@...........................................................e..........................p................................f..@...............8............................text.............................. ..`.rdata..,...........................@..@.data............ ..................@....rsrc....e.......p..................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\InSitu\PostLevelCorrection.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3874816
Entropy (8bit):	6.846744933873619
Encrypted:	false
SSDEEP:	49152:8cN3s31T/IGPf1IbYys0Pczzt+mt23gXj3Tfr/72uqOKuKOKuaqx:lN3s3NjN
MD5:	7C45BB6FB91F436DDDB6E116493D0C75
SHA1:	78A7BD443B7F5BDC7FA0CC1997F117FAA356E809
SHA-256:	94E2074F24D5FA163BC90E5FA8C846528BE24CC558666B7769FD76C886414A6B
SHA-512:	50B164488CA99C04098C01BC1A9D1254B608C64D4E175E25520179AC21BDCE06115E087E0A7F7E03D6A5AEE203B6BE085116EBD8D92C1518E4EB62E5F79F2A67
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].s[<. [<. [<. ... Z<. \|.. ^<. \|.. R<. \|.. K<. \|.. _<. .3. N<. [<. s>. \|.. f<. \|.. Z<. \|.. Z<. [<. Z<. \|.. Z<. Rich[<. ........................PE..L....}(Z...........!..... ....1......3.......0............................... ;.....r.;.....................................$...........@................... 9......7..................................@............0...............................text............ .................. ..`.rdata.......0.......0..............@..@.data...h........0..................@....rsrc...@........*.................@..@.reloc..2.... 9...... 9.............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\AdministratorNotes.htm

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	HTML document, Non-ISO extended-ASCII text, with CRLF, NEL line terminators
Category:	dropped
Size (bytes):	35056
Entropy (8bit):	5.392734785793785
Encrypted:	false
SSDEEP:	768:48p5tivp5Up5tp54p5anQJ/ee0eKeg9eheBe/eZeZeme2ekeGeDeeeIe7:4yevp6pbpCpMSWe0eKeKeheBe/eZeZe6
MD5:	7591EA4A64B573A2039BFE6643323F9B
SHA1:	F30E4BD21C0D512279814DB837E4E14B578BB4A9
SHA-256:	C57BB99694FB0F3443943DFCE0B93897CD65807AC274CF94C17773D8DDC0628F
SHA-512:	6038ED82FB25360DD7186ABDA3148A160F2B6866CBE36C86CAFFD38BA0677A68E0E301A3B6C695C04491BEAACF9AE2D33A64233DCF005CB543A2611C7D5688CB
Malicious:	false
Preview:	<html xmlns:v="urn:schemas-microsoft-com:vml"..xmlns:o="urn:schemas-microsoft-com:office:office"..xmlns:w="urn:schemas-microsoft-com:office:word"..xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"..xmlns="http://www.w3.org/TR/REC-html40">....<head>..<meta http-equiv=Content-Type content="text/html; charset=windows-1252">..<meta name=ProgId content=Word.Document>..<meta name=Generator content="Microsoft Word 12">..<meta name=Originator content="Microsoft Word 12">..<link rel=File-List href="AdministratorNotes_files/filelist.xml">.. [if gte mso 9]><xml>.. <o:DocumentProperties>.. <o:Author>bbonner</o:Author>.. <o:LastAuthor>OWNER</o:LastAuthor>.. <o:Revision>6</o:Revision>.. <o:TotalTime>10</o:TotalTime>.. <o:Created>2009-10-22T20:54:00Z</o:Created>.. <o:LastSaved>2013-08-07T20:44:00Z</o:LastSaved>.. <o:Pages>1</o:Pages>.. <o:Words>492</o:Words>.. <o:Characters>2811</o:Characters>.. <o:Company>In-Situ</o:Company>.. <o:Lines>23</o:Lines>.. <o:Paragraphs>6</o:Paragr

C:\Program Files (x86)\InSitu\WinSitu\Help_WS5.chm

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	14977443
Entropy (8bit):	7.999072294964284
Encrypted:	true
SSDEEP:	393216:SNNX5zceCiw13qK83ADB++LS17Yii/zTZwlkwMcpdso82:SNNX5zcP3e3AI0IYiotwya3I2
MD5:	E107F63A0FA69A24177D781FD67108B8
SHA1:	D4125A7C6B52E6A25D6F0BF2C1EBE87903126757
SHA-256:	E32FCFF8820D65972701AB7D5C3F04CAE082C80FC5825AE6240611D01224F287
SHA-512:	4B10F6880B3BF5ADDEF7C78CA7F41358EB952FDC111FA83ECCE0CA9424578948EC184DD14F328F5E2A706E0F9CE6A4FCFBB20C5486A7D943A86D66EAD7E4F0DF
Malicious:	false
Preview:	ITSF....`..................\|.{.......".....\|.{......."..`...............x.......T`.......`..............................ITSP....T...........................................j..].!......."..T...............PMGLH................/..../#IDXHDR......./#ITBITS..../#STRINGS....Y.F./#SYSTEM..n.1./#TOPICS......./#URLSTR......X./#URLTBL.....l./#WINDOWS...e. ./_Temp.hhc.....^./Data/Alias.xml...z=./Data/HelpSystem.xml..._.(./Data/SkinBlueSkin/..../Data/SkinBlueSkin/About.png....G.o!/Data/SkinBlueSkin/AddComment.gif....&.M&/Data/SkinBlueSkin/AddComment_over.gif...g.-*/Data/SkinBlueSkin/AddComment_selected.gif......6+/Data/SkinBlueSkin/AddSearchToFavorites.gif.....`0/Data/SkinBlueSkin/AddSearchToFavorites_over.gif.....J4/Data/SkinBlueSkin/AddSearchToFavorites_selected.gif.....\./Data/SkinBlueSkin/Book.gif...^{./Data/SkinBlueSkin/BookOpen.gif...e.;)/Data/SkinBlueSkin/BrowsesequenceIcon.gif.....U./Data/SkinBlueSkin/Comment.gif.....E#/Data/SkinBlueSkin/CommentReply.gif...f.F$/Data/SkinBl

C:\Program Files (x86)\InSitu\WinSitu\ParseVuSituDataFileDll.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	391168
Entropy (8bit):	5.495302507319733
Encrypted:	false
SSDEEP:	6144:e/4sWYI436tLsFr1U3LPwSHViJpcXHbCwOC:s49Im7PwSViJOP
MD5:	2F9FD9738426245026FAAE2D998FC278
SHA1:	840238E88CDD24E95392E0CEB10540AC32FF2243
SHA-256:	EE1EB8A855307797185EC39112B70D547A665C128A545799AA82834660301CC5
SHA-512:	0628C4194CD416C41FBC07A20A9D050E24262EE690BC65FCBD0AA863EFACC8333A0D0BB16FF353EB9BBD0077AAB3550282AE2CDBD03EFAEF1A1C32833B2EEEE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q_..5>.5>.5>.gV.?>.gV.7>.gV.$>.gV.1>.<F{.8>...#.7>.5>.G>.W.:>.W.4>.W..4>.5>..4>.W.4>.Rich5>.........PE..L....\w`...........!................r........................................0............@.........................P...l........................................+..p...p..............................@............................................text...w........................... ..`.rdata..............................@..@.data...............................@....rsrc...............................@..@.reloc...+.......,..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\RBT.H0-0.V103.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	102289
Entropy (8bit):	3.798909577045034
Encrypted:	false
SSDEEP:	1536:HBQKUu+kUHXPxtTLR15yfUSQ4tmiEuUOyAWz6FmNh6+AgKwBpizdtIhfuac3GGw:HOKEHPxtnR1UfDoisz6cQCpizsfsxw
MD5:	3B566DDA03C2070AACA725E10ED0D80B
SHA1:	6A014EEA993DF01983D7D93BAAADE4E215887974
SHA-256:	32F44AECE36383F21F0711305A2E7DCD986F02B1454EDD70FDEC73F505D2875F
SHA-512:	E6A1E5FD0381A771B6A32A5DC2AE8374A6CA4E8CFF823A0E58965961AEC8DA60993A27AF9711372B59B1E72E327E27637C5F16FE1F921032B8DFAB56B2E21012
Malicious:	false
Preview:	:0F0000F0001100670000000000018F9101000067..:020000040000FA..:1028000081206700F22C0A0A0A0A01FF949D000049..:102810000000722FC21301FAA04A22150232C25CD4..:1028200036170364CC7A6C19049612002823010031..:102830000105664000002923010001045E404E406E..:102840002A23020001044240E83F2C230300010434..:10285000E23FD23F2F2301000105CA3F0000302391..:1028600001000105C23F0000312301000105BA3F0C..:102870000000322301000105B43F000033230200B1..:102880000105AC3F0000352302000105A03F000018..:10289000372303000103903F3C3F3A23010000002F..:1028A000343FA03D3B23200001037C3D403D5B23A2..:1028B00020000102283DEA3C7B2304000102E43CA5..:1028C000C63C7F2304000102C03C963C83230400E5..:1028D0000102863C623C872302000102563C163C02..:1028E000892303000102F23BBC3B8C23020001055B..:1028F000B43B00008E2302000104AC3B8C3B9023D0..:1029000002000105843B00009223010001057E3B8B..:102910000000932301000105783B0000BE23010065..:102920000102723BD639BF2301000102D039BC3904..:10293000C02302000102B0399439C223030001020E..:102940008C397E39C5230300010276396039F02

C:\Program Files (x86)\InSitu\WinSitu\RDO PRO-X.H0-0.V108.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104224
Entropy (8bit):	3.8042083178646693
Encrypted:	false
SSDEEP:	1536:ozWlox5A6XsQyonCITRIkNyR9chgjLuJWziERrtrl5x0mevJxwc:BgQonpvyXQgPeEhtrlomWwc
MD5:	07ADF476B3FD9D04B74181919C230F5E
SHA1:	51DDD420E9C8729115E9515F0723B0BDBF7C4DAA
SHA-256:	351B3CA3ECEE58C9A8C2CB8D3031F697AE5CCD0B9B533AF35C183515A86E3FBB
SHA-512:	256E5C1BA91ABC5CFE9E33B4C113D426A9B1497B06E35C23EF55EB0B6DCCB30ED12B6E03709DDA57C00E27D40D501FEF9A914AAC0B847BECE075AE735EF0CA7F
Malicious:	false
Preview:	:0F0000F0001F006C0000000000019720010000BD..:020000040000FA..:102C00001C806C0064330A0A0A0A01FFBA910000B2..:102C10000000844F6A190132365EC41A029612000F..:102C2000282301000105C040000029230100010400..:102C3000B840A0402A230200010494404A402C23BB..:102C4000030001043A4008402F2301000105004021..:102C50000000302301000105F83F0000312301008E..:102C60000105EE3F0000322301000105E83F0000AE..:102C7000332302000105E43F000035230200010573..:102C8000E03F0000372303000103D23F00003A2356..:102C900001000100CA3FDA3E3B2320000103C03E91..:102CA000983E5B2320000102763E523E7B230400C7..:102CB00001024C3E363E7F2304000102303E1A3EA4..:102CC0008323040001020A3EF43D8723020001022F..:102CD000EA3DA63D8923030001027E3D7A3D8C2317..:102CE00002000105703D00008E23020001046E3DCC..:102CF00000009023020001056C3D000092230100BA..:102D00000105683D0000932301000105643D0000BA..:102D1000942308000102483D303DF02301000103E7..:102D20002A3DEE3CF12301000103E83C743CF22310..:102D3000010001036E3C383CF32301000103323CE7..:102D4000E83BF42301000105E63B0000F523010

C:\Program Files (x86)\InSitu\WinSitu\ReleaseNotes.htm

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	HTML document, Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	59062
Entropy (8bit):	5.326393373087345
Encrypted:	false
SSDEEP:	768:u8LY5Vm53xp5np5Qp5xp5p5CtOxJ6rXlcS+g8SP3j:uzXmlxp1pWpjpDhTElhpBj
MD5:	072DBC6F1D64A3848C3718ECBB3E9172
SHA1:	35F7C5A652B90A6BADF6BC229FE1F876ADC0DC56
SHA-256:	4B15B7ED1A987CE2780C3A9918E3E000923F06436F8C4795872BCEC170D27525
SHA-512:	3F3BE97F643348792CB4C71BE5B5813AB32073188969019FD751E9925FE3E37830644890AE57F200A5DD0171C8A0DA188BEA2C8005149E2B01F76732973F5451
Malicious:	false
Preview:	<html xmlns:v="urn:schemas-microsoft-com:vml"..xmlns:o="urn:schemas-microsoft-com:office:office"..xmlns:w="urn:schemas-microsoft-com:office:word"..xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"..xmlns="http://www.w3.org/TR/REC-html40">....<head>..<meta http-equiv=Content-Type content="text/html; charset=windows-1252">..<meta name=ProgId content=Word.Document>..<meta name=Generator content="Microsoft Word 15">..<meta name=Originator content="Microsoft Word 15">..<link rel=File-List href="ReleaseNotes.fld/filelist.xml">..<title>Release Notes WS5</title>.. [if gte mso 9]><xml>.. <o:DocumentProperties>.. <o:Author>R. Forbes Guthrie</o:Author>.. <o:LastAuthor>Kristen Byers</o:LastAuthor>.. <o:Revision>4</o:Revision>.. <o:TotalTime>6</o:TotalTime>.. <o:LastPrinted>2005-06-13T19:21:00Z</o:LastPrinted>.. <o:Created>2018-08-29T02:19:00Z</o:Created>.. <o:LastSaved>2018-10-12T16:32:00Z</o:LastSaved>.. <o:Pages>1</o:Pages>.. <o:Words>224</o:Words>.. <o:Characters>1281</o:C

C:\Program Files (x86)\InSitu\WinSitu\Software License.rtf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:	dropped
Size (bytes):	7425
Entropy (8bit):	4.79057453534916
Encrypted:	false
SSDEEP:	96:MCAljqwFsv9rdenyQgSkyBFKGVXrUucVTTgeglYeZ5kZBhwnW2:SlWjgyQpeGJgf1TDgGA5kL6W2
MD5:	4EADF7281E098F2BB29FCAD68B509DBD
SHA1:	8364C1F4B6B6B3498A0FD0C027A6158B00F8BBF6
SHA-256:	2AFAFD7141C7390D13CAEC380300162265584AC85EED9116660B410066CEA6FB
SHA-512:	C89ECA6EA5860CB1686B389304034B8D3C4C44C1CFF1F7D1D255CB3BA7E363C585725BF5C783E10EF699E284C8EF8999205FE18BBF0B0A8ACE27619252B2BD53
Malicious:	false
Preview:	{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}}..{\colortbl ;\red0\green0\blue0;}..{\*\generator Riched20 10.0.17134}\viewkind4\uc1 ..\pard\widctlpar\li-90\qj\b\f0\fs16 1. Grant of License.\b0 In consideration of payment of the License Fee, which is a part of the price paid for this product as evidenced by the payment receipt (the \ldblquote Receipt\rdblquote ), IN-SITU, hereby, grants to the Licensee, a nonexclusive right to use and display IN-SITU\rquote s SOFTWARE and HARDWARE. The License granted covers all users on the above-mentioned SOFTWARE and HARDWARE. IN-SITU reserves all rights not expressly granted to Licensee. \ldblquote SOFTWARE\rdblquote means the software purchased by BUYER, together with the names Win-Situ\cf1\'99\cf0 and Pocket-Situ\cf1\'99, which are owned exclusively by IN-SITU. \ldblquote HARDWARE\rdblquote means the magnetic or physical media on which the software is recorded, including compa

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\CDM 2 08 02 Release Info.rtf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	147448
Entropy (8bit):	4.985481064958369
Encrypted:	false
SSDEEP:	768:eM/F5AcJlNRJvGYZs8iDZWXo3PrYb7VVHyC5bc6ImQ7/zE0aZa3d73dIIiXMjcja:eMd53lzZakAqPbUD9
MD5:	95858F6CAF588FD2F8BD867AA9C15F4C
SHA1:	1C559BCDAF836EAB6A477AA341186B9651978904
SHA-256:	1569323A09D24A372316462E5229CB1FADC253D7E6EBB000F0BA1C6B97C57AFB
SHA-512:	6A88F74B6F223E7ECDCB48C61F292C558C2263D062D6623AC128B1D24EE223F953CFB8C623C197313557869C614E98E82F5AAF11C74C6B6B33F12D2C4D445041
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang2057\deflangfe2057\themelang2057\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f3\fbidi \froman\fcharset2\fprq2{\\panose 05050102010706020507}Symbol;}{\f10\fbidi \fnil\fcharset2\fprq2{\\panose 05000000000000000000}Wingdings;}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}{\f39\fbidi \fswiss\fcharset0\fprq2{\\panose 00000000000000000000}Verdana;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInst.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	5.13809712795561
Encrypted:	false
SSDEEP:	192:vPBKnylzlkpm8j+Z31+N5dto9psGS4MTcWdi6AkqlLE:HHmm8kEN5dto9OGhMTJs6KE
MD5:	D675B7C88C1D53209B7BF2C43F796CCB
SHA1:	712A14A0933739F91A027FA21C57E2105A2F8706
SHA-256:	853070380A3F23485A2D535135E8B73EE1BBDB501037BFC85F43D840547A22EA
SHA-512:	E1740DDB9A5AEFA4603AD124B8CEA40206757B23D951ED4AC254D6D1EBBF085861CE2D5AE6FED4661170F67E4FFCFDDC28B5EB5CCC8A502205F41ECA5078AE78
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C..."zW."zW."zW...W."zW...W."zW...W."zW...W."zWb-'W."zW."{W."zW...W."zW...W."zWRich."zW........................PE..L...]X.J............................&........ ....@..........................P..............................................d%..<....@...............................!..............................@$..@............ ...............................text...J........................... ..`.rdata..<.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx64.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	845736
Entropy (8bit):	5.911869545670581
Encrypted:	false
SSDEEP:	12288:XaeRl73Vde53ss/yC+JavFV07cfT+PeQqOTqtjGsJeCIGPf:XF373FsgWFVicfT+PLqOCjGcIGPf
MD5:	7CE61B7C402728CE373FBC0DC9214066
SHA1:	687E176263E778DE37F36D097754FD3B6BDD8E5F
SHA-256:	5B8F31594F208E1BD15BA972B13B3142E7EFB78560B8B3674AB6C09E589ECE4E
SHA-512:	EC06186912605263138D67B1ADB005295F7CB5D88018234B7D86B7755EC7AEF0630A38F2D4C04922AE201D01B7ECE7D5EE2E2740AEA4B89360037C5ED489FB4C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9Y..}8.O}8.O}8.OdA.O.8.O}8.O%9.O...Od8.O...O.8.O...Oe8.O...Oa8.O.7.O\|8.O...O\|8.ORich}8.O........................PE..d.....}C..........#......l...l......Pj............................................................... .......................................X.......p..........X....................................................................................................text....k.......l.................. ..`.data................p..............@....pdata..X............z..............@..@Shared.......`......................@....rsrc........p.......0..............@..@........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx86.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2916264
Entropy (8bit):	4.839275810320534
Encrypted:	false
SSDEEP:	24576:4BpOIebpPNPNPNPNPNPNPNPNPNPNPNPNPNPNPNPNPNPNPNPNPNPNPNP+:03ebpFFFFFFFFFFFFFFFFFFFFFFFW
MD5:	B3A3C7B35696991B106CD0CF882C6581
SHA1:	FA0446980ADB7DDD5C19CDD268F1BB4782C7B778
SHA-256:	63D0819DD9B671B84DB6E720ADDB32E5B7DCB6C6977A3623D23B4D7FE2B965CF
SHA-512:	D281568A467B48AC22D71166A8B6379404CBDD7F07D13F3A4D189F64181A10F49E3CCE90D81B6DC35BC44185AF418F20B595754B631C83AF30AA09868E250B6D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......).g.m...m...m...T.t...m...-...t.g.o.....\|...V.....i.J...W.l...S.l...Richm...........PE..L.....}C.................(...8&.....\|........@................................,.....DP-.......... .......................................'&..........d,.............`...............................H...@............................................text....'.......(.................. ..`.data....0...@.......,..............@...Shared...............:..............@....rsrc....'&......(&..<..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\LogoVerificationReport.pdf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PDF document, version 1.4, 1 pages
Category:	dropped
Size (bytes):	42808
Entropy (8bit):	7.44619754667014
Encrypted:	false
SSDEEP:	768:24umwvV2AQc5nx+CGec/cGH+34DOoAQBwITS/Cg/fhcJJJjLUH:24umesTq90EGe3kO/nITS/3nh4JJjLUH
MD5:	30FC02865244D8F994B82570D51B781D
SHA1:	74F6F8F531C95589CC8FF15FCDF3249E6527281D
SHA-256:	CDC202DB1F505225EF968515C999906C91431A7C421A297A01C4FBA8EA4B3301
SHA-512:	8FEBBCA8DD99FF9633672E97966A917656F4B15A0B8E9953F2C83C4A0256336B84D5DFCD868A7431E05CCAAA98FF5731B58498AAD100E1F210A394F87276E1C2
Malicious:	false
Preview:	%PDF-1.4.%.....1 0 obj <</Width 295/BitsPerComponent 8/Subtype/Image/Height 259/Filter/DCTDecode/Length 25517/ColorSpace/DeviceRGB/Type/XObject>>stream.......JFIF.....H.H......Exif..MM.*...................2.........J.i.........^...........>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	319488
Entropy (8bit):	6.307650344157851
Encrypted:	false
SSDEEP:	6144:os0gprdKbJOcWA4FqJOQHebteo25HG88dcEP9:52JOy4FqJO+epeo2QIEP9
MD5:	196C5F7AB6FB7D1B6B32813449CC9511
SHA1:	B075BA916BED09EDDD5FBBAD47C7D5A74AA28D06
SHA-256:	BE766AEB67D829E4DE2650189ADEC7459503E5C402C70EFC552E0D869578FD8A
SHA-512:	8723453128F517266A6CA87CA97B6987518050161F7F46D741EDD639174C4D299FFAAD259C7D2287BD82AC85787DD21510809C0A3164B71E1CCE696DEC40FF8F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...{...{...{`.{...{`.{...{...{...{...{...{...{7..{...{7..{...{...{...{...{...{...{Rich...{........PE..L....etO.................0...................@....@.......................... ......^\|......................................0...........h........................... F..................................@............@..t.......@....................text....#.......0.................. ..`.rdata..:....@.......@..............@..@.data...xh.......0..................@....rsrc...h............@..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\Win-Situ.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 24 bits/pixel, 32x32, 24 bits/pixel
Category:	dropped
Size (bytes):	11502
Entropy (8bit):	6.693850939797661
Encrypted:	false
SSDEEP:	96:49ych/bqtAjNg2IwGwwzC7KOjmg8i8i8i8i8i8i8i7GTq2fRJmQQHk1EWqvkbn3D:4H/bqteNgh+KOC8yq2fRJmQ3bfdjt
MD5:	3CA3A55ABEAE2FA61A85E82C8AE1EB90
SHA1:	04BA7D9D3BF1672CD453BCFC851886E335E09C70
SHA-256:	6C7014C24923BF342B0B37868086CB9B64FA33BE0B1A92E3B54EE103FD255D7A
SHA-512:	D7F61AC411E6CE85F63F550E25609FFECE80EBA4628EA4AAB92F55667B5CAF3218FFA1F333B3C9CD0D1D72386757880FD147B5F3ED8E953A0B0D7847CB8ECAE9
Malicious:	false
Preview:	..............h...6... ..............00..........F...(....... ................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..Q.O.O.N.N.L.K.I.G.E.C.C.`...A..A..J.I.I.H.F.D.B.?.<.}9.{6.z5.T...A..A..E.D.C.A.?.<.}8.z5.w0.t,.q(.o&.F.\|.A..A..q4._(.f,.l/.Z".U..f&.o'.h .X..J..K..g,.k.A..A..uT......z?........mL.W..V...y.......\|.mH.A..A..........`0..........>........kVwM4......A..A...........zg.........eG.;.tD$.zg.........A..A.......wM4.......kV.....yI)..........x.iQ.A..A......a-........^F.zg....ZB......l?#.kV....A..A........a=..n.....l.hI......]A.............A..A..~Z.~[.}.z..l......l..q....w.z\..f...A..A..............................A..A.........................................A..A...........................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A.................................................................(... ...@............................................A..A..A..A..A..A..A..

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\WinSituBanner.bmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PC bitmap, Windows 3.x format, 165 x 313 x 24, image size 155248, resolution 3780 x 3780 px/m, cbSize 155302, bits offset 54
Category:	dropped
Size (bytes):	155302
Entropy (8bit):	6.454402330172099
Encrypted:	false
SSDEEP:	1536:ZSQ6kqk//Ysssssssssssssssssssssssssssssssss/ssssssssssssssIEu68S:ZSZkqkQEu6atpNW/VJn
MD5:	2F3DCCB3683A40C5C23566204965A255
SHA1:	E8D754BFAF66C2FC0D3B12718BD9D1515F2BFCC3
SHA-256:	B3654053173F63B40059303ABE30457F387E2CC69ABF2EDCD7320E62F0289E79
SHA-512:	4E03F86EA07D0B7B1A26611738179ACE6AB4CC94B81F33B2FBA50D7E91C15207DDF7D51939E67063D797908EA4F3631268CE848498C4D2BD832B3713C5C89276
Malicious:	false
Preview:	BM.^......6...(.......9...........p^....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftbusui.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	108936
Entropy (8bit):	6.231831018446883
Encrypted:	false
SSDEEP:	3072:Dn4BmLe7izeEl9L0gHysfvCE9Cz7FzrxpK3i:DjGizeEPYgSsfvJmFSS
MD5:	F7A0AAED16041897F88E4C438A57E78C
SHA1:	36CD8E64C9535D743A451D223D3ADDF638334005
SHA-256:	72777139F330A2E7653C0B5D427B57172275EDD4535C5F743BB0ADE50037A0F5
SHA-512:	4246CFE369253B99152C4C6C4D9E296119817A30779AFD2BBFB35FB677F70CB4C98CE1A4AC65C13DDEE713F2F4B841AACAD724178C1F02CB9222181F83480F9F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xj..xj..xj...xj.....xj......xj..xk..xj....xj.....xj.....xj.....xj.Rich.xj.........PE..d...^..O.........." ................./...............................................S....................... ...................... f..h....Y..d............... ....................#............................................... ...............................text............................... ..`.rdata...F... ...H..................@..@.data....!...p.......\..............@....pdata.. ............n..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftcserco.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65416
Entropy (8bit):	5.86601004353579
Encrypted:	false
SSDEEP:	1536:PxRShQnixg3RolVTE7lkowJu3rIs7X6N+f7ra7Ck:PHShQnixg3RolVT6eowJu3rIs7qcf7O1
MD5:	C2885AC796B11AF0B3EB4F6D305C205E
SHA1:	74076EA76A2543D523BFC1E97695F7F9F70DE1BF
SHA-256:	94C3B96BDC73610CD926353C97B0918EC9515F7DA64F57F15240D3966A5C2D38
SHA-512:	11B8438457D3C3CEA226A02B1CEB83EEFB90459E538921B0F3B855783BBDAFBED20EFEB1F62164F2B866C181D58825C6CECF71707258E2031C4B7475CFF4AE86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............................u.......u.......u.............u.......u.......u.......u......Rich....................PE..d...Q..O.........." .........6......,d.......................................@......hu....@.........................................`...Q.......x.... ..X....................0..`...0................................................................................text............................... ..`.data....&..........................@....pdata..............................@..@.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftd2xx64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	256392
Entropy (8bit):	6.4186107800289
Encrypted:	false
SSDEEP:	6144:DKTiHGb29A/zEU0MJhcKJU+HRGyH8yQpelctV8B:LO3vP7R7H8y4ia8B
MD5:	BB854269ED4FCDD96DDAC2FD7938C5B3
SHA1:	C9F89E6D15AAB0A348611EED941E2A145830EB7D
SHA-256:	0A776A6191C81D3682BB8D6784B45FAEA858A3DBFBE4E1345386068E02FB7D60
SHA-512:	0CEC61B713315977363DFFA95A29CAA2A96E40892E14F1BCE24500A13AE62EC0AD8FCF1AC621AC578AE7CC5DB1222BB2A33DE5DC464610925A5AFC274AFB79C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[..s5T.s5T.s5T.!.T.s5T.!.T.s5T..NT.s5T.s4T.s5T.!.T.s5T.!.T.s5T.!.T.s5T.!.T.s5TRich.s5T................PE..d...e..O.........." ......................................................... ..............................................................<t..d................)...................................................................... ............................text............................... ..`.rdata.............................@..@.data....<..........................@....pdata...).......*..................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftdibus.sys

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	75016
Entropy (8bit):	6.3062079656831385
Encrypted:	false
SSDEEP:	1536:eEhveYcl+0ElUJzLhGuxh1WPr6byfPvm4Q+Vma7C3I:HpVPTUVUTfP+4Q+Vv4I
MD5:	35FD2BB5131714E657B7AB3A78642854
SHA1:	69B32ABCDA0973721B6A1AD8D06BCB4BF63F8CC4
SHA-256:	C24AC6D4E0E76B39625FC9051E092439642C3A10122F712C11A562860703F27A
SHA-512:	351C7A6D41573175DCCFC4923DB7C3DEE1D752BF003F454CA3268320903E307664409EA08F72B2D1E8BE067CA4B2DECA96966A6692EEF570E9C17F98166BDBF1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..\#..\#..\#..U[..^#..U[..]#..\#...#.....Y#.....^#..U[.._#..U[..]#..*...]#..U[..A#..U[..]#..U[..]#..Rich\#..........................PE..d...Y..O.........."........................................................................ ....................................................P.......x........................... ................................................................................text............................... ..h.rdata..............................@..H.data...?...........................@....pdata..............................@..HPAGE....D........................... ..`INIT................................ ....rsrc...x...........................@..B.reloc..<...........................@..B........................................................H.\$.H.t$ WATAUAVAWH.. ...H..........3.............@:.t..........@:..............t...H......H

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftlang.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	214920
Entropy (8bit):	5.8744859610938756
Encrypted:	false
SSDEEP:	3072:uTZpT25GLj5m0adkRplT0eDYI2XCICTrzwR/NK99ArJJ6s3LOkHo/TlKTQm:6iAv5TadiTT0en2XgTaMgcm
MD5:	5085BDD7167C74464F21E463FB0B7C0A
SHA1:	00F0255300336E8A57D27C0D6260656FD3D57829
SHA-256:	1D0F04C67DA0C6E62C236D90123CBB2E89709F1E960F24ED0BA07FA691F47F99
SHA-512:	C6898282371533FDF80CF95B431541169B551715DC2122C5318557EFBBE593D21195F6D26C7617A3EE4DA8E144FA755D95F128E886285874379EECDFF1C0EF08
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C?I..^'..^'..^'.....A^'......^'. .\..^'..^&.W^'.....%^'......^'......^'......^'.Rich.^'.........PE..d...Z..O.........." .....t......................................................................................................................(....@..$2... ..(....2...............................................................................................text....s.......t.................. ..`.rdata.. V.......X...x..............@..@.data...."..........................@....pdata..(.... ......................@..@.rsrc...$2...@...4..................@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftser2k.sys

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	85384
Entropy (8bit):	6.110892167857255
Encrypted:	false
SSDEEP:	1536:k8C7U7nhVo5polYXwUHJ7OY6A3xH9Q6OssXbeENqgUM9a7C5:TC7U3mbXfJKYb3vQ6CetkIU
MD5:	196C9BDDBEF9B6D0973F398BEF5B2EEE
SHA1:	C68AD88223AD70E6A7EE69DA6142D9A6AA4ECCEE
SHA-256:	D4F9C5CED1E33446B45BD2AFFA6E716B4332AF8716477A80437220AC20C6DFE0
SHA-512:	0E7B871A66FA43621E27568188CECC8895BBA4A417F624B5A65816B48565F71F3DEA6A9C90A393D87A9FC945965B9B92578E01FBC3B8E938159DD1907D78B634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h...,..,..,..,..j..Z...)..Z......%.s./..%.e.-..Z...-..%.y....%.d.-..%.a.-..Rich,..................PE..d...K..O.........."..........:.......E.......................................................................................................F..<....P...#......,....8..............0...................................................0............................text...Pg.......h.................. ..h.rdata...............l..............@..H.data................t..............@....pdata..,............v..............@..HPAGESRP0f>.......@...~.............. ..`PAGESER.]B.......D.................. ..`INIT....X....@...................... ....rsrc....#...P...$..................@..B.reloc..<............6..............@..B........................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\amd64\ftserui2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55176
Entropy (8bit):	5.852456218433334
Encrypted:	false
SSDEEP:	768:e6RPLCnVp9v9kQnOiN1SCCkCB/uomgWfpeDx0p17o/iqlJ0bu3xQGK6FzxyLWHbt:e6SVVhnnD4WJBFo/i20bGdNEa7CTk
MD5:	036A6ED7A51E73AE2C0ACC6BD814E326
SHA1:	32CE8F5DF256CC01F79FBCCF88F43B7C5FE5A058
SHA-256:	278C9A9A7B0167507F750D67D278AC77D98FE06873E250BEDE9AE4177C69E8B8
SHA-512:	E2BE4EAF2ED591D18A938EF37115AFD13C430337603CB332D67CF72F81717708372DC53DB579F678970172BF95FBE04190B1FBF3A5B833EBFD7E3EA1C1BBEDBA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0...Q.\.Q.\.Q.\..\.Q.\.)H\.Q.\.)^\.Q.\.)Y\.Q.\.Q.\)Q.\.)N\.Q.\..\.Q.\.)O\.Q.\.)T\.Q.\...\.Q.\.)I\.Q.\.)L\.Q.\Rich.Q.\........PE..d...D..O.........." .........B.......Z...............................................8....@.................................................P............$......................0....................................................................................text...1........................... ..`.data...............................@....pdata..............................@..@.rsrc....$.......&..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\dpinst.xml

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	956
Entropy (8bit):	4.890287316164591
Encrypted:	false
SSDEEP:	24:3sOvSZaDChlfQFmQGQp3EVLrEHMjQOLuQ4WfCI5sLlW+i6ZnjQdbGy:c9ZaDCh12EVnEHMMI5SZn8hV
MD5:	5D109BB1D5497A9655D1A0B82CF27F91
SHA1:	3BEA771D844DCF3B50AB115B32F70737FDE68CED
SHA-256:	E8A4112617153CA6C25F67FDC80C6DCC99AD171A55D3A0A33193564AA095FD68
SHA-512:	A740EFD2C47291D589C91EAD4B74DB6BAF8ABBDBB3407FEDB3E0FB75CDB437EA58FAC9FF239531D63BCFDD599A59777E38FE1111B993A2527AB4422A3C425CAD
Malicious:	false
Preview:	<?xml version="1.0"?>..<dpInst>.. <dpinstTitle>In-Situ USB Device Drivers Installer</dpinstTitle>.. .. <welcomeTitle>Welcome to the TROLL USB Device Installer!</welcomeTitle>.. <welcomeIntro>This wizard will walk you through loading or updating the drivers for your TROLL USB device.</welcomeIntro>.. .. <eulaHeaderTitle>End User License Agreement</eulaHeaderTitle>.. <eulaYesButton>I &accept this EULA</eulaYesButton>.. <eulaNoButton>I do &not accept this EULA</eulaNoButton>.... <installHeaderTitle>Installing the software for your TROLL USB device...</installHeaderTitle>.... <finishTitle>Congratulations! You are finished installing your TROLL USB device.</finishTitle>.. <finishText>Enjoy using the TROLL USB Adapter.</finishText>.... <eula type="txt" path="eula.txt" />.. <icon>Win-Situ.ico</icon>.. <watermarkPath>WinSituBanner.bmp</watermarkPath>..</dpInst>..

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\ftd2xx.h

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	C source, ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	27161
Entropy (8bit):	5.532271329428793
Encrypted:	false
SSDEEP:	768:EETAUMAEaNS/tGt6ifF0LgMkO9G/KlGPOfTG:ZAUMAEj/owg9OsUy
MD5:	30C72676B95D747E80C54F096DD231BB
SHA1:	723E0F9D07683D3B689F7C8CAB94D6FB52EE4AFA
SHA-256:	90432B8FB114EF0AD4519588172C60D9ABFA477E4A68ABDE05A37E9052A6C338
SHA-512:	2C8BB036EBC8DFFFC09074107D6098B0FE5A9CB278D1DD389E98245F6A68A41B7D45D5A39F600D42B563DDD7F6DE8A11346EFEA6813CAEF6C039874BC7C4B939
Malicious:	false
Preview:	/*++....Copyright . 2001-2011 Future Technology Devices International Limited....THIS SOFTWARE IS PROVIDED BY FUTURE TECHNOLOGY DEVICES INTERNATIONAL LIMITED "AS IS"..AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES..OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL..FUTURE TECHNOLOGY DEVICES INTERNATIONAL LIMITED BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,..SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT..OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE, DATA, OR PROFITS OR BUSINESS INTERRUPTION)..HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR..TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,..EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.....FTDI DRIVERS MAY BE USED ONLY IN CONJUNCTION WITH PRODUCTS BASED ON FTDI PARTS.....FTDI DRIVERS MAY BE DISTRIBUTED IN ANY FORM AS LONG

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\ftdibus.cat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	12273
Entropy (8bit):	6.5233752905158475
Encrypted:	false
SSDEEP:	192:sTPTwVTxTNT6T9yTbTMJTsyTEOw7I22f2N252r2btxN5GE9+uQhjeyveCJSI1SGg:Gbo5VYa3CtwnjpvXPSGQZa3c
MD5:	5CA8640E6171A81F3203DB577C674493
SHA1:	393D217A384FCA9FA355A3389273055B6988059E
SHA-256:	C60F69484DFB97D81B5814F5B25844B892D5F0F20D7FE71C11FB9B3DD6BD8BFB
SHA-512:	496039B9271A29831A56481B8AFF1034B217D64AF15C7943A2FD6A84252D22188C6823A7AA6CA205582CE0897DFE181D19CD58BB3E372B7152BE8845AD31DEDC
Malicious:	false
Preview:	0./....H......../.0./....1.0...+......0..o..+.....7.....`0..\0...+.....7......PXg.O.N.w.......120424155006Z0...+.....7.....0..%0....R0.1.3.7.8.9.8.2.5.1.4.D.7.3.5.3.7.A.2.2.3.5.A.1.E.D.6.E.3.3.8.7.5.A.6.E.5.C.A.0...1..o08..+.....7...10(...F.i.l.e........f.t.d.2.x.x...d.l.l...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........7..QMsSz"5..n3.Zn\.0....R1.9.3.3.0.F.B.B.3.F.5.0.5.F.E.6.F.5.F.B.0.6.4.4.A.A.E.3.3.6.E.4.9.8.0.B.E.8.F.E...1..q0:..+.....7...1,0...F.i.l.e........f.t.d.i.b.u.s...s.y.s...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\ftdibus.inf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5677
Entropy (8bit):	5.6827973704364805
Encrypted:	false
SSDEEP:	96:g6fT3tZVaffNDoepj5FmC8Oyi/ikI/on84ijVN4:3T3jVuf1Zptki/ito84ijVN4
MD5:	577772F78EBFD15E2EEF029284520725
SHA1:	4C8545EEB6143B6AD3858B5D1E0AEE76040B1435
SHA-256:	FE9A14CA08865506207D1458D9948801D88720DD1A4E8D02E65EC92D12E890FB
SHA-512:	30BA7C15E42ABEEAAAFE20EC6443C2D07AF4F9BEDA511B0357341918E00939D6D826EAB72A48BDD4C4B11BC4F39CCDE85936E800ACF9205F27D55F0827A19FA2
Malicious:	false
Preview:	; FTDIBUS.INF..; ..; Copyright . 2000-2012 Future Technology Devices International Limited..; ..; USB serial converter driver installation file for Windows 2000, XP, Server 2003, Vista, Server 2008,..; Windows 7 and Server 2008 R2 (x86 and x64)...; ..; ..; THIS SOFTWARE IS PROVIDED BY FUTURE TECHNOLOGY DEVICES INTERNATIONAL LIMITED ``AS IS'' AND ANY EXPRESS ..; OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS..; FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FUTURE TECHNOLOGY DEVICES INTERNATIONAL LIMITED..; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, ..; BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS..; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT..; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWA

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\ftdiport.cat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	11369
Entropy (8bit):	6.620230572759899
Encrypted:	false
SSDEEP:	192:bTT3TSTPTRRT/Ti1TFyTEOw7I22f2N252r2btxN5GE9+uQhjeyveCJSI1SGQ60fc:bvjQbfLi9ewnjpvXPSGQZa3F+fI
MD5:	29A416E493DD79825C742A3E668B847F
SHA1:	0EFDBCB5E96F0C2519E4BAB3ACFF9710D0110630
SHA-256:	036E53AC494A2D8E6C69B510F96E9446E910C96F64BBBE8EB60B6A226EF03838
SHA-512:	63B033E9C1B28AF2F09ED2C2CA4785EFA5D8FD3A4AD98BFA18FB765C7AE8BFBFE15FEA5DDCD16A85F3266F0092B9CFB229CBD33BA154D12F547305FA2C2027BE
Malicious:	false
Preview:	0.,e...H........,V0.,R...1.0...+......0.....+.....7......0...0...+.....7......'.l..D.......}..120424155006Z0...+.....7.....0...0....R5.9.7.D.7.7.B.C.1.9.A.3.E.7.9.A.0.A.B.9.5.F.0.B.F.3.8.2.E.0.F.9.D.F.B.9.7.C.4.7...1..s0<..+.....7...1.0,...F.i.l.e........f.t.s.e.r.u.i.2...d.l.l...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........Y}w......_.....\|G0....R6.3.3.3.F.D.8.B.5.C.2.B.7.2.F.1.5.6.2.F.9.7.E.B.C.4.3.D.0.5.7.D.A.D.B.F.B.A.A.F...1..q0:..+.....7...1,0...F.i.l.e........f.t.s.e.r.2.k...s.y.s...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0d..+.....7...1V0T...O.S.A.t.t.r.......>2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\ftdiport.inf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5591
Entropy (8bit):	5.65007976016586
Encrypted:	false
SSDEEP:	96:prfT3tZVaffNDoRKJlfIr59l+6Cgpb46YVeZgTlHkSIT:5T3jVuf1eKJlfI99o6Tb46YVeZgTFkSe
MD5:	C9E7B18F155D639F8EC1DEE75B776ADF
SHA1:	6849F67BACD4DA5A5B9D46803E6850D0BE8B3826
SHA-256:	DD6D037222813E2FC878CE9B3D7197A864201072C01622D9CBF5B8463CD6A05E
SHA-512:	4BD44DF659888F4FD96C5A06EF90E2018F60201B7A37EEB2D605872280C1A862A41DE7312491740EBDB45FE94885CA5ED4A5EB376E0CEF2491F60BD8500AEA19
Malicious:	false
Preview:	; FTDIPORT.INF..; ..; Copyright . 2000-2012 Future Technology Devices International Limited..;..; USB serial port driver installation file for Windows 2000, XP, Server 2003, Vista, Server 2008,..; Windows 7 and Server 2008 R2 (x86 and x64)...; ..; ..; THIS SOFTWARE IS PROVIDED BY FUTURE TECHNOLOGY DEVICES INTERNATIONAL LIMITED ``AS IS'' AND ANY EXPRESS ..; OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS..; FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FUTURE TECHNOLOGY DEVICES INTERNATIONAL LIMITED..; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, ..; BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS..; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT..; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, E

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftbusui.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105352
Entropy (8bit):	6.642588189655763
Encrypted:	false
SSDEEP:	1536:vRUKddjsKdfSeDZIdK4R2h3zA8JiNKev7iS3WBLbbRRpeEHa7Cc:pPdltDPbJilHKHbRRpid
MD5:	B1AEC925CCDDD3F6825C8B3874FDB896
SHA1:	38624538523780953193BDF6A507FFDF4E2C3B1A
SHA-256:	61032F868403855527E2FC91D176DA07213ED190F93A9F99EE9F0CFB783E59FC
SHA-512:	164E9946C89FF11C2DEADD7378A32A34DDC521B0B82304B69A1EF06CBA17D5462789B91F60F795A51BFCE9C55A4CEBBD96675950C519266193A445A5A7C40690
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.J.............EY......EO.....................EH......E^......EX......E].....Rich............................PE..L...a..O...........!.....$...^......U-.......@.......................................T............... ...............m..h....c..d....................................A...............................^..@............@...............................text....#.......$.................. ..`.rdata..X....@...0...(..............@..@.data...d....p.......X..............@....rsrc................f..............@..@.reloc.. ............v..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftcserco.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69000
Entropy (8bit):	6.203170991728465
Encrypted:	false
SSDEEP:	1536:mwpJ3AxCnwhDpQ4Otgq3ZCa2gv80gKtMo4Ua7Cdm:mwpJ3AxCnwhNQvtgmCJgntM/1Sm
MD5:	FEF14208203EDFAC97135A75218D3722
SHA1:	A4A7C36B25C6DDF58E2B25F21402671371E9B978
SHA-256:	9FABDABC53B8174BF19D53F08CD838DB9AB6CB124360EC22C66473D1BB1C4577
SHA-512:	4A4BBCB5BA5B60D3D879B3AE50408C0D7B3FEAD8E1F84BCD20D2BB8118F16346B3363F1918D92121F16880D264D0DC044E2C70206BE3A1D248CF2C402042E251
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=k..S8..S8..S8s..8..S8..R8..S8...8..S8...8..S8...8..S8...8..S8...8..S8...8..S8Rich..S8................PE..L...T..O...........!.........0......7_....................................... ......\|.....@.........................0...Q.......x.......X............................................................E..@...............\|............................text............................... ..`.data...............................@....rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftd2xx.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	218504
Entropy (8bit):	6.732261151915334
Encrypted:	false
SSDEEP:	3072:vVH5V9aSUtlEG4WxlEPufXrYOjb9GJiV2PCISR9CGOX7cZqWu5B5XU612BG:NH5VUnt9Euf7bp2kR9BEjWmR2G
MD5:	EC44C778A64DCD18BC98A7316E4664F0
SHA1:	0BAF26D07AC076901F474AB50142F4812E986D66
SHA-256:	751258BB040197C7C10683A74B38A1B1AEF9C68CA9A58CE2168C8A62CB913371
SHA-512:	0E9FC117D9915D3A213FB06FE901C484849C63C683B29CBF7002B36FBAC24CCC6E56ED0F7F7188347146E2F030D24E8A8BE20FDD28C3C8BF6C2B0FD0276639FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...).x.).x.).x.7...:.x.7...X.x..[.. .x.).y.T.x.7.....x.7...(.x.7...(.x.7...(.x.Rich).x.........................PE..L...h..O...........!...........................................................................................................d....`...............@.......p..d...@...................................@............................................text... ........................... ..`.rdata...M.......N..................@..@.data....1... ......................@....rsrc........`......................@..@.reloc.......p.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftdibus.sys

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62216
Entropy (8bit):	6.504297134071196
Encrypted:	false
SSDEEP:	768:qdM9zBctm61d2uASN2l9k3y7Hkq4e0InFi+BQmfWAOfRD9/5nfLJg8o4LWHbCv:qytBw7EuAVlSukq/W+BI5DffLJJ1a7Cv
MD5:	D6E3667F5E2BC6AFC50308B480DE2999
SHA1:	C66FD9DA6755DEF80E1EE421B0ECBB8106723B90
SHA-256:	82EAAA4105FA1DF8FE516BEC815A7634DB6AABCD176726E63761AD315F2C43EF
SHA-512:	E1DB819ED14196A48CA22BB879C649D1FF14F06919BDB0C04795355ADEFE9BE295F61E335388E29FB5A8D3F8206B3711651397D08947BC605110912CA18121B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................................................................................................................................................................................................................................................................................E.................[.............. .............Rich..................PE..L...^..O............................>...............................................u......$................................P...d.......x...............................................................................x............................text............................... ..h.rdata..............................@..H.data...?...........................@...PAGE....................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftlang.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	201096
Entropy (8bit):	6.1223740898815375
Encrypted:	false
SSDEEP:	3072:+QAjOt32DQ1JinFy0R6RBGd9ArJJ6s3LOkHo/TlKTahk:+QARSfnMg2hk
MD5:	CDEAC2611E103A0F935189829CFC99A8
SHA1:	7C72EC6CD0C724D5B1526FB19BCD6C2020877A35
SHA-256:	C8D561A0F6E11970D1D70C790CFE78FA098788B12E57F54B715B110C615F806B
SHA-512:	C58D3AF33F51DA982F78358411174E97A2292CBD2F86325A3C82AB65D85EF4FE1DC76E92C2E68F4B988D328C5AFB48E332AC57B6AAB71EC778B5E812E48BD36A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Xr{B.............A.......A..V...;.n.........Q....A..>....A.......A.......A......Rich............PE..L...\..O...........!.....j...................................................@.................................................(.......$2................... ......p..................................@...............8............................text....h.......j.................. ..`.rdata...6.......8...n..............@..@.data...\|...........................@....rsrc...$2.......4..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftser2k.sys

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73096
Entropy (8bit):	6.19038114859758
Encrypted:	false
SSDEEP:	1536:PDBkMoJPiLpBX0R3xwcfqiJuc3CnGtUIE4ldbv1oSFjukAa7CO:boJPiLpBX8tu+CnVIp3fjlz
MD5:	E4CF4C1F9E3D57A66850F484C08E9ECF
SHA1:	BABA8B919ED196029C4FACD4D3B6452A35275E91
SHA-256:	48F1E8D28C060EEB8E8C61D07B15DF62D2F172FA34F2BAE834C5C76F2A30F1C4
SHA-512:	D863DD046CC5486972B3E355E092CEEAA0362A5E445B8C673255FFAB3D989E1D8350E40DCE4A77EF2ADF3938B70246B76A05837B2EE4BFF53BEAD6273C9F45BA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a7..%V..%V..%V..,.Q.&V..%V..tV...Y.."V...Y..$V..,.G..V..,.P.$V..,.U.$V..Rich%V..................PE..L...O..O.....................4...............p...............................`.................................................P.... ...#...................P..H...Pq...............................q..@............p..D............................text..._V.......X.................. ..h.rdata..t....p.......\..............@..H.data...8............`..............@...PAGESRP0.2.......4...b.............. ..`PAGESER..4.......6.................. ..`INIT................................ ....rsrc....#... ...$..................@..B.reloc..J....P......................@..B................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\i386\ftserui2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52616
Entropy (8bit):	6.016004688607823
Encrypted:	false
SSDEEP:	768:fZULlkfxNK9cehhIILpkGIO+FHWAaW48p0oK6FzxEmKjLWHbCYT:xUqw+nCkGIO+FXl0odNSPja7CY
MD5:	346E8968E2563F2FC9BB9B0A01E5F9DF
SHA1:	4B86F7B460094C68CE72A57518B4FFC9F33E65E6
SHA-256:	2FA6BAB36BE094E225D3CF814A84CFB643819F4AF82B11A55F65B60ABB429BEC
SHA-512:	7A66DA623FCF8C53B33E18D4010C807481FFA56BE0EB18672783AD09FC21C74F098F6127A1FA732BD8DFD0903EA1852E2795D10EA3A4C64D49C46597A50A3C83
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........E....................C......R.........T....E......D......U......'.......B......G.....Rich....................PE..L...H..O...........!.....v...D.......Z..............................................%.....@.........................0.......Tz...........$..............................................................@............................................text....u.......v.................. ..`.data................z..............@....CRT................................@..@.rsrc....$.......&..................@..@.reloc..r...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\Win-Situ.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 24 bits/pixel, 32x32, 24 bits/pixel
Category:	dropped
Size (bytes):	11502
Entropy (8bit):	6.693850939797661
Encrypted:	false
SSDEEP:	96:49ych/bqtAjNg2IwGwwzC7KOjmg8i8i8i8i8i8i8i7GTq2fRJmQQHk1EWqvkbn3D:4H/bqteNgh+KOC8yq2fRJmQ3bfdjt
MD5:	3CA3A55ABEAE2FA61A85E82C8AE1EB90
SHA1:	04BA7D9D3BF1672CD453BCFC851886E335E09C70
SHA-256:	6C7014C24923BF342B0B37868086CB9B64FA33BE0B1A92E3B54EE103FD255D7A
SHA-512:	D7F61AC411E6CE85F63F550E25609FFECE80EBA4628EA4AAB92F55667B5CAF3218FFA1F333B3C9CD0D1D72386757880FD147B5F3ED8E953A0B0D7847CB8ECAE9
Malicious:	false
Preview:	..............h...6... ..............00..........F...(....... ................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..Q.O.O.N.N.L.K.I.G.E.C.C.`...A..A..J.I.I.H.F.D.B.?.<.}9.{6.z5.T...A..A..E.D.C.A.?.<.}8.z5.w0.t,.q(.o&.F.\|.A..A..q4._(.f,.l/.Z".U..f&.o'.h .X..J..K..g,.k.A..A..uT......z?........mL.W..V...y.......\|.mH.A..A..........`0..........>........kVwM4......A..A...........zg.........eG.;.tD$.zg.........A..A.......wM4.......kV.....yI)..........x.iQ.A..A......a-........^F.zg....ZB......l?#.kV....A..A........a=..n.....l.hI......]A.............A..A..~Z.~[.}.z..l......l..q....w.z\..f...A..A..............................A..A.........................................A..A...........................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A.................................................................(... ...@............................................A..A..A..A..A..A..A..

C:\Program Files (x86)\InSitu\WinSitu\WinSitu.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22184960
Entropy (8bit):	7.256041458350044
Encrypted:	false
SSDEEP:	196608:eKtlYkgpI8Q1ohPHdHQETwUydTZuDNKjpkBPA:eKtlYhhP9HQE2HkB4
MD5:	A238B6A8D0A989059F971ABB6522E4DD
SHA1:	665F25724F850AE31DC98BCCD6B628F8A2333678
SHA-256:	E42DFA75E6BB964097BC880E5F8ABCA21BB529614093DA34452367B9704E8A4D
SHA-512:	10E42FA2FA8AB8DE0660C2895D3AD03C51BB099A1752BD086FFA9C13AB1329DE08F8426028AFA2AA4567F28DA68A7FE5071C82C6AE4E8A35BEF9DF2D68A5E048
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?[..?[..?[+..[..?[+..[..?[..;Z..?[..<Z..?[..:Z..?[..>Z..?[+..[..?[+..[..?[..>[[.?[...[..?[n.:Z..?[n.6Zf.?[n..[..?[..[..?[n.=Z..?[Rich..?[........PE..L...D]w`..................4..........W........4...@...........................T...........@.................................t.T.......X......................0M......L.T.....................L.......L.@.............4.P............................text...h.4.......4................. ..`.rdata.... ...4... ...4.............@..@.data...p.....T..v....T.............@....rsrc.........X......DV.............@..@.reloc......0M.......J.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\ftd2xx.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	218504
Entropy (8bit):	6.732261151915334
Encrypted:	false
SSDEEP:	3072:vVH5V9aSUtlEG4WxlEPufXrYOjb9GJiV2PCISR9CGOX7cZqWu5B5XU612BG:NH5VUnt9Euf7bp2kR9BEjWmR2G
MD5:	EC44C778A64DCD18BC98A7316E4664F0
SHA1:	0BAF26D07AC076901F474AB50142F4812E986D66
SHA-256:	751258BB040197C7C10683A74B38A1B1AEF9C68CA9A58CE2168C8A62CB913371
SHA-512:	0E9FC117D9915D3A213FB06FE901C484849C63C683B29CBF7002B36FBAC24CCC6E56ED0F7F7188347146E2F030D24E8A8BE20FDD28C3C8BF6C2B0FD0276639FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...).x.).x.).x.7...:.x.7...X.x..[.. .x.).y.T.x.7.....x.7...(.x.7...(.x.7...(.x.Rich).x.........................PE..L...h..O...........!...........................................................................................................d....`...............@.......p..d...@...................................@............................................text... ........................... ..`.rdata...M.......N..................@..@.data....1... ......................@....rsrc........`......................@..@.reloc.......p.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2353624
Entropy (8bit):	6.602551309066182
Encrypted:	false
SSDEEP:	24576:waePTG3BqdX7jdqWO+OVDTZf6deAY68bMPl3WFZvzhYXp5skTTppU3Zv967lIg5i:nesqdXdqd+WX+I3irTTA
MD5:	445CBFE964F8D147276F104EBAB8D692
SHA1:	2186EF8E41FA20389329613E07F0F5D70B8E68A7
SHA-256:	985AC7CE5E167E6E3EDF7D4A4FB6A653B10DE5BF5D68197672F58887B68438FB
SHA-512:	C31B4B1B139780D36820BEC31172B6665CE83DD17DFAEB3A7489D1BD97D34E4579BC5EBF51CC5CA88C7F420A5DC57BF8D6774428186AC092F242E150DBB32283
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................8...........G.......P....@.......................... $....../$..........................................+....................#..........m..................................................................................CODE....47.......8.................. ..`DATA.....[...P...\...<..............@...BSS......................................idata...+.......,..................@....edata..............................@..P.reloc...m.......n..................@..P.rsrc................4..............@..P............. $.......#.............@..P................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\In-Situ Inc\Win-Situ 5 Release Notes.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2625
Entropy (8bit):	2.6389197215849434
Encrypted:	false
SSDEEP:	24:8ABvtN7IgxABrh+MLVrm4dV3+MLVrbaCm0cSnawGT4WLVr:80z7PABrPLVr/dV35LVrbJncSRVWLVr
MD5:	41CC722B18CA571EE49AF7EEB8B8E17C
SHA1:	D335FBD22035DB1D9D6718C253FC352D5F783EF4
SHA-256:	2308ACC7105EE1B9664A8A7DE5EB680B8F7138BF8299C75852B0CB8E197726FF
SHA-512:	45C5AE8D705CAB2126071C55D615EDB35EB4791CF898C27DC333F68068CEE9E0105FFF03EBE7A990CA022F441DCAFD8ADE43603381ACCB9D0D5B26F7BE31551C
Malicious:	false
Preview:	L..................F.P...........................................................P.O. .:i.....+00.../C:\...................V.1.....DWQ`..Windows.@......OwH^Y......3.......................&.W.i.n.d.o.w.s.....\.1.....^YG...Installer.D......O.I^YG............................J..I.n.s.t.a.l.l.e.r.......1.....^YG...{77911~1..~......^YG.^YG..............................{.7.7.9.1.1.F.2.3.-.6.E.4.4.-.4.0.5.E.-.B.C.5.5.-.3.4.D.5.4.9.D.B.6.4.B.2.}.......2..'..^YG.!._28898~1.EXE..h......^YG.^YG.............................._.2.8.8.9.8.7.B.F.E.B.0.8.B.7.1.2.E.2.C.9.8.1...e.x.e.......f.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.7.9.1.1.F.2.3.-.6.E.4.4.-.4.0.5.E.-.B.C.5.5.-.3.4.D.5.4.9.D.B.6.4.B.2.}.\._.2.8.8.9.8.7.B.F.E.B.0.8.B.7.1.2.E.2.C.9.8.1...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.S.i.t.u.\.W.i.n.S.i.t.u.\.W.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.7.9.1.1.F.2.3.-.6.E.4.4.-.4.0.5.E.-.B.C.5.5.-.3.4.D.5.4.9.D.B.6.4.B.2.}.\._.2.8.8.9

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\In-Situ Inc\Win-Situ 5.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2625
Entropy (8bit):	2.6502985850795717
Encrypted:	false
SSDEEP:	24:8ABvtN7IgxA7UwQ+ML0xwh4dV3+ML0xwol+y4OYLSnT4WL0xw:80z7PAkLGdV35LQl+OCSMWL
MD5:	144262FFCB7FEE27ACC7BBDDA63CA332
SHA1:	384D9DF0FB8DCCA70B412E4291341A01EFE579C7
SHA-256:	4CD1BD9E058B231777A37175C7A58A7829B33B6701BC4AFD2AEE5F823B27979D
SHA-512:	601B55522632F292C2D4182214F0A9D0C1328BF057571846CDD8BF3CD94261BA716C5EEC939E7521AB00ACCD6DE8F59431FD14A9CBAEEE3C09BCF350A9FD1BC8
Malicious:	false
Preview:	L..................F.P...........................................................P.O. .:i.....+00.../C:\...................V.1.....DWQ`..Windows.@......OwH^Y......3.......................&.W.i.n.d.o.w.s.....\.1.....^YG...Installer.D......O.I^YG............................J..I.n.s.t.a.l.l.e.r.......1.....^YG...{77911~1..~......^YG.^YG..............................{.7.7.9.1.1.F.2.3.-.6.E.4.4.-.4.0.5.E.-.B.C.5.5.-.3.4.D.5.4.9.D.B.6.4.B.2.}.......2..,..^YG.!._9512E~1.EXE..h......^YG.^YG.....f........................_.9.5.1.2.E.0.A.D.7.8.D.B.8.8.7.D.1.6.D.9.9.4...e.x.e.......f.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.7.9.1.1.F.2.3.-.6.E.4.4.-.4.0.5.E.-.B.C.5.5.-.3.4.D.5.4.9.D.B.6.4.B.2.}.\._.9.5.1.2.E.0.A.D.7.8.D.B.8.8.7.D.1.6.D.9.9.4...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.S.i.t.u.\.W.i.n.S.i.t.u.\.W.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.7.9.1.1.F.2.3.-.6.E.4.4.-.4.0.5.E.-.B.C.5.5.-.3.4.D.5.4.9.D.B.6.4.B.2.}.\._.9.5.1.2

C:\Users\Public\Desktop\Win-Situ 5.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2607
Entropy (8bit):	2.6450195191255936
Encrypted:	false
SSDEEP:	24:8ABvtN7IgxAOK/+MLDA4dV3+MLDll+y4OYLSnqvR4WLD:80z7PAOKRLDNdV35LDll+OCSUuWLD
MD5:	86BFDC9B258DC1164201B756A701B1F3
SHA1:	E2F136DF8081DCF155E53635AD78123E97E4D484
SHA-256:	B96129B2AF5342BC286A6B6A262E38CB464409FA6FA5518154A47602AE626D12
SHA-512:	055DD432CB60E63A6DC99A6E25F52E31E9E51310D5609884A385702E8EFB599B4A44DDB79EC95719EA37D0AB3F41ABA700E41E4F689382524ED05AC9877E7381
Malicious:	false
Preview:	L..................F.P...........................................................P.O. .:i.....+00.../C:\...................V.1.....DWQ`..Windows.@......OwH^Y......3.......................&.W.i.n.d.o.w.s.....\.1.....^YG...Installer.D......O.I^YG............................J..I.n.s.t.a.l.l.e.r.......1.....^YG...{77911~1..~......^YG.^YG..............................{.7.7.9.1.1.F.2.3.-.6.E.4.4.-.4.0.5.E.-.B.C.5.5.-.3.4.D.5.4.9.D.B.6.4.B.2.}.......2..,..^YG.!._A8918~1.EXE..h......^YG.^YG.....e........................_.A.8.9.1.8.4.D.0.0.2.0.2.F.7.F.1.7.6.5.B.0.4...e.x.e.......].....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.7.9.1.1.F.2.3.-.6.E.4.4.-.4.0.5.E.-.B.C.5.5.-.3.4.D.5.4.9.D.B.6.4.B.2.}.\._.A.8.9.1.8.4.D.0.0.2.0.2.F.7.F.1.7.6.5.B.0.4...e.x.e.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.S.i.t.u.\.W.i.n.S.i.t.u.\.W.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.7.9.1.1.F.2.3.-.6.E.4.4.-.4.0.5.E.-.B.C.5.5.-.3.4.D.5.4.9.D.B.6.4.B.2.}.\._.A.8.9.1.8.4.D.0.0.2.0.2.F

C:\Users\user\Documents\WinSitu Data\Firmware\AT400.H3-3.V127.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	263384
Entropy (8bit):	3.7690411821535044
Encrypted:	false
SSDEEP:	6144:vqOQ1/MBMOpvgSUYJydRtYxMCrW/B7YZDwd3vXgLr6lQfhVqrZjGENpjBwG0GW8X:BQ10BMOpvgSUYJydRtYxMCrW/B7C0d3d
MD5:	7FD7DB0F37C7BAEF97E90BA44ECE5735
SHA1:	7035691B3A039BCF5791C99F583CA463D6409C5F
SHA-256:	8FC5E9CB656BEDF69C3E93F5921F7C1E4B17D092E86F653460B77DC88378DAA0
SHA-512:	D45EBB9EE7D694AEAB31CAC4C5DA1BCA53A502A6488D52056DEB5021E3ECA7622AB6385930A69AE030E61D41D463E85279AB9B84E400970F2171C090E694C25B
Malicious:	false
Preview:	:0F0000F00012007F00030003000404D801000089..:020000040000FA..:1040000052E98300064031400031B013AC4A0C93B2..:104010000E243C40AC133D408B0BB013B8A03C4089..:10402000A6138D0036403E400500B013CAA0B01361..:10403000B84AB013B89A0404070401FF428E000086..:1040400000000000E44F0000601901013A23010064..:10405000030300000000AC50000001000100030356..:10406000D250000000000000020001000303E850ED..:10407000000000000000030002000303FE500000E7..:10408000000000000500020003033C510000000096..:1040900000000700020003037A5100000000000046..:1040A0003200020003030E73000000000000340021..:1040B00002000303267300000000000064000200F9..:1040C00003034E68000000000000660002000303C6..:1040D0008468000000000000680002000303E0683C..:1040E0000000000000006A0002000303000000005E..:1040F000546900006C0002000303846B00000000A0..:1041000000006E00020003033C70000048700000D5..:10411000700002000303727000007E7000007200E5..:1041200002000303A8700000B470000074000200D5..:104130000303DE700000EA70000076000200030353..:1041400014710000207100007800010003034A7

C:\Users\user\Documents\WinSitu Data\Firmware\AT500.H4-4.V142.enc.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	640363
Entropy (8bit):	7.999449341983096
Encrypted:	true
SSDEEP:	12288:e3N3MBa+gqqQ49k1MQR5WRKTG2irpGjzXk0x8c0hF4srg5IOLB:edgr7ZRcROilGf5Gc0h+3
MD5:	880C23CCC540A384513592DE885A67DD
SHA1:	589F9A2A98D8DA54DDBB2FD394A0E9B7863A6A9B
SHA-256:	3C2F3BD22658EF2560C66C9563F08295DA5189D08F2AAD15C84BCC862F0C4544
SHA-512:	5736C743D58F76C7578AA008805E1B6733F616CF61EF394C84A1E04352D25E7A21F86EEC8DE16546DA9E5C367A73A3DA87F10EBB9D5FCB58DF6715CCCBB5EBCC
Malicious:	false
Preview:	:0F0000F10021008E000400040009C56B0101000E....7.B....l._[D6)....F.....U.....Ko....\|]H.......&g.o........p..I.....KO5..i..)?.=K?......r@..d6a1.<.Q=..A{.}.%J...g0.`...g..o....ceF....m...A.~.....-:L.....4..t.F.d/..I..\}...qM.9.pY..1.Q.B.F<14.......\.l,4uC1z<qwo2_..u.9g.Ls....c.[.....m.....\.n`L....a)]t..d.E&.8"....Fk.W.x.F..........M..WSE..Q.._.C.....7.x...p..<............r..:+.......8..J^K<..q...#....f...u5..1>..x.....0#.-.Q..<".t.sR...q.^.g5.f:.:.r. y.EP..i.F..i....J/>...z'....P..i...........G<..2./#.M........CS...U.Zz.`..h."._...N...j...%..u&......v.{..O.h\aQe.9:...._.P.....JI.7.y...).k.G.%!onI.a.8.>....H.....9...\.....;c.....I...O/...........`.sR..}..;<......>.vfg.....l..y.U...@.B.eIe..~..1.P...,.....#......O.A......._....)&z.}...i.AT.g....... .7]IB...Mh....Z5:.e..ray.M....m......l...IrM..RQ......L.....(V,Z....G.t..@.R.d......J.....b.7......y.!:5n.Y.F..X.o.....a.....U$....V).tX.}....n.q./.E.X..av..BJ.......a........`ef.....A?F. !t..)..

C:\Users\user\Documents\WinSitu Data\Firmware\AT500V.H4-4.V142.enc.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	641275
Entropy (8bit):	7.999449420029236
Encrypted:	true
SSDEEP:	12288:z3N3MDItgHL0/0QSTPPfEzzYbqTyVkgaM5+ZEXZ+QS9cE2bTFiS:zdo/44e8MSXZ+QocEWRX
MD5:	5916304EA7FF13C2FFC1D28FC84E70D7
SHA1:	0584CF14C863308D09AC77EF2E081F4808AC0525
SHA-256:	B8278728552CB032F2253547594538A752551598AF82491384529D29BB365A4F
SHA-512:	5743CFB038A382F2647D8B6070C8D69FA70BF16363CA3590CECFD08612E04D77CF89D198BF6D452D4F29C4B5DEF9FADB1C0DC23F5F988DAF04BF908ADF872EF8
Malicious:	false
Preview:	:0F0000F10022008E000400040009C8FB0101007A....7.B....l._[D6)....F.....U.....Ko....\|]H.......&g.o........p..I.....KO5..i..)?.=K?......r@..d6a1.<.Q=..A{.}.%J...g0.`...g..o....ceF....m...A.~.....-:L.....4..t.F.d/..I..\}...qM.9.pY..1.Q.B.F<14.......\.l,4uC1z<qwo2_..u.9g.Ls....c.[.....m.....\.n`L....a)]t..d.E&.8"....Fk.W.x.F..........M..WSE..Q.._.C.....7.x...p..<............r..:+.......8..J^K<..q...#....f...u5..1>..x.....0#.-.Q..<".t.sR...q.^.g5.f:.:.r. y.EP..i.F..i....J/>...z'....P..i...........G<..2./#.M........CS...U.Zz.`..h."._...N...j...%..u&......v.{..O.h\aQe.9:...._.P.....JI.7.y...).k.G.%!onI.a.8.>....H.....9...\.....;c.....I...O/...........`.sR..}..;<......>.vfg.....l..y.U...@.B.eIe..~..1.P...,.....#......O.A......._....)&z.}...i.AT.g....... .7]IB...Mh....Z5:.e..ray.M....m......l...IrM..RQ......L.....(V,Z....G.t..@.R.d......J.....b.7......y.!:5n.Y.F..X.o.....a.....U$....V).tX.}....n.q./.E.X..av..BJ.......a........`ef.....A?F. !t..)..

C:\Users\user\Documents\WinSitu Data\Firmware\AT600.H4-2.V225.enc.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	722107
Entropy (8bit):	7.99948944601024
Encrypted:	true
SSDEEP:	12288:13N3M4r5HRcxXm6f1y/PRc3vJ5NNTi40bn39N8MM9yBq5LW/zqUFBZf7GZ:1dDotmgzvLiB89AF7tp4
MD5:	931C7170068193DA6ED050B8A1AEB1A4
SHA1:	E300833D6198ABA409B1E1BA4A7D1919C1494C1D
SHA-256:	A3E7CC4C666C61981146AB8020AC55966F8C15A6264C28A922F170A5C40D0DA8
SHA-512:	5906FDAFCE06CF551FA6FC767740BE49B6D84EBCDF63AC6303E8B049BE65BF63C65717BD8B4BBBEBD8E3FEC82DAE6FB90675C61F530071EB048836E9758B7A6B
Malicious:	false
Preview:	:0F0000F1000700E100020004000B04BB01010046....7.B....l._[D6)....F.....U.....Ko....\|]H.......&g.o........p..I.....KO5..i..)?.=K?......r@..d6a1.<.Q=..A{.}.%J...g0.`...g..o....ceF....m...A.~.....-:L.....4..t.F.d/..I..\}...qM.9.pY..1.Q.B.F<14.......\.l,4uC1z<qwo2_..u.9g.Ls....c.[.....m.....\.n`L....a)]t..d.E&.8"....Fk.W.x.F..........M..WSE..Q.._.C.....7.x...p..<............r..:+.......8..J^K<..q...#....f...u5..1>..x.....0#.-.Q..<".t.sR...q.^.g5.f:.:.r. y.EP..i.F..i....J/>...z'....P..i...........G<..2./#.M........CS...U.Zz.`..h."._...N...j...%..u&......v.{..O.h\aQe.9:...._.P.....JI.7.y...).k.G.%!onI.a.8.>....H.....9...\.....;c.....I...O/...........`.sR..}..;<......>.vfg.....l..y.U...@.B.eIe..~..1.P...,.....#......O.A......._....)&z.}...i.AT.g....... .7]IB...Mh....Z5:.e..ray.M....m......l...IrM..RQ......L.....(V,Z....G.t..@.R.d......J.....b.7......y.!:5n.Y.F..X.o.....a.....U$....V).tX.}....n.q./.E.X..av..BJ.......a........`ef.....A?F. !t..)..

C:\Users\user\Documents\WinSitu Data\Firmware\AT600V.H4-2.V225.enc.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	722059
Entropy (8bit):	7.9995259305477155
Encrypted:	true
SSDEEP:	12288:p3N3MRfeKFh0uGoRYvTxzBP9koBmHl2zpIGEBgBkSX91xYofzNW:pdHCdgzz22pIGEBgBX1Wo7NW
MD5:	0AB65A516CDDC70822B70678A349441C
SHA1:	EE9EA1225B4DC68A291A292E65C3DF3751807D73
SHA-256:	670DDD30BFEC40E9D63F6BFE0C0176D77F18841130BBC3A91DC8CF48CCC9AA00
SHA-512:	E77D7355AFB29A080E84C3836C0D5C2EEE7F7629BDC3BA3B2EA65DF07D0EEB9D36B7AE1741FDCB8B92B1D2359C30E07E82C3B409AD57C6DB81E7112B7D65BA38
Malicious:	false
Preview:	:0F0000F1001A00E100020004000B048B01010063....7.B....l._[D6)....F.....U.....Ko....\|]H.......&g.o........p..I.....KO5..i..)?.=K?......r@..d6a1.<.Q=..A{.}.%J...g0.`...g..o....ceF....m...A.~.....-:L.....4..t.F.d/..I..\}...qM.9.pY..1.Q.B.F<14.......\.l,4uC1z<qwo2_..u.9g.Ls....c.[.....m.....\.n`L....a)]t..d.E&.8"....Fk.W.x.F..........M..WSE..Q.._.C.....7.x...p..<............r..:+.......8..J^K<..q...#....f...u5..1>..x.....0#.-.Q..<".t.sR...q.^.g5.f:.:.r. y.EP..i.F..i....J/>...z'....P..i...........G<..2./#.M........CS...U.Zz.`..h."._...N...j...%..u&......v.{..O.h\aQe.9:...._.P.....JI.7.y...).k.G.%!onI.a.8.>....H.....9...\.....;c.....I...O/...........`.sR..}..;<......>.vfg.....l..y.U...@.B.eIe..~..1.P...,.....#......O.A......._....)&z.}...i.AT.g....... .7]IB...Mh....Z5:.e..ray.M....m......l...IrM..RQ......L.....(V,Z....G.t..@.R.d......J.....b.7......y.!:5n.Y.F..X.o.....a.....U$....V).tX.}....n.q./.E.X..av..BJ.......a........`ef.....A?F. !t..)..

C:\Users\user\Documents\WinSitu Data\Firmware\Aqua TROLL 100.V201.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	129598
Entropy (8bit):	3.799976081118133
Encrypted:	false
SSDEEP:	1536:aUwyCrow8Xy7V6jydiskujMIUe3CoBUpHtamSuo3KGMgVxCjaQcPOWKgWQL06+8s:esk4p23CSnihG7KN5g1LP+8C4y
MD5:	4EA178A81FCA70736CD10473DF4A9E9D
SHA1:	F2E87E4E00298C662E72C29266C132C395775A14
SHA-256:	C41701EE810510A89EC4FC24FCCED4CCE8EE49ADC71B28CA2530358285AB7EF7
SHA-512:	CECD92227707AD094A3C10EEAD9FEB5A1D2269768BF7D41166CAE064E42344D40959CCD2341460CDA568196B5A0F812B920AFD5C8DA5E3CE949DF8FE819FF244
Malicious:	false
Preview:	:0C0000F0000A00C9000000040001FA3EF4..:020000040000FA..:102800004206C900F22F0A0A0A0A01FFC6BD0000EB..:1028100000006233C21301FA7850241502321A63A1..:1028200038180364B886961A04961200282301000B..:102830000105DC440000292301000104D444C44400..:102840002A2302000104B8447E442C23030001041F..:1028500078444E442F2301000105464400003023F4..:10286000010001053E44000031230100010534440C..:1028700000003223010001052C4400003323020034..:10288000010524440000352302000105184400001E..:102890003723030001030844B4433A230100000036..:1028A000AC431A423B2320000103F641C0415B23A5..:1028B00020000102A84164417B23040001025E4123..:1028C00040417F23040001023A411C41832304005C..:1028D00001020C41E840872302000102DC409C40D9..:1028E000892303000102784042408C230200010545..:1028F0003C4000008E230200010436401640902325..:10290000020001051040000092230100010508406B..:10291000000093230100010500400000BE230100D8..:102920000102FA3F5E3EBF2301000102583E443ED1..:10293000C023020001023A3E1E3EC22303000102F0..:10294000163E083EC52303000102003EEA3DF02387..:

C:\Users\user\Documents\WinSitu Data\Firmware\Aqua TROLL 200.V201.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	138103
Entropy (8bit):	3.802922706051575
Encrypted:	false
SSDEEP:	3072:ja1/RCd4W87vI55Q7NO8HHmObBC6Gc2DKluyOZQL89NOYP:jM/3WkQDsODW06XBwyOZQLMOYP
MD5:	BEADEB862B97A7822C50291A63D0ADD5
SHA1:	4E696B547BC8702182F17625C5A475EEEDDEAE9D
SHA-256:	9184C93D67809B7ACAE6C3081B3EDBA06C8FD0C88DAD7E7DBFDCA160BE667B05
SHA-512:	CB8AB39C504F0F504BAE754B22399B1AB2912378AA8555EA970FB7585DD838406D82784917F9CCC7A475A37816B38DF97FCCD83E2B53E6BD645FAFFB64516A05
Malicious:	false
Preview:	:0C0000F0000500C90000000400021B779E..:020000040000FA..:10280000DE08C900C4300A0A0A0A01FF9AC900009A..:1028100000005034C21301FAEC53241502329666BC..:10282000381803648A8AA61A049612002823010025..:102830000105CC450000292301000104C445B4452D..:102840002A2302000104A8456E452C23030001043D..:1028500068453E452F230100010536450000302321..:10286000010001052E45000031230100010524452A..:1028700000003223010001051C4500003323020043..:10288000010514450000352302000105084500003C..:10289000372303000103F844A4443A230100000055..:1028A0009C440A433B2320000103E642B0425B23E1..:1028B00020000102984254427B23040001024E4250..:1028C00030427F23040001022A420C428323040089..:1028D0000102FC41D841872302000102CC418C4116..:1028E000892303000102684132418C230200010563..:1028F0002C4100008E230200010426410641902352..:102900000200010500410000922301000105F8408A..:102910000000932301000105F0400000BE230100E8..:102920000102EA404E3FBF2301000102483F343F0D..:10293000C023020001022A3F0E3FC223030001020E..:10294000063FF83EC52303000102F03EDA3EF023C5..:

C:\Users\user\Documents\WinSitu Data\Firmware\BT500.H3-2.V213.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	109174
Entropy (8bit):	3.8089111064020535
Encrypted:	false
SSDEEP:	3072:kFLwGHRFLOO6Zu/Xpza1pprho8o1m7KGAS2:kHHpguJOprhVo1IKG72
MD5:	340B2E019E00CDE5503CB0C27E7FC579
SHA1:	362C4F1549BCDCFECB01D73D914D6240252CFF14
SHA-256:	522A8F392CD5988B77FD83AAAEC2EFB9ADEC3DEEB26979667557FCD63F807064
SHA-512:	CA3C10670E10DD1D5A7629D8E44F71277A1E8C046BD43DD7506CCB3513157FE9218545E4C03AB0B1C4A925ACD0BC54F27572F7990BA32F86C56175ACE70B9008
Malicious:	false
Preview:	:0F0000F0000300D5000200030001AA7601000002..:020000040000FA..:10280000F14ED500062831400025B01202910C93FC..:102810000E243C4006123D40560DB01236B93C40E5..:1028200000123D4036283E400500B01248B9B012B3..:102830001691B0124AB30A0A030301FF0E2D853523..:10284000019199E2B69F48F14A0BDC91B98E09B12A..:10285000282301000100B6440500000029230100DF..:102860000100AE44040096442A23020001008A4479..:10287000040066442C23030001005E440400464427..:102880002F23010001003E44050000003023010019..:1028900001003644050000003123010001002E44F0..:1028A000050000003223010001002844050000005B..:1028B00033230200010020440500000035230200FC..:1028C00001001444050000003723030001000C44FC..:1028D0000400B2433A230100000060A50000C0419B..:1028E0003B2320000100A64103007E415B23200022..:1028F00001006041020016417B23040001001041E9..:102900000200F2407F2304000100EC400200C240BC..:10291000832304000100B640020092408723020096..:1029200001008840020062408923030001004E40FC..:10293000020018408C23020001000C40050000003A..:102940008E2302000100F03F0400E03F9023020

C:\Users\user\Documents\WinSitu Data\Firmware\BT500.H5-4.V306.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	107914
Entropy (8bit):	3.8143707527525486
Encrypted:	false
SSDEEP:	3072:mRJJYH9S2CG0JB8XtgcpxX7uwBZO6QatYD:mRJiYJOfp3BZXS
MD5:	2F2152C5661F00C3EC1D8DF463BB0D49
SHA1:	140553971CB847B9162E6C665D48A95C201CF655
SHA-256:	C8AC44E70458123E6B36BAD9F633F8A15AFC8EE19575DCF82E4F7ADE72FFEE4E
SHA-512:	E5B4689EF99AFE1B527BA099DB2C531C975ECF97120224C1E8502CDED4AA94F10E3FE0B51E89D67FA795A6327BA62097143BBDEE46DDD25E295ED2059E2AFDE1
Malicious:	false
Preview:	:0F0000F000030132000400050001A58A01000091..:020000040000FA..:1028000036CF3201062831400025B0122A900C93B1..:102810000E243C4006123D40530DB01282B73C409E..:1028200000123D4036283E400500B01294B7B01269..:102830003E90B0129CB10A0A030301FF0E2D8535AC..:10284000019199E2B69F48F14A0BDC91B98E09B12A..:10285000282301000100E8440500000029230100AD..:102860000100E0440400C8442A2302000100BC44E3..:10287000040098442C230300010090440400784491..:102880002F230100010070440500000030230100E7..:10289000010068440500000031230100010060448C..:1028A000050000003223010001005A440500000029..:1028B00033230200010052440500000035230200CA..:1028C00001004644050000003723030001003E4498..:1028D0000400E4433A2301000000B2A30000F241E7..:1028E0003B2320000100D8410300B0415B232000BE..:1028F00001009241020048417B2304000100424153..:10290000020024417F23040001001E410200F44024..:10291000832304000100E8400200C4408723020032..:102920000100BA40020094408923030001007C406A..:10293000020046408C23020001003A4005000000DE..:102940008E23020001001E400400FE3F9023020

C:\Users\user\Documents\WinSitu Data\Firmware\Baro TROLL 100.V104.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.666110592594915
Encrypted:	false
SSDEEP:	3072:pIMdWgu0XTNE/HqmzHRH2N38ndv7nud5FNZK72v:pIMYzHEwdvDev7
MD5:	94B955C007660263D04FA6EF58C41FEF
SHA1:	339D2C2CD0F3F672E5BAD0546FF42476C2FEB015
SHA-256:	7B4B7501D00C1531CA22A9856F9AEF190AF0481BE6914B0219372F7A43B7EED7
SHA-512:	EB9E10C4A9505D17E370D4C489730DC56CA61A1146A20EED954335B7503A665F60374D50E35A25EDC7D030FC3E71270C50EB6F0EF6B58C2E60E24D9040DB3D58
Malicious:	false
Preview:	:0C0000F00009006800000000000221F878..:020000040000FA..:102800002FAF6800DC2C0A0A0A0A01FF9E9B000019..:1028100000003C2FC21301FA0C4922150232525B10..:10282000B61603643679EC180496120028230100CA..:1028300001056A3F0000292301000104623F523F65..:102840002A2302000104463F0C3F2C23030001040D..:10285000063FD83E2F2301000105D03E0000302363..:1028600001000105C83E0000312301000105C03E02..:102870000000322301000105BA3E000033230200AC..:102880000105B23E0000352302000105A63E00000E..:10289000372303000103963E403E3A230100000027..:1028A000383EA43C3B2320000103823C3C3C5B239C..:1028B00020000102263CF23B7B2304000102EC3B9A..:1028C000CE3B7F2304000102C83B9E3B83230400D0..:1028D00001028E3B6A3B8723020001025E3B1E3BE6..:1028E000892303000102023BCC3A8C23020001053C..:1028F000C43A00008E2302000104BC3A9C3A9023A3..:1029000002000105943A00009223010001058E3A6D..:102910000000932301000105883A0000BE23010056..:102920000102823AE638BF2301000102E038CC38C8..:10293000C02302000102C038A438C22303000102F0..:102940009C388E38C5230300010286387038F02386..:

C:\Users\user\Documents\WinSitu Data\Firmware\Baro TROLL 500.V119.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.689845815651265
Encrypted:	false
SSDEEP:	3072:00/KMAazgwLARxzy4F1PT0a7kI3kvKTu4ZK72z:t/KIEWw5fw7C/
MD5:	27BAF23ED8E0E7CEE96F156768687FFA
SHA1:	821E272F34B6858CFED1302A33305232C79769C0
SHA-256:	B783EAB63B3CFDC66E6887D688F3C389DD2FCF7EFBBF4EE6A3EF7F20EF1B64CC
SHA-512:	D4D39362420B3F7943810058C15CC7D98E6F59B2352C439DDCA20292118A3F41A1E9C443C2F377DCC7DE9E1D7F46BE33741DF7D0C4BF2B074D59636638A67200
Malicious:	false
Preview:	:0C0000F00003007700000000000221F86F..:020000040000FA..:102800002F7477000A2830407EAC31400025B0128A..:1028100070860C930F243C4006143E40820CB0128C..:102820007AB23C4000123E403C2830120502B01201..:102830008CB22153B0127886B012A4AC0A0A0303FA..:102840000100C1814001C0804101C0804100C181BF..:102850004001C0804100C1814000C1814001C08071..:102860004101C0804100C1814000C1814001C08060..:102870004100C1814001C0804101C0804100C1814F..:102880004001C0804100C1814000C1814001C08041..:102890004100C1814001C0804101C0804100C1812F..:1028A0004000C1814001C0804101C0804100C18120..:1028B0004001C0804100C1814000C1814001C08011..:1028C0004101C0804100C1814000C1814001C08000..:1028D0004100C1814001C0804101C0804100C181EF..:1028E0004000C1814001C0804101C0804100C181E0..:1028F0004001C0804100C1814000C1814001C080D1..:102900004100C1814001C0804101C0804100C181BE..:102910004001C0804100C1814000C1814001C080B0..:102920004101C0804100C1814000C1814001C0809F..:102930004100C1814001C0804101C0804100C1818E..:102940004000C0C101C30302C2C60607C705C5C413..:

C:\Users\user\Documents\WinSitu Data\Firmware\Baro TROLL 500.V202.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.7733583611895964
Encrypted:	false
SSDEEP:	3072:MQvZv9cn46fcUFPw6JMh+qtJy9cw6Vx972m:M1ntS+qtu+Vl
MD5:	7B0A684630CDD4DE8135960D6349C019
SHA1:	4DAF51118BF01F529902617155023E2BFC8FAC3F
SHA-256:	872E86CD40E1924D544B1124B71DA780F40979A378B53E305784B02FB14937A5
SHA-512:	CAF2FE0E067B30B19DBAD48B6FF0B4E07823C1FE5C13AF432F2446036FA7667037CF1C3BAE738F11D425EEA8DD031892EDD4E06FA9D990BF8B6682A38E5B5B75
Malicious:	false
Preview:	:0C0000F0000300CA00010001000221F81A..:020000040000FA..:102800004D13CA00062831400025B012FA8F0C93F0..:102810000F243C4006143E40530DB0125EB93C40BC..:1028200000123E403C2830120502B01270B921530C..:10283000B0120E90B0128EB930407EB90A0A03036E..:102840000100C1814001C0804101C0804100C181BF..:102850004001C0804100C1814000C1814001C08071..:102860004101C0804100C1814000C1814001C08060..:102870004100C1814001C0804101C0804100C1814F..:102880004001C0804100C1814000C1814001C08041..:102890004100C1814001C0804101C0804100C1812F..:1028A0004000C1814001C0804101C0804100C18120..:1028B0004001C0804100C1814000C1814001C08011..:1028C0004101C0804100C1814000C1814001C08000..:1028D0004100C1814001C0804101C0804100C181EF..:1028E0004000C1814001C0804101C0804100C181E0..:1028F0004001C0804100C1814000C1814001C080D1..:102900004100C1814001C0804101C0804100C181BE..:102910004001C0804100C1814000C1814001C080B0..:102920004101C0804100C1814000C1814001C0809F..:102930004100C1814001C0804101C0804100C1818E..:102940004000C0C101C30302C2C60607C705C5C413..:

C:\Users\user\Documents\WinSitu Data\Firmware\Bluetooth Communication Device.H2-1.V255.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	124221
Entropy (8bit):	3.70125761934094
Encrypted:	false
SSDEEP:	3072:o0H2sdJzO90VeKL/++R34TCXRvj3oupFGKK3fECk:BzOSAznTCXFb1TJX
MD5:	1FA9E93CAD0AE7E235218A1953838B7C
SHA1:	DC2B0B0FE58DDF14F4ABD7F73E07E2619155493F
SHA-256:	50F58A557D00BFA621330C629EFDBE8447D12EA2A2E294203D078DA95D1C47B8
SHA-512:	59299B666BBF281DA218E8E7E0E4C9E3039A71E664C638A085DDBDAEAB730D655383959C4B53D4DFA0EA2C2534D96E034D8065291B584730216C95A1E9444D84
Malicious:	false
Preview:	:0F0000F0800300FF000100020001E53D01000058..:020000040000FA..:10400000C273FF00064031400031B11304260C9307..:1040100014243C4054193D407316B113D6243C403F..:10402000A6138D0042403E40AD05B1134A2C8C00D2..:104030005A5C8D00825CB113DC13B113480FB113CD..:10404000522C0000000000000000000010001400CE..:1040500016001100150017003200520092000100F6..:104060000300050007002100230025002700300081..:104070003100330034003500360037004100430082..:10408000450047005000540055005600570081007D..:1040900083008500870090009100930094009500B4..:1040A00096009700A100A300A500A700B000B100F2..:1040B000B200B300B400B500B600B700C100C30041..:1040C000C500C700D100D200D300D400D500D6006F..:1040D000D7000000000000000000000010001400E5..:1040E0001600110015001700320052009200010066..:1040F00003000500070021002300250027003000F1..:1041000031003300340035003600370041004300F1..:1041100045004700500054005500560057008100EC..:104120008300850087009000910093009400950023..:1041300096009700A100A300A500A700B000B10061..:10414000B200B300B400B500B600B700C100C30

C:\Users\user\Documents\WinSitu Data\Firmware\Bluetooth.V6104.dfu

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1906516
Entropy (8bit):	6.346119549118836
Encrypted:	false
SSDEEP:	24576:I83XVsP2F0smb98atvp9cEp/E96Ha+8qAMq2Zl/ucs0F4yfGId4Wnp:pUqatvH3l8qAMqAucXp
MD5:	FED28B56FEA90FC671709C465F4F052E
SHA1:	D643E7E078B8228F00DBD0530ABD29809D3C076E
SHA-256:	D79E581BC2DE3499F4A9A4BB5931D134C4E667FF4288A1BDDBADBF3CD6ADD889
SHA-512:	4F9A32EEC0A3DB9AA2E44FE6C8A4100D6FCEE768BA2A3706DDEEE37137D2BFBB28D81255D0A940E35ED4A3BD269F9DA0070992D3BD26E50D84721F738424E9AC
Malicious:	false
Preview:	CSR-dfu2..D.....Melody Audio V6.1.4 1493828294 ....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................H...4..................................................................................................................................................................................................................................................................................................................2A...N....$..................

C:\Users\user\Documents\WinSitu Data\Firmware\ConTROLL PRO AC-L.V111.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	305385
Entropy (8bit):	3.76769479454763
Encrypted:	false
SSDEEP:	6144:2x6/hC5iQaT+c9KesBScnDNpqQelu0jA8t:GChTQaT+ccBSbluWAK
MD5:	96CDA246938D9BC1100DEA5AAA0CB20A
SHA1:	587BAC705DF3160C4F8DCE3173A2FE97135D2BB5
SHA-256:	FBBCBFE26703C63D1629E8600B7CC17223B9347AA41F32B7CE789C3686498BEF
SHA-512:	3647CED1209CD2CBEF335A637FB3D77995D365C8CAAECA947AC6C75358773D2085B337F12E85B58E2345FFF96A30F3005EC42BE3E04FBA33C99EEEACED04B504
Malicious:	false
Preview:	:0C0000F08000006F000000000004A8E980..:020000040000FA..:103A0000C2466F00063A31400031B113EEE80C9324..:103A10000E243C4078133D40A819B11348E23C40C5..:103A200072133D40823D3E400500B113D8EAB11308..:103A30006CC8B113CCEAB1C0F0000000B013843CF4..:103A4000B1131EE6B013DE3C00138043B6D610401F..:103A5000B4D69043AED61040ACD6A043A6D6104004..:103A6000A4D6B04003009CD610409AD6A04294D66B..:103A7000104092D6B04005008AD6104088D6B0409B..:103A8000060080D610407ED6B040070076D61040A3..:103A900074D6B0426ED610406CD610522E01001370..:103AA0000D3C073C00130013B040090056D61040EF..:103AB00054D6B0400A004CD610404AD6B0400B0055..:103AC00042D6104040D6B0400C0038D6104036D612..:103AD000B0400D002ED610402CD6B0400E0024D69B..:103AE000104022D610521E010013233C1D3C173CEF..:103AF000113C0B3C053CB0400F0008D6104006D6E8..:103B0000B0401000FED51040FCD5B0401100F4D5F7..:103B10001040F2D5B0401200EAD51040E8D5B040D0..:103B20001300E0D51040DED5B0401400D6D51040CB..:103B3000D4D5B0401500CCD51040CAD5B040160041..:103B4000C2D51040C0D5B0401700B8D51040B6D58A..:

C:\Users\user\Documents\WinSitu Data\Firmware\ConTROLL PRO AC-L.V221.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	515901
Entropy (8bit):	3.7781153277342323
Encrypted:	false
SSDEEP:	12288:2uVMBda8zjgOb5njpEwy5gLLLU8GLDqKW57:cnj+SLU8nJ
MD5:	1ACCD8B84AA96EF9AE7203A1DAE9EBD7
SHA1:	3C1A4BB400C56B154BA6817A1CCEEB25F515A066
SHA-256:	56C0D44F3731296B54827B645534E670873CC4E6243988DE440CC296E48B9E1B
SHA-512:	9E33B835631D4F9A011142354CE59F2D3760EA0C99010FC06A96FF2BC6C7118F4B8EFCB60C2AF75496A8DC988194F602723D67F3A73C2F1E8BB88010AE13E060
Malicious:	false
Preview:	:0C0000F0800000DD000100010007DF3D82..:020000040000FA..:10680000EEF8DD0006683140005CB21332060C93EE..:106810000E243C40001F3D406E24B31336943C4090..:10682000FA1E8D0036683E400500B3134894B2133B..:106830003A06B313B48D0404070401FF2E7B030052..:106840000000000000610200F0230101C208020004..:10685000A621020278120300BE2C03033862020054..:10686000F0250404282301000105F622020000009F..:10687000000029230100010402230200102302006A..:106880002A230200010434230200482302002C239F..:1068900003000104702302007C2302002F23010067..:1068A0000105A023020000000000302301000105C3..:1068B000B623020000000000312301000105CC23B3..:1068C000020000000000322301000105E223020063..:1068D00000000000332302000105EC230200000049..:1068E000000035230200010504240200000000001E..:1068F00037230300010310240200000000003A23A4..:106900000100010034240200402402003B23200047..:106910000103B6260200DA2602005B2320000102F2..:10692000162702003A2702007B2304000102722787..:1069300002007E2702007F2304000102A627020036..:10694000B2270200832304000102DA270200E627AF..:

C:\Users\user\Documents\WinSitu Data\Firmware\ConTROLL PRO AC.V110.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	305385
Entropy (8bit):	3.7548764753393202
Encrypted:	false
SSDEEP:	6144:l4fWpFYGcGr65s63VDDq29Znc5Lhj3CCN0ao96:l4fWpF9cGr65s63VDDb9ZncJhj3CCNbB
MD5:	896932C71E1FF4BB81AE5423CB13D8BF
SHA1:	63247CAF2B6AD7292992C890BDF5A8AE1A97F3F7
SHA-256:	79EAA27AB3565C2BB3C1900256F5655333F45F20F573D9B48D386AC56393D560
SHA-512:	27C17D40F2503932015F2AEE1D0EACEEF2E06BF21BB76BC2EA4CEA575EDA505DC1EB4097508D1E467C5E7220024CBC993149FD277758393BE2322A94F6A86F9C
Malicious:	false
Preview:	:0C0000F08001006E000000000004A8E980..:020000040000FA..:103A0000B8706E00063A31400031B1134ECC0C93C1..:103A10000E243C4078133D404618B11326C63C4066..:103A200072133D40823D3E400500B11326CEB113D6..:103A3000A4AEB1131ACEB1C0F0000000B013843CA4..:103A4000B113CAC9B013DE3C00138043B6D6104090..:103A5000B4D69043AED61040ACD6A043A6D6104004..:103A6000A4D6B04003009CD610409AD6A04294D66B..:103A7000104092D6B04005008AD6104088D6B0409B..:103A8000060080D610407ED6B040070076D61040A3..:103A900074D6B0426ED610406CD610522E01001370..:103AA0000D3C073C00130013B040090056D61040EF..:103AB00054D6B0400A004CD610404AD6B0400B0055..:103AC00042D6104040D6B0400C0038D6104036D612..:103AD000B0400D002ED610402CD6B0400E0024D69B..:103AE000104022D610521E010013233C1D3C173CEF..:103AF000113C0B3C053CB0400F0008D6104006D6E8..:103B0000B0401000FED51040FCD5B0401100F4D5F7..:103B10001040F2D5B0401200EAD51040E8D5B040D0..:103B20001300E0D51040DED5B0401400D6D51040CB..:103B3000D4D5B0401500CCD51040CAD5B040160041..:103B4000C2D51040C0D5B0401700B8D51040B6D58A..:

C:\Users\user\Documents\WinSitu Data\Firmware\ConTROLL PRO AC.V221.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	487776
Entropy (8bit):	3.7737414509662077
Encrypted:	false
SSDEEP:	12288:2Qk9hjMFYLJ8SCi/KEF+rYMXp6Lqdn4XegV0A:+6rQg4XN
MD5:	0D228030699C80F27CE77C07708588FF
SHA1:	E65D4B5D79C291FFACBE958BD04BAC2DB3DFC27B
SHA-256:	6AE19B18954EEA66EB8ECAFAF93CC405EB1E68C552219DD0543046857438D1E5
SHA-512:	1C9F7D73A9E1F2053F05ED06958B8103114050C0AEFB54DE46A6D560F9B963FDBB7FE2A5E8EAC060095CE35022780E788B6EC0F822F10AC13270832ADCE521D2
Malicious:	false
Preview:	:0C0000F0800100DD0001000100077160CC..:020000040000FA..:106800003F88DD0006683140005CB2138A050C93B6..:106810000E243C40001F3D400C23B313A4703C40A9..:10682000FA1E8D0036683E400500B313B670B213F1..:106830009205B313226A0404070401FFC057030042..:1068400000000000D2470200CE2301011A08020016..:10685000A621020294F202009A2C030306490200C8..:10686000CE2504042823010001055A1E0200000061..:106870000000292301000104661E0200741E0200AC..:106880002A2302000104981E0200AC1E02002C23E1..:1068900003000104D41E0200E01E02002F230100A9..:1068A0000105041F02000000000030230100010563..:1068B0001A1F020000000000312301000105301FF3..:1068C000020000000000322301000105461F020003..:1068D00000000000332302000105501F02000000E9..:1068E00000003523020001055C1F020000000000CB..:1068F000372303000103681F0200000000003A2351..:10690000010001008C1F0200981F02003B232000A1..:1069100001030E220200322202005B23200001024A..:106920006E220200922202007B2304000102CA228E..:106930000200D62202007F2304000102FE22020090..:106940000A230200832304000102322302003E23B3..:

C:\Users\user\Documents\WinSitu Data\Firmware\ConTROLL PRO DC-L.V111.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	305385
Entropy (8bit):	3.7677392810278643
Encrypted:	false
SSDEEP:	6144:6x6/hC5iQaT+c9KesB+cnDNpqQulu0jA8t:6ChTQaT+ccB+bluWAK
MD5:	5700CAB951E44B2E07AAA74B27B58A1B
SHA1:	FEB4630D43B94EE1777D9B3C451C9934F7430986
SHA-256:	DF9391970723C3F12B7C760F8D1A0EBE26740ADE75EB673818978AB4EDB7C183
SHA-512:	D355442D7A4D1B09C3798790079C6B4F37B5FFAC43D7E3FBA0CACB7418C71697E926A7B9F45B4241CED78ECBCD5A95951D60A57592AEC1FE734956658EC004C6
Malicious:	false
Preview:	:0C0000F08002006F000000000004A8E97E..:020000040000FA..:103A0000C8466F00063A31400031B113EEE80C931E..:103A10000E243C4078133D40A819B11348E23C40C5..:103A200072133D40823D3E400500B113D8EAB11308..:103A30006CC8B113CCEAB1C0F0000000B013843CF4..:103A4000B1131EE6B013DE3C00138043B6D610401F..:103A5000B4D69043AED61040ACD6A043A6D6104004..:103A6000A4D6B04003009CD610409AD6A04294D66B..:103A7000104092D6B04005008AD6104088D6B0409B..:103A8000060080D610407ED6B040070076D61040A3..:103A900074D6B0426ED610406CD610522E01001370..:103AA0000D3C073C00130013B040090056D61040EF..:103AB00054D6B0400A004CD610404AD6B0400B0055..:103AC00042D6104040D6B0400C0038D6104036D612..:103AD000B0400D002ED610402CD6B0400E0024D69B..:103AE000104022D610521E010013233C1D3C173CEF..:103AF000113C0B3C053CB0400F0008D6104006D6E8..:103B0000B0401000FED51040FCD5B0401100F4D5F7..:103B10001040F2D5B0401200EAD51040E8D5B040D0..:103B20001300E0D51040DED5B0401400D6D51040CB..:103B3000D4D5B0401500CCD51040CAD5B040160041..:103B4000C2D51040C0D5B0401700B8D51040B6D58A..:

C:\Users\user\Documents\WinSitu Data\Firmware\ConTROLL PRO DC-L.V221.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	514866
Entropy (8bit):	3.7733048558250726
Encrypted:	false
SSDEEP:	12288:IuVh0OyD5Uwo0EwJOvmG3AdBDcKFRFXQA:uoQtdBDcC
MD5:	BF0BD873640FED2E615A1F0C03B8AD69
SHA1:	4AA4C231062EC57751914635B7A638DE05526F2E
SHA-256:	98BFBFDFE518B720642D5290BFCA6C376135C74B5EA44BDA02ED3E3CE9C0B3D7
SHA-512:	0CCB8EF577B224AAF963F46E5D2D067D49A9475D98F3EC1AA9352D2D57EAA43F12097B8F19AD960D7F1848391F93B0D0CA72A45CDD20177BC9D63A9828023A97
Malicious:	false
Preview:	:0C0000F0800200DD000100010007DB328F..:020000040000FA..:106800002636DD0006683140005CB2134E060C935C..:106810000E243C40001F3D406E24B313C6923C4002..:10682000FA1E8D0036683E400500B313D892B213AD..:106830005606B313448C0404070401FFBE79030019..:1068400000000000E65D0200F0230101DE08020006..:10685000A621020208110300BE2C0303465F0200BA..:10686000F0250404282301000105DC1F02000000BC..:106870000000292301000104E81F0200F61F0200A6..:106880002A23020001041A2002002E2002002C23D9..:106890000300010456200200622002002F230100A1..:1068A00001058620020000000000302301000105E0..:1068B0009C20020000000000312301000105B220ED..:1068C000020000000000322301000105C820020080..:1068D00000000000332302000105D2200200000066..:1068E0000000352302000105EA200200000000003C..:1068F000372303000103F6200200000000003A23C2..:10690000010001001A210200262102003B23200081..:1069100001039C230200C02302005B23200001022C..:10692000FC230200202402007B23040001025824DF..:106930000200642402007F23040001028C24020070..:1069400098240200832304000102C0240200CC2406..:

C:\Users\user\Documents\WinSitu Data\Firmware\LT400.H3-2.V213.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	117679
Entropy (8bit):	3.816300296398946
Encrypted:	false
SSDEEP:	3072:OynSYi6v7Mqur/nJYpFtmrb1Un0Hs5PxPf5:4Yi6W2zgf1AP5B
MD5:	90A73557865E391361D7CE618B72A7D7
SHA1:	EE571D0F672815A8E3E7119A0C722F9243835786
SHA-256:	78210A88E772FCCA7A0B7CDBEDB0F5C3DA2D496E88B3819162FA8C452975B208
SHA-512:	76B6ED7460CE221D46882B2221062DED1DA95F0A9E98A48D946B3B0DF899DBCFB578C65FD4B6EADD80BB4EE93828FE0D0DA464ADEC4FA5D0468B8C33EE7E77BC
Malicious:	false
Preview:	:0F0000F0001E00D5000200030001CBAF0100008D..:020000040000FA..:102800004AE9D500062831400025B012009C0C93FF..:102810000E243C4006123D40E60DB0120AC53C4075..:1028200000123D4036283E400500B0121CC5B012D3..:10283000149CB012CABE0A0A030301FF0E2D85358F..:10284000019199E2B69F48F14A0BDC91B98E09B12A..:10285000282301000100C4460500000029230100CF..:102860000100BC460400A4462A2302000100984649..:10287000040074462C23030001006C4604005446F7..:102880002F23010001004C46050000003023010009..:1028900001004446050000003123010001003C46D0..:1028A000050000003223010001003446050000004D..:1028B0003323020001002C460500000035230200EE..:1028C00001002046050000003723030001001846E0..:1028D0000400BE453A23010000005EB00000CC4376..:1028E0003B2320000100B24303008A435B23200006..:1028F00001006C43020022437B23040001001C43BF..:102900000200FE427F2304000100F8420200DA4286..:10291000832304000100CE4202009E42872302006E..:102920000100944202006E428923030001005A42D2..:10293000020024428C23020001001842050000001E..:102940008E2302000100FC410400EC419023020

C:\Users\user\Documents\WinSitu Data\Firmware\LT400.H5-4.V306.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	116329
Entropy (8bit):	3.8174868319174142
Encrypted:	false
SSDEEP:	3072:mymEdy5FN26oSWzIYHzu9XNsiWCVJWD6rK:8ERKyNbWEDx
MD5:	394EBDA2413EAC8A0719A9F5DDB258D4
SHA1:	E35F9AA522487A9F85D198800E33F3E29BF180C0
SHA-256:	A12B6A312F66818DD3061E0298BCE5D6AEFDBB634C1B9135BC45FD9A9D58B214
SHA-512:	3726CD1A153686BDF0E71F0C756788116EF04BB3587425F20B09D7D7EC7E704DD0C27B51A25FD653D6546E7AF01A216FC50527C2FB174EAC41AF3A9ABB875C05
Malicious:	false
Preview:	:0F0000F0001E0132000400050001C66901000076..:020000040000FA..:1028000025523201062831400025B012FE9A0C9361..:102810000E243C4006123D40E30DB0122CC33C4058..:1028200000123D4036283E400500B0123EC3B012B3..:10283000129BB012F2BC0A0A030301FF0E2D85356C..:10284000019199E2B69F48F14A0BDC91B98E09B12A..:10285000282301000100F44605000000292301009F..:102860000100EC460400D4462A2302000100C846B9..:102870000400A4462C23030001009C460400844667..:102880002F23010001007C460500000030230100D9..:1028900001007446050000003123010001006C4670..:1028A000050000003223010001006446050000001D..:1028B0003323020001005C460500000035230200BE..:1028C0000100504605000000372303000100484680..:1028D0000400EE453A230100000086AE0000FC43F0..:1028E0003B2320000100E2430300BA435B232000A6..:1028F00001009C43020052437B23040001004C432F..:1029000002002E437F2304000100284302000A43F3..:10291000832304000100FE420200CE42872302000E..:102920000100C44202009E42892303000100864246..:10293000020050428C2302000100444205000000C6..:102940008E23020001002842040008429023020

C:\Users\user\Documents\WinSitu Data\Firmware\LT500.H3-2.V213.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	117679
Entropy (8bit):	3.8185446925076425
Encrypted:	false
SSDEEP:	3072:XyZ8RKTpDw6+snYn+YVyVkEFU7uwn+m7x8IjB0Wjk:fKTpDLMX8ouEyn
MD5:	FC843A4797ABBDFFB208F040BD3C46DE
SHA1:	14131326D86DA15C2E9FE8D7331EDBBB7FE92F00
SHA-256:	FDD153CA16C54FC08460828F178714D82A4BCFB32B59A327E79361666240CB87
SHA-512:	0F00BFA08C550BB9E8E26C2B2AE581560B18E39DAB61C1ECF9C8108DD2A6D1766D5676F359D1ED240910036D6AAB177A15F65492F1C358DB7549ED90B4C95E7E
Malicious:	false
Preview:	:0F0000F0000100D5000200030001CBAF010000AA..:020000040000FA..:102800003DE6D500062831400025B012009C0C930F..:102810000E243C4006123D40E60DB01206C53C4079..:1028200000123D4036283E400500B01218C5B012D7..:10283000149CB012C6BE0A0A030301FF0E2D853593..:10284000019199E2B69F48F14A0BDC91B98E09B12A..:10285000282301000100C4460500000029230100CF..:102860000100BC460400A4462A2302000100984649..:10287000040074462C23030001006C4604005446F7..:102880002F23010001004C46050000003023010009..:1028900001004446050000003123010001003C46D0..:1028A000050000003223010001003446050000004D..:1028B0003323020001002C460500000035230200EE..:1028C00001002046050000003723030001001846E0..:1028D0000400BE453A23010000005AB00000CC437A..:1028E0003B2320000100B24303008A435B23200006..:1028F00001006C43020022437B23040001001C43BF..:102900000200FE427F2304000100F8420200DA4286..:10291000832304000100CE4202009E42872302006E..:102920000100944202006E428923030001005A42D2..:10293000020024428C23020001001842050000001E..:102940008E2302000100FC410400EC419023020

C:\Users\user\Documents\WinSitu Data\Firmware\LT500.H5-4.V306.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	116329
Entropy (8bit):	3.817227143085855
Encrypted:	false
SSDEEP:	3072:Gy8EZFY4dO4yWzICSKO9W4tN7VDUGkffGUG:uEh+pvf56f+UG
MD5:	0E8524108825548E327E5DC689E3F16E
SHA1:	6E57FCDC35681ADBC7D7A611E676714ED6F10928
SHA-256:	11E36736C3E3FD62AA0CE515DED304AE0C544C9D636E0888F82C4AE4B75DAB8E
SHA-512:	69AE6D16FB15FF14335FABD3733400F6B4A3AABDC3C3D37E1217B3AE066CA234D473015B88E704C1475301D96017D746F1298C14E32113FFF9B19BB507C96426
Malicious:	false
Preview:	:0F0000F000010132000400050001C66901000093..:020000040000FA..:10280000E54D3201062831400025B012FE9A0C93A6..:102810000E243C4006123D40E30DB01228C33C405C..:1028200000123D4036283E400500B0123AC3B012B7..:10283000129BB012EEBC0A0A030301FF0E2D853570..:10284000019199E2B69F48F14A0BDC91B98E09B12A..:10285000282301000100F44605000000292301009F..:102860000100EC460400D4462A2302000100C846B9..:102870000400A4462C23030001009C460400844667..:102880002F23010001007C460500000030230100D9..:1028900001007446050000003123010001006C4670..:1028A000050000003223010001006446050000001D..:1028B0003323020001005C460500000035230200BE..:1028C0000100504605000000372303000100484680..:1028D0000400EE453A230100000082AE0000FC43F4..:1028E0003B2320000100E2430300BA435B232000A6..:1028F00001009C43020052437B23040001004C432F..:1029000002002E437F2304000100284302000A43F3..:10291000832304000100FE420200CE42872302000E..:102920000100C44202009E42892303000100864246..:10293000020050428C2302000100444205000000C6..:102940008E23020001002842040008429023020

C:\Users\user\Documents\WinSitu Data\Firmware\LT700.H3-2.V213.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	124339
Entropy (8bit):	3.817663511035805
Encrypted:	false
SSDEEP:	3072:W0QwEnxklmCT/9EwIfOYCyTKeHUWUpuBZNjbQvsalD4ND3bz9F0fKSpM:WQEnxwrmfAyTK6VUpkbwd4ND3bzz0Cp
MD5:	C2A511B6F8A261917AA0B6BAEB44DF9D
SHA1:	0DE30651CAB6198E908C2827AB926335B8E8D7F5
SHA-256:	385F1E6B98D544FB91729E5DC13C4EB2A32F8D0D596B4CB2912D0605737234DD
SHA-512:	5DD3215BCE9A5124FBFDF9A3285CAF5546842E5CE961D39B983005220C6D7AC783D2ADE9DB1B534265255C10AC595CE31473DD024967F3100D4B0E15554A55E8
Malicious:	false
Preview:	:0F0000F0000200D5000200030001E5B30100008B..:020000040000FA..:1028000064A3D500062831400025B0124CA50C93D6..:102810000E243C4006123D40E90EB0124CCE3C4026..:1028200000123D4036283E400500B0125ECEB01288..:1028300060A5B0120CC80A0A030301FF0E2D8535EE..:10284000019199E2B69F48F14A0BDC91B98E09B12A..:102850002823010001002047050000002923010072..:1028600001001847040000472A2302000100F44633..:102870000400D0462C2303000100C8460400B046E3..:102880002F2301000100A8460500000030230100AD..:102890000100A04605000000312301000100984618..:1028A00005000000322301000100904605000000F1..:1028B0003323020001008846050000003523020092..:1028C00001007C4605000000372303000100744628..:1028D00004001A463A2301000000A6B9000028446B..:1028E0003B23200001000E440300E6435B2320004D..:1028F0000100C84302007E437B23040001007843AB..:1029000002005A437F23040001005443020036436F..:102910008323040001002A430200FA4287230200B5..:102920000100F0420200CA42892303000100B642BE..:10293000020080428C230200010074420500000066..:102940008E23020001005842040048429023020

C:\Users\user\Documents\WinSitu Data\Firmware\LT700.H5-4.V306.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	122989
Entropy (8bit):	3.8188899669802203
Encrypted:	false
SSDEEP:	3072:YDTgOQR1omr4958zCGe9eEY7q0YU6oIgy0Nr4WNdkMtnXF:YDsFhcY7qryFNL4Cn1
MD5:	707D8F9E5310BF25796622CC2AB87EEA
SHA1:	8EDA8D0FE6CC52B9A129CB5B2F8D161364C3F61E
SHA-256:	C7DF0760B4E3AC885DFC233204EB553A5F99C673592C6370EDA26FD9179E28DC
SHA-512:	4D4AC0805BC81E81D5320BA594BB2AAE3E35B1BFF24A51C29D8EBBD58F3D02D3966F4E63E87BC1B7FD669CC85C3273D43108A45A50E682CF154E7698C93D6D1F
Malicious:	false
Preview:	:0F0000F000020132000400050001E06D01000074..:020000040000FA..:1028000076FB3201062831400025B01246A40C9315..:102810000E243C4006123D40E60EB0126ACC3C400D..:1028200000123D4036283E400500B0127CCCB0126C..:102830005AA4B01230C60A0A030301FF0E2D8535D3..:10284000019199E2B69F48F14A0BDC91B98E09B12A..:102850002823010001005047050000002923010042..:1028600001004847040030472A23020001002447A2..:10287000040000472C2303000100F8460400E04652..:102880002F2301000100D84605000000302301007D..:102890000100D04605000000312301000100C846B8..:1028A00005000000322301000100C04605000000C1..:1028B000332302000100B846050000003523020062..:1028C0000100AC4605000000372303000100A446C8..:1028D00004004A463A2301000000CAB700005844E9..:1028E0003B23200001003E44030016445B232000EC..:1028F0000100F8430200AE437B2304000100A8431B..:1029000002008A437F2304000100844302006643DF..:102910008323040001005A4302002A438723020054..:10292000010020430200FA42892303000100E24231..:102930000200AC428C2302000100A042050000000E..:102940008E23020001008442040064429023020

C:\Users\user\Documents\WinSitu Data\Firmware\Level TROLL 100.V103.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.7427382380484024
Encrypted:	false
SSDEEP:	3072:MATjLTl28Sd9Wkpx2WMALiclMGPhG9OK72F:/TjWH7ZMALicGK
MD5:	2D90ABA7766D61C8869ABB83E51BFED7
SHA1:	4F1749D0A17A4C5FCD808BB656BCDE4869AA430C
SHA-256:	969C2DD61D84365455575C35B32EEDC60E910BEFA504350765DF7B4030F274C0
SHA-512:	26879FC5C6AD4F367D44296E288054402D2C045D11B0CAE3086AB17A3916846E57273123116EC70172670CF2F90EA07FE698DF1E108979800E58D101080635EF
Malicious:	false
Preview:	:0C0000F00008006700000000000221F87A..:020000040000FA..:102800002FDC6700502D0A0A0A0A01FFD6A7000034..:102810000000E42FC21301FABE4B22150232EC5D18..:10282000761603640A80B418049612002823010067..:102830000105124000002923010001040A40FA3F6B..:102840002A2302000104EE3FB43F2C2303000104BD..:10285000AE3F803F2F2301000105783F0000302369..:1028600001000105703F0000312301000105683FB0..:102870000000322301000105623F00003323020003..:1028800001055A3F00003523020001054E3F0000BC..:102890003723030001033E3FE83E3A2301000000D6..:1028A000E03E4C3D3B23200001032A3DE43C5B23FA..:1028B00020000102CE3C9A3C7B2304000102943CA0..:1028C000763C7F2304000102703C463C83230400D5..:1028D0000102363C123C872302000102063CC63B43..:1028E000892303000102AA3B743B8C2302000105EB..:1028F0006C3B00008E2302000104643B443B9023A8..:10290000020001053C3B0000922301000105363B1B..:102910000000932301000105303B0000BE230100AD..:1029200001022A3B8E39BF23010001028839743924..:10293000C0230200010268394C39C223030001029E..:1029400044393639C523030001022E391839F023E2..:

C:\Users\user\Documents\WinSitu Data\Firmware\Level TROLL 200.V101.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.741435580213503
Encrypted:	false
SSDEEP:	3072:iW7HczzneURF3m0qhrkaSIJ+e30HxyT52LkrmR23GkzK72F:iW7AmrkaSIse3uyT/Wg
MD5:	C85579DF63731EE83128F0BD989C3B8E
SHA1:	0916ABF78C4076E3253E47F1151750FC22010C5A
SHA-256:	CBD480A976FA276E55DC8E5B683052B89182B2562800CFF4E23FF3FB7C74A600
SHA-512:	A584B9BAB6B0AF3D27F97025A8D97EEA787B4935106151FF1F5D528FB5E8062B54281E5FF134359AB8B63E293181CFA9759257DAA67A7F767F96BE371BF40708
Malicious:	false
Preview:	:0C0000F00006006500000000000221F87E..:020000040000FA..:10280000B3C96500502D0A0A0A0A01FFFEA700009D..:102810000000E82FC21301FAC24B22150232145EE7..:10282000B61603643280F4180496120028230100BF..:102830000105164000002923010001040E40FE3F5F..:102840002A2302000104F23FB83F2C2303000104B5..:10285000B23F843F2F23010001057C3F000030235D..:1028600001000105743F00003123010001056C3FA8..:102870000000322301000105663F000033230200FF..:1028800001055E3F0000352302000105523F0000B4..:10289000372303000103423FEC3E3A2301000000CE..:1028A000E43E503D3B23200001032E3DE83C5B23EA..:1028B00020000102D23C9E3C7B2304000102983C94..:1028C0007A3C7F2304000102743C4A3C83230400C9..:1028D00001023A3C163C8723020001020A3CCA3B33..:1028E000892303000102AE3B783B8C2302000105E3..:1028F000703B00008E2302000104683B483B90239C..:1029000002000105403B00009223010001053A3B13..:102910000000932301000105343B0000BE230100A9..:1029200001022E3B9239BF23010001028C39783914..:10293000C023020001026C395039C2230300010296..:1029400048393A39C5230300010232391C39F023D2..:

C:\Users\user\Documents\WinSitu Data\Firmware\Level TROLL 300.V202.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.8011969923070494
Encrypted:	false
SSDEEP:	3072:j2Llr6bTwuUOaSQoe50tzUMAGMzYvYGiz0b872m:j2LluZDe5olPiIO
MD5:	3C409CCFE94AC0C805CD50B97C2375D6
SHA1:	E756DBE8A28BC8DB697BA5AA2E07C6C0C232A0E5
SHA-256:	1E5CF9C051EAC68BBC19BF25BECADB4ABDF93EFDE4390ECE1BF765BE1C1B4DBD
SHA-512:	979AEAB2C75B8E8A7A523D4995C689BAFA95D95237283FFC695821F59281177E222B10A05D2C9D540A59BC15A6F85F9B6B6A18C46531E43BDDC3F27891A447A3
Malicious:	false
Preview:	:0C0000F0000400CA00000001000221F81A..:020000040000FA..:102800006090CA00062831400025B012D8950C937C..:102810000F243C4006143E40520DB012DCBF3C4039..:1028200000123E403C2830120502B012EEBF215388..:10283000B012EC95B0120CC03040FCBF0A0A030382..:102840000100C1814001C0804101C0804100C181BF..:102850004001C0804100C1814000C1814001C08071..:102860004101C0804100C1814000C1814001C08060..:102870004100C1814001C0804101C0804100C1814F..:102880004001C0804100C1814000C1814001C08041..:102890004100C1814001C0804101C0804100C1812F..:1028A0004000C1814001C0804101C0804100C18120..:1028B0004001C0804100C1814000C1814001C08011..:1028C0004101C0804100C1814000C1814001C08000..:1028D0004100C1814001C0804101C0804100C181EF..:1028E0004000C1814001C0804101C0804100C181E0..:1028F0004001C0804100C1814000C1814001C080D1..:102900004100C1814001C0804101C0804100C181BE..:102910004001C0804100C1814000C1814001C080B0..:102920004101C0804100C1814000C1814001C0809F..:102930004100C1814001C0804101C0804100C1818E..:102940004000C0C101C30302C2C60607C705C5C413..:

C:\Users\user\Documents\WinSitu Data\Firmware\Level TROLL 300.V205.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.783508179330601
Encrypted:	false
SSDEEP:	3072:sdiydLslVcSPwqNO38XUpltYeONE1agdz72m:yrLc5U8X2l7Ugdd
MD5:	3D607849474B1DDB1E4D15C2969A6B8B
SHA1:	2208DF464112B7C9F39C9BF2899BE0DCED3EBF05
SHA-256:	D2804ED2C65207DBFC7AAAD921225C2DF445AE6E307DEE9095F0E9BB1BB1277D
SHA-512:	4DD1F358E6E61E713364788A78A62A4F6B902791A7714DCC3FCBEF76597F177FB910E8FDCE189D87526B2BDE849554E90E6A6F69D218359BFFE29495C2136CBC
Malicious:	false
Preview:	:0C0000F0000400CD00020003000221F813..:020000040000FA..:1028000059D3CD00062831400025B012629B0C93AD..:102810000E243C4006123D40650DB01258C43C40A9..:1028200000123D4036283E400500B0126AC4B01286..:10283000769BB01218BE0A0A030301FF0E2D8535E0..:10284000019199E2B69F48F14A0BDC91B98E09B12A..:10285000282301000100784605000000292301001B..:1028600001007046040058462A23020001004C462D..:10287000040028462C2303000100204604000846DB..:102880002F23010001000046050000003023010055..:102890000100F84505000000312301000100F0456A..:1028A00005000000322301000100EA450500000098..:1028B000332302000100E245050000003523020039..:1028C0000100D64505000000372303000100CE4576..:1028D000040074453A2301000000B2AF00008243B7..:1028E0003B23200001006843030040435B2320009A..:1028F000010022430200D8427B2304000100D2429F..:102900000200B4427F2304000100AE420200904264..:102910008323040001008442020054428723020002..:1029200001004A42020024428923030001001042B0..:102930000200DA418C2302000100CE4105000000B4..:102940008E2302000100B2410400A2419023020044..:

C:\Users\user\Documents\WinSitu Data\Firmware\Level TROLL 500.V118.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.727726632113255
Encrypted:	false
SSDEEP:	3072:7n9TKAD7rq+lIG6SoxvsR9E5rS4jT5bsK72z:rNKAjlIRxvsRMrS4pbs
MD5:	BB4A9C6C00595999C4CC1BD07CF6B0E4
SHA1:	C0E6745DC6EC09C058B99262CA539E9CA7C37830
SHA-256:	035B5F8EA8226ACE7A85A4AEAAB28119842EE2C41C0DE0B3FBC796ADF9F17EE0
SHA-512:	557E9709C18D30A03B4500658A0304C004299D1C306F5532BE04BC23723C298E6E9E36101557814BFF6B9D624A9946F12429AC46C45EEA4870BF4A40C8E58A19
Malicious:	false
Preview:	:0C0000F00001007600000000000221F872..:020000040000FA..:102800006BAE76000A28304038B231400025B01255..:102810002E8C0C930F243C4006143E40AD0CB0129D..:1028200034B83C4000123E403C2830120502B01241..:1028300046B82153B012368CB0125EB20A0A0303B6..:102840000100C1814001C0804101C0804100C181BF..:102850004001C0804100C1814000C1814001C08071..:102860004101C0804100C1814000C1814001C08060..:102870004100C1814001C0804101C0804100C1814F..:102880004001C0804100C1814000C1814001C08041..:102890004100C1814001C0804101C0804100C1812F..:1028A0004000C1814001C0804101C0804100C18120..:1028B0004001C0804100C1814000C1814001C08011..:1028C0004101C0804100C1814000C1814001C08000..:1028D0004100C1814001C0804101C0804100C181EF..:1028E0004000C1814001C0804101C0804100C181E0..:1028F0004001C0804100C1814000C1814001C080D1..:102900004100C1814001C0804101C0804100C181BE..:102910004001C0804100C1814000C1814001C080B0..:102920004101C0804100C1814000C1814001C0809F..:102930004100C1814001C0804101C0804100C1818E..:102940004000C0C101C30302C2C60607C705C5C413..:

C:\Users\user\Documents\WinSitu Data\Firmware\Level TROLL 500.V202.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.812856960815156
Encrypted:	false
SSDEEP:	3072:J2LloAjHWW2lFFFZ82Wo6osWTMhzQmBYR+Z72m:J2L72fZ82WoNKnSC
MD5:	96065CD6E4B65701E7E4A3882E8E2902
SHA1:	2593D931FEBAD45DCA1B5C5847DC99692D52B6B8
SHA-256:	F3359180F1D52F3C762DFB84C1EB0D1EEB889CDB96377FD39B7FCB72DF5C6278
SHA-512:	B3AD82EA3160B57A548B2A01439478D6AE4A6C7BF5E9168C44C2D155C5A817F21AD127715DD0472F2476DD19478573C7686E880C7B758FC5F8CD42D968D5474B
Malicious:	false
Preview:	:0C0000F0000100CA00010001000221F81C..:020000040000FA..:10280000A79CCA00062831400025B01216960C93EA..:102810000F243C4006143E40D20DB0121AC03C407A..:1028200000123E403C2830120502B0122CC0215349..:10283000B0122A96B0124AC030403AC00A0A0303C6..:102840000100C1814001C0804101C0804100C181BF..:102850004001C0804100C1814000C1814001C08071..:102860004101C0804100C1814000C1814001C08060..:102870004100C1814001C0804101C0804100C1814F..:102880004001C0804100C1814000C1814001C08041..:102890004100C1814001C0804101C0804100C1812F..:1028A0004000C1814001C0804101C0804100C18120..:1028B0004001C0804100C1814000C1814001C08011..:1028C0004101C0804100C1814000C1814001C08000..:1028D0004100C1814001C0804101C0804100C181EF..:1028E0004000C1814001C0804101C0804100C181E0..:1028F0004001C0804100C1814000C1814001C080D1..:102900004100C1814001C0804101C0804100C181BE..:102910004001C0804100C1814000C1814001C080B0..:102920004101C0804100C1814000C1814001C0809F..:102930004100C1814001C0804101C0804100C1818E..:102940004000C0C101C30302C2C60607C705C5C413..:

C:\Users\user\Documents\WinSitu Data\Firmware\Level TROLL 700.V104.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.8099909439027857
Encrypted:	false
SSDEEP:	3072:2Hne3dXWS/OTfHgFxIypJlsok+UpQwRdtEmT72m:2KdXjGzHAIufsom/rEW
MD5:	BB89F0E2D99D09F9632DD5DF0531A360
SHA1:	F404AA5BECE8E347C559F86AE477F24E87325235
SHA-256:	3661836EF466F1FDA4FDF49A981E72F2FB9D0AEEF2A95016716F32A59F9C47C3
SHA-512:	CBE8D74F8CECC46AF23E11B8351393DCD20C0DC61A009F274ECCA17358AE85A0734DEDA0155B67B929EBE5C2D992D6D2C88A08C0A46A2E4B961C3B7A88218003
Malicious:	false
Preview:	:0C0000F00002006800000000000221F87F..:020000040000FA..:10280000BF466800062831400025B01248960C9358..:102810000F243C4006143E40D20EB01200BF3C4094..:1028200000123E403C2830120502B01212BF215364..:10283000B0125C96B01230BF304020BF0A0A0303CA..:102840000100C1814001C0804101C0804100C181BF..:102850004001C0804100C1814000C1814001C08071..:102860004101C0804100C1814000C1814001C08060..:102870004100C1814001C0804101C0804100C1814F..:102880004001C0804100C1814000C1814001C08041..:102890004100C1814001C0804101C0804100C1812F..:1028A0004000C1814001C0804101C0804100C18120..:1028B0004001C0804100C1814000C1814001C08011..:1028C0004101C0804100C1814000C1814001C08000..:1028D0004100C1814001C0804101C0804100C181EF..:1028E0004000C1814001C0804101C0804100C181E0..:1028F0004001C0804100C1814000C1814001C080D1..:102900004100C1814001C0804101C0804100C181BE..:102910004001C0804100C1814000C1814001C080B0..:102920004101C0804100C1814000C1814001C0809F..:102930004100C1814001C0804101C0804100C1818E..:102940004000C0C101C30302C2C60607C705C5C413..:

C:\Users\user\Documents\WinSitu Data\Firmware\Level TROLL 700.V204.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	139768
Entropy (8bit):	3.8292197757761737
Encrypted:	false
SSDEEP:	3072:XSOCGRnGHW5+/1AUXQiup0mH/ewUPD9WX5Y4P6RFdUfz:CYnGHWkTXupXH/RjWs6g
MD5:	FE8F869E4EE8E4A691BEC977E3A36591
SHA1:	794DCCB2E09A753311AB192D42F4300E5CF72DD4
SHA-256:	AAE49156F961E9D30D69D1F6C86275CFBCCD43D883C8C6AB2B3841BA67AD0878
SHA-512:	78DB3F0C585B147665D00F7EF20D2F6776EFC2E5C3394907A1DDC7BE768B8C8868498C708B76D847A61BF4889C44E7712E77E4EFD6567D6AA3E1966353500C88
Malicious:	false
Preview:	:0C0000F0000200CC00000001000221F81A..:020000040000FA..:102800008994CC000A283040F8C931400025B01224..:10281000C09E0C930F243C4006143E40D20EB012D2..:102820004CD03C4000123E403C2830120502B01211..:102830005ED02153B012D49EB0121ECA0A0A0303FE..:102840000100C1814001C0804101C0804100C181BF..:102850004001C0804100C1814000C1814001C08071..:102860004101C0804100C1814000C1814001C08060..:102870004100C1814001C0804101C0804100C1814F..:102880004001C0804100C1814000C1814001C08041..:102890004100C1814001C0804101C0804100C1812F..:1028A0004000C1814001C0804101C0804100C18120..:1028B0004001C0804100C1814000C1814001C08011..:1028C0004101C0804100C1814000C1814001C08000..:1028D0004100C1814001C0804101C0804100C181EF..:1028E0004000C1814001C0804101C0804100C181E0..:1028F0004001C0804100C1814000C1814001C080D1..:102900004100C1814001C0804101C0804100C181BE..:102910004001C0804100C1814000C1814001C080B0..:102920004101C0804100C1814000C1814001C0809F..:102930004100C1814001C0804101C0804100C1818E..:102940004000C0C101C30302C2C60607C705C5C413..:

C:\Users\user\Documents\WinSitu Data\Firmware\RBT.H0-0.V103.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	102289
Entropy (8bit):	3.798909577045034
Encrypted:	false
SSDEEP:	1536:HBQKUu+kUHXPxtTLR15yfUSQ4tmiEuUOyAWz6FmNh6+AgKwBpizdtIhfuac3GGw:HOKEHPxtnR1UfDoisz6cQCpizsfsxw
MD5:	3B566DDA03C2070AACA725E10ED0D80B
SHA1:	6A014EEA993DF01983D7D93BAAADE4E215887974
SHA-256:	32F44AECE36383F21F0711305A2E7DCD986F02B1454EDD70FDEC73F505D2875F
SHA-512:	E6A1E5FD0381A771B6A32A5DC2AE8374A6CA4E8CFF823A0E58965961AEC8DA60993A27AF9711372B59B1E72E327E27637C5F16FE1F921032B8DFAB56B2E21012
Malicious:	false
Preview:	:0F0000F0001100670000000000018F9101000067..:020000040000FA..:1028000081206700F22C0A0A0A0A01FF949D000049..:102810000000722FC21301FAA04A22150232C25CD4..:1028200036170364CC7A6C19049612002823010031..:102830000105664000002923010001045E404E406E..:102840002A23020001044240E83F2C230300010434..:10285000E23FD23F2F2301000105CA3F0000302391..:1028600001000105C23F0000312301000105BA3F0C..:102870000000322301000105B43F000033230200B1..:102880000105AC3F0000352302000105A03F000018..:10289000372303000103903F3C3F3A23010000002F..:1028A000343FA03D3B23200001037C3D403D5B23A2..:1028B00020000102283DEA3C7B2304000102E43CA5..:1028C000C63C7F2304000102C03C963C83230400E5..:1028D0000102863C623C872302000102563C163C02..:1028E000892303000102F23BBC3B8C23020001055B..:1028F000B43B00008E2302000104AC3B8C3B9023D0..:1029000002000105843B00009223010001057E3B8B..:102910000000932301000105783B0000BE23010065..:102920000102723BD639BF2301000102D039BC3904..:10293000C02302000102B0399439C223030001020E..:102940008C397E39C5230300010276396039F02

C:\Users\user\Documents\WinSitu Data\Firmware\RDO Blue.H0-0.V201.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89284
Entropy (8bit):	3.79491809233585
Encrypted:	false
SSDEEP:	1536:hz/iAIK1+OuLXNek2N04gfnGoTZ5M43ypYerJvyb5vHFKUo+6MByVTgj:BJm9c4f5gdab5vlKeIG
MD5:	A9B93C81724ED2CDD107579860E20BA6
SHA1:	3E05D20683B17CA026CB4C83432CF7C74C1C88FA
SHA-256:	29EA5FD2BD204269ED1E244BD23A0A885898580307097D7D3F5B7B9BFCF78974
SHA-512:	9E355716715980B6C1377409DE5B32C0305352C3A8C8971274A112C609C8C1D65309C46869749660C7FEF3DABE303B8C5781DB016FF0B8F151281FCA9C1B4E5B
Malicious:	false
Preview:	:0F0000F0002300C90000000000015CC4010000F3..:020000040000FA..:102C0000BE58C90054320A0A0A0A01FF467D000074..:102C100000003A4120190132120028230100010569..:102C2000C63E0000292301000104BE3EA63E2A2321..:102C3000020001049A3E503E2C2303000104403E52..:102C40000E3E2F2301000105063E00003023010047..:102C50000105FE3D0000312301000105F43D0000A7..:102C6000322301000105EE3D00003323020001057F..:102C7000EA3D0000352302000105E63D0000372350..:102C800003000103D83D00003A2301000100D03DBC..:102C9000E03C3B2320000103C03C883C5B23200038..:102CA0000102743C503C7B23040001024A3C343C4A..:102CB0007F23040001022E3C183C83230400010200..:102CC000083CF23B872302000102E83BA43B892336..:102CD000030001026C3B203B8C2302000105163BE4..:102CE00000008E2302000104143B00009023020028..:102CF0000105123B00009223010001050E3B00007C..:102D00009323010001050A3B0000942308000102FF..:102D1000E63ACE3AF02301000103C83A943AF1238F..:102D2000010001038E3A1A3AF22301000103143A1A..:102D3000D639F32301000103D0398E39F423010081..:102D400001058C390000F523010001058639000

C:\Users\user\Documents\WinSitu Data\Firmware\RDO PRO-X.H0-0.V108.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104224
Entropy (8bit):	3.8042083178646693
Encrypted:	false
SSDEEP:	1536:ozWlox5A6XsQyonCITRIkNyR9chgjLuJWziERrtrl5x0mevJxwc:BgQonpvyXQgPeEhtrlomWwc
MD5:	07ADF476B3FD9D04B74181919C230F5E
SHA1:	51DDD420E9C8729115E9515F0723B0BDBF7C4DAA
SHA-256:	351B3CA3ECEE58C9A8C2CB8D3031F697AE5CCD0B9B533AF35C183515A86E3FBB
SHA-512:	256E5C1BA91ABC5CFE9E33B4C113D426A9B1497B06E35C23EF55EB0B6DCCB30ED12B6E03709DDA57C00E27D40D501FEF9A914AAC0B847BECE075AE735EF0CA7F
Malicious:	false
Preview:	:0F0000F0001F006C0000000000019720010000BD..:020000040000FA..:102C00001C806C0064330A0A0A0A01FFBA910000B2..:102C10000000844F6A190132365EC41A029612000F..:102C2000282301000105C040000029230100010400..:102C3000B840A0402A230200010494404A402C23BB..:102C4000030001043A4008402F2301000105004021..:102C50000000302301000105F83F0000312301008E..:102C60000105EE3F0000322301000105E83F0000AE..:102C7000332302000105E43F000035230200010573..:102C8000E03F0000372303000103D23F00003A2356..:102C900001000100CA3FDA3E3B2320000103C03E91..:102CA000983E5B2320000102763E523E7B230400C7..:102CB00001024C3E363E7F2304000102303E1A3EA4..:102CC0008323040001020A3EF43D8723020001022F..:102CD000EA3DA63D8923030001027E3D7A3D8C2317..:102CE00002000105703D00008E23020001046E3DCC..:102CF00000009023020001056C3D000092230100BA..:102D00000105683D0000932301000105643D0000BA..:102D1000942308000102483D303DF02301000103E7..:102D20002A3DEE3CF12301000103E83C743CF22310..:102D3000010001036E3C383CF32301000103323CE7..:102D4000E83BF42301000105E63B0000F523010

C:\Users\user\Documents\WinSitu Data\Firmware\RDO Titan.H0-0.V210.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89284
Entropy (8bit):	3.7949146236695497
Encrypted:	false
SSDEEP:	1536:Qz/i2IK1+OuLXNek2N04gfnGoTZ5M43ypYerJvyb5vHFKUo+6MByVTgj:g/m9c4f5gdab5vlKeIG
MD5:	AE3C598CC649CC258BC7D56699699BFA
SHA1:	5FBD89E2A4E4DBB6BF52F6FE9C4A45D3DE032A44
SHA-256:	85C41DF59C385242B9127E4C2F386EC4CE73B08592267F584AC4986C8F56A700
SHA-512:	E73B72AC06A49EDED615ED516E46E2D8317AEB636FD61FC9953036558062557227F53ACCCE7A62574DB800E51FABE0709DCDE807AF9D9401C54DAA832A1724AE
Malicious:	false
Preview:	:0F0000F0001300D20000000000015CC4010000FA..:020000040000FA..:102C0000A758D20054320A0A0A0A01FF467D000082..:102C100000003A4120190132120028230100010569..:102C2000C63E0000292301000104BE3EA63E2A2321..:102C3000020001049A3E503E2C2303000104403E52..:102C40000E3E2F2301000105063E00003023010047..:102C50000105FE3D0000312301000105F43D0000A7..:102C6000322301000105EE3D00003323020001057F..:102C7000EA3D0000352302000105E63D0000372350..:102C800003000103D83D00003A2301000100D03DBC..:102C9000E03C3B2320000103C03C883C5B23200038..:102CA0000102743C503C7B23040001024A3C343C4A..:102CB0007F23040001022E3C183C83230400010200..:102CC000083CF23B872302000102E83BA43B892336..:102CD000030001026C3B203B8C2302000105163BE4..:102CE00000008E2302000104143B00009023020028..:102CF0000105123B00009223010001050E3B00007C..:102D00009323010001050A3B0000942308000102FF..:102D1000E63ACE3AF02301000103C83A943AF1238F..:102D2000010001038E3A1A3AF22301000103143A1A..:102D3000D639F32301000103D0398E39F423010081..:102D400001058C390000F523010001058639000

C:\Users\user\Documents\WinSitu Data\Firmware\RT100.H0-0.V104.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	111154
Entropy (8bit):	3.8070975466648522
Encrypted:	false
SSDEEP:	1536:Y9pjT93UY6aZzXlDZPOpVy1vlp+d1ekhoT1gKeEPw4JptYYg3RHQuI0zKCnHjhxi:CV9aiTfPOmF+d1ekhodJpmYJCnNsYdS
MD5:	D567C7B8AF99933D42DDAC90157DFEF1
SHA1:	21A27C7E4E9C945EC135D5D8BB7B0471191220AB
SHA-256:	B904496E2C82AC25835CF0CB52F2C42CE695C6071E1B237A9831128A389C3A4A
SHA-512:	D9BAA8E71D02C76CA2074C4091C4F6456CB338E49C33906D550406AEAA90A09BD4831357ECF1F073354D2AFAB7A38E22A40C7CB6D258E5612C36C54C1E78CAD2
Malicious:	false
Preview:	:0F0000F0000F0068000000000001B232010000A4..:020000040000FA..:102800003FEF6800602D0A0A0A0A01FF70A9000064..:1028100000000A30C21301FA164D22150232445F3D..:10282000361703649C817419049612002823010052..:102830000105FE400000292301000104F640E640A6..:102840002A2302000104DA4080402C230300010403..:102850007A406A402F2301000105624000003023C6..:10286000010001055A4000003123010001055240DA..:1028700000003223010001054C4000003323020018..:1028800001054440000035230200010538400000E6..:102890003723030001032840D43F3A2301000000FE..:1028A000CC3F383E3B2320000103143ED83D5B2340..:1028B00020000102C03D823D7B23040001027C3DDB..:1028C0005E3D7F2304000102583D2E3D832304001A..:1028D00001021E3DFA3C872302000102EE3CAE3CA1..:1028E0008923030001028A3C543C8C230200010529..:1028F0004C3C00008E2302000104443C243C902305..:10290000020001051C3C0000922301000105163C59..:102910000000932301000105103C0000BE230100CC..:1029200001020A3C6E3ABF2301000102683A543AA0..:10293000C02302000102483A2C3AC22303000102DC..:10294000243A163AC523030001020E3AF839F02

C:\Users\user\Documents\WinSitu Data\Firmware\RT200.H0-0.V104.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	111154
Entropy (8bit):	3.807033637119103
Encrypted:	false
SSDEEP:	1536:295jT33UYgaZzXlDZPOpVy1Tlp+d1ekhoT1gKYEPw4JptYYg3RHQuI0zKCnHjhxi:wFTAiTfPOm5+d1ekho3JpmYJCnNsYdS
MD5:	49BBB69A46859CC9E3F819C25B952723
SHA1:	E887DB5A18FA0C28BFC1E2CCD0A40C9926604CCE
SHA-256:	86A311808501CA54A9EE50AE859DEC2A1884E703AE8624A52BBB6A6D44AD94D9
SHA-512:	AA796099935A28E02F0025254582F8DE45CCE3D26476BB8B761EF41EC566AA37AE5331EBA410E1CC4747D230B80589077B4DA6F145FD82436C4233BD05C5A798
Malicious:	false
Preview:	:0F0000F000100068000000000001B232010000A3..:020000040000FA..:1028000082EF6800602D0A0A0A0A01FF70A9000021..:1028100000000A30C21301FA164D22150232445F3D..:10282000361703649C817419049612002823010052..:102830000105FE400000292301000104F640E640A6..:102840002A2302000104DA4080402C230300010403..:102850007A406A402F2301000105624000003023C6..:10286000010001055A4000003123010001055240DA..:1028700000003223010001054C4000003323020018..:1028800001054440000035230200010538400000E6..:102890003723030001032840D43F3A2301000000FE..:1028A000CC3F383E3B2320000103143ED83D5B2340..:1028B00020000102C03D823D7B23040001027C3DDB..:1028C0005E3D7F2304000102583D2E3D832304001A..:1028D00001021E3DFA3C872302000102EE3CAE3CA1..:1028E0008923030001028A3C543C8C230200010529..:1028F0004C3C00008E2302000104443C243C902305..:10290000020001051C3C0000922301000105163C59..:102910000000932301000105103C0000BE230100CC..:1029200001020A3C6E3ABF2301000102683A543AA0..:10293000C02302000102483A2C3AC22303000102DC..:10294000243A163AC523030001020E3AF839F02

C:\Users\user\Documents\WinSitu Data\Firmware\SmarTROLL MP.H0-0.V109.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	184026
Entropy (8bit):	3.741775890351625
Encrypted:	false
SSDEEP:	3072:KdV/rzdMHalALyfI/9pFjV5XekpZnsCZrUpkRc4ByBDBgjoWXU/KIPSaSf6aqJ8d:ORCHoeygRjZsCdFyBDBgjoWXU/KIXg
MD5:	D39D6DD43B460E7EAD777071C9DE2620
SHA1:	EA6C3CBC00BFD8098507834CF3ACC802F3C2573D
SHA-256:	27744D2A36C52E83938193B78F6E2E3919A61A393B19670E509005678D25BC1B
SHA-512:	FF27E6F8801C2FBAEB1918CB05612980D0E9E751A45C40ABB22032FEF565104752A6BF84E1CD62312650BC6751B04EA99628A23B2AAC53EFF76E1F77BF45ECCA
Malicious:	false
Preview:	:0F0000F00015006D000000000002CEDA010000D4..:020000040000FA..:10400000F5B26D00064031400031B113E06D0C9304..:104010000E243C40AC133D40330CB113705E3C4069..:10402000A6138D0036403E400500B1134E6FB1130C..:104030000445B1135A6F0404070401FF66A700008A..:1040400000000000EA9D00006419010100ACCCBB37..:104050005D40F3BBF1CE2BBCB6DF02BC28230100D0..:104060000105F2660100000000002923010001049F..:104070003A610100925201002A2302000104AE5D60..:104080000100924901002C23030001042267010072..:10409000F22901002F23010001050E5B0100000041..:1040A0000000302301000105245B01000000000036..:1040B0003123010001053A5B0100000000003223BA..:1040C000010001059C6C0100000000003323020088..:1040D0000105826701000000000035230200010590..:1040E0008E67010000000000372303000103E25047..:1040F0000100000000003A230100010042680100B5..:10410000708700003B232000010376500100863BAE..:1041100001005B232000010272510100523B0100AB..:104120007B23040001025A680100965101007F239D..:104130000400010272680100FE52010083230400A2..:1041400001028A6801006A53010087230200010

C:\Users\user\Documents\WinSitu Data\Firmware\SmarTROLL RDO.H0-0.V105.bin

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88114
Entropy (8bit):	3.792125132781728
Encrypted:	false
SSDEEP:	1536:rJ48SRaLGuNfRXupO4BDqbcWda1pekMOyGGUv6afCBuOXZRP:ZX6ccWQMOyawJRP
MD5:	CF3A741135AF131B3E69B594F02304E9
SHA1:	6C0C75243B3726CB8F41743C7204ACE5442BCDA9
SHA-256:	F8927E60E0C5464C9B7C9635D3357BD73C7C81EFF2CFA79AF86FD5E01D152210
SHA-512:	D7590FCBA6BB2004FA26973A452F3D2C547701A232C765E878133DADC41D1C858F9267363A11527127F7C08FB771D43BAC993A76DA13CA621C25A14B0A50C558
Malicious:	false
Preview:	:0F0000F0001800690000000000015832010000F4..:020000040000FA..:102C0000FBA16900D2310A0A0A0A01FFA67B000073..:102C10000000824020190132120028230100010522..:102C2000243E00002923010001041C3E043E2A2307..:102C300002000104F83DAE3D2C23030001049E3D3B..:102C40006C3D2F2301000105643D0000302301008D..:102C500001055C3D0000312301000105523D0000EB..:102C60003223010001054C3D000033230200010521..:102C7000483D0000352302000105443D0000372394..:102C800003000103363D00003A23010001002E3D00..:102C90003E3C3B23200001031E3CF63B5B2320000F..:102CA0000102E23BBE3B7B2304000102B83BA23B96..:102CB0007F23040001029C3B7C3B83230400010230..:102CC0006C3B563B8723020001024C3B083B8923A7..:102CD00003000102D03A7C3A8C2302000105723ACB..:102CE00000008E2302000104703A000090230200CD..:102CF00001056E3A00009223010001056A3A0000C6..:102D0000932301000105663A0000942308000102A4..:102D1000423A2A3AF02301000103243AF039F12320..:102D200001000103EA397639F22301000103703909..:102D30003239F323010001032C39EA38F42301006E..:102D40000105E8380000F52301000105E238000

C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\concrt140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	244016
Entropy (8bit):	6.693973055341775
Encrypted:	false
SSDEEP:	6144:Q/qKU/JVSHU3eFBp0xRe1o7qu0NdtB0ria/greG5IohE12z/vyG:+Um1Zu0b0eaI5IYzX
MD5:	3ED29DC99DE03F150CA723282F06C557
SHA1:	4096429AD1E98EF9DB2EC98A6264AE9BC3E24DF0
SHA-256:	BD6E4EA16471DF7924E23D88EEF7302ACF329D9B6866D71129B55E28DBFA9FEB
SHA-512:	6F010501DCE727803FEBD78BB4ED2BA1E83E68B2C87A02168083AA91AFB5A9A106BFE5AF2BF1E01F381885610694260613072E33F464B5F4D768FF4E33CC1DDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u..}1.j.1.j.1.j..Q..3.j.8...;.j.1.k...j...k/4.j...i/6.j...n/=.j...o/'.j...c/..j...j/0.j....0.j...h/0.j.Rich1.j.........................PE..L......Z.........."!.........r......@........ ............................................@A........................@....K..,R.......p...............z..0?.......)...'..8............................(..@............P..(............................text............................... ..`.data........ ...,..................@....idata.......P.......8..............@..@.rsrc........p.......J..............@..@.reloc...).......*...P..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\msvcp140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440104
Entropy (8bit):	6.655640444414015
Encrypted:	false
SSDEEP:	12288:DTLNQjAM80l7Vpm8j2NoSpmanuhUgiW6QR7t5s03Ooc8dHkC2esuSP0:DTLNQcMmYpEN03Ooc8dHkC2enSM
MD5:	851E7732D09151D218A2E7C3BF2DAFBB
SHA1:	F5ACA8CD8DA53976B13A4ADC9C6111356803C4C9
SHA-256:	2545C8B2EAB83C9DE0E48A36923949D30837DBC61D638A5FB879B0C9D647976D
SHA-512:	9FBD2E66CD6A107E14B083372AC3303058E3978C8616B9E3B79A05B26066C3681D16CA8C2F29423E53AF0E3D3EC61745414F9845F416FA7272A3A7FFACA65465
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.............!;......c....5..........5.....5......5......5...v..5.....5......5.....Rich...........................PE..L......Z.........."!......................... ............................................@A.........................C.......R..,....................x..(?.......:.. g..8............................(..@............P......p@..@....................text...B........................... ..`.data....'... ......................@....idata.......P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc...:.......<...<..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vccorlib140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	267568
Entropy (8bit):	6.584640819181868
Encrypted:	false
SSDEEP:	3072:Q9EYbM6NOpMOMfWEZI8O76AhRpG05dPVOxL3t2rHelmDC2WYs3nOjpK:MEYbM6bTWoI8Oph/pbeL3t2NK
MD5:	D602037841213434962584A04AC165BB
SHA1:	A60A39A141E7CE59FA20314708B1805A4416A324
SHA-256:	B0777AEEBD09C9F5AC9353F38A835DF57FDCDA12A3EC149F33677A5268FA84A7
SHA-512:	799580550DBC2EE93190E0E87A820BE22DB03A301A7398A6197D9A40E467AA05785B60C23CDD25D4C64AC8564B422DF1493CF487921F2E6E96A787355B296BF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Kv.\|.../.../.../.oo/.../4I...../4I...../4I...../4I...../..7/.../.../\|../4I...../4I...../4I./.../4I...../Rich.../........................PE..L......Z.........."!................@........@.......................................0....@A.............................=..............................0?.......Q...D..8............................D..@............................................text....,.......................... ..`.data....=...@...:...2..............@....idata...............l..............@..@minATL...............\|..............@..@.rsrc................~..............@..@.reloc...Q.......R..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\$PatchCache$\Managed\32F1197744E6E504CB55435D94BD462B\5.7.800\vcruntime140.dll.41084701_5F61_3497_AC5D_D0A6D4A85536

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83768
Entropy (8bit):	6.846131048807189
Encrypted:	false
SSDEEP:	1536:0aYGvQ2+kLJ4AE6ZkJrIriwx0AKGsu0g1kqAecbRyDlB6kVaY:0a7vQ2+KJ4AE0sAKxQAecbRyDlNZ
MD5:	AEAB74DB6BC6C914997F1A8A9FF013EC
SHA1:	6B717F23227D158D6AA566498C438B8F305A29B5
SHA-256:	18CCB2DD8AF853F4E6221BB5513E3154EF67AE61CEE6EC319A8A97615987DC4B
SHA-512:	A2832B7720599361E2537F79A2597ACB1A2D5633FDFE20A0D1075E9457683FDB1D5676D121C0BF1A825FF99512DCD924254F1151B50AAE922ACC0CC10F461036
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c..'...'...'....Yf.%.....>.,...'...........7.......4.......#.......?.......&.....R.&.......&...Rich'...................PE..L......Z.........."!........."...............................................P............@A........................P................0..................8?...@..p.......8...............................@............................................text...d........................... ..`.data...d...........................@....idata..............................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\6bacb2.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {8FC2E7A4-D62A-4678-921F-8927182D4AFD}, Title: In-Situ Win-Situ 5, Author: In-Situ Technical Support, Number of Words: 2, Last Saved Time/Date: Wed Apr 14 22:23:55 2021, Last Printed: Wed Apr 14 22:23:55 2021
Category:	dropped
Size (bytes):	36761088
Entropy (8bit):	7.993254826437659
Encrypted:	true
SSDEEP:	786432:G9gHzK4nvrt49XMGQCHSU+zIdS4sWBYINCUFWEYVmUbjxXmLyUYrZYBTSOo:G9fEvy9cGBDzs6aUEXmLyUYrZwlo
MD5:	7BBC1C706FA3DC23782DB860555F1CDA
SHA1:	A7597FB7D007A4B82D8626C25BCBED2B5D28D1ED
SHA-256:	7C52536C77CC7A3EBEA7273084D70305349503E84649682C3EAD73317A775EF3
SHA-512:	EFFE8A27CC9988685BFC14E78FE738C6AFB28F13CDA178CCE9F2E925C5B050820C3461EFFB17673F3D8BFF59C0986BF27C7DC763800CD57544595E37F93ADBED
Malicious:	false
Preview:	......................>...................1...............8......._................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...........Z................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...E...v...:...;...<...=...>...?...@...A...B...C...D...Y...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...[...\...]...^...t...\|..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...}...u...w.......x...y...z...

C:\Windows\Installer\MSIB1C3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	93963
Entropy (8bit):	6.74168440962444
Encrypted:	false
SSDEEP:	768:0DCB1XQvai2jKuzH0tBQvmHLhgEJ6wNeaGJgeHUOwQBJiGgDyFM0/svwyvp0/H0X:Yu1gip2uw75ZwyRUsjFiw
MD5:	F4D91943EC204A23056EB1EEB236BE8F
SHA1:	C08EB87DCF0C50FDF760FC65BDF5F56BE174F085
SHA-256:	07BBCFB678C86299886D2F417590ED69EC56C4D95390E552E3EF479E1A6D12F6
SHA-512:	67BF8B361A0BD8D0FE97A4A0E4FD331F326924C98A96C4679D7FEFE5841943D90F7957B791C064910BF072ABFA5F3FEDB8B047775643CDB8EC7C22C4106CE276
Malicious:	false
Preview:	...@IXOS.@.....@D.]Y.@.....@.....@.....@.....@.....@......&.{77911F23-6E44-405E-BC55-34D549DB64B2}..In-Situ Win-Situ 5..WinSitu-5.7.8.0.msi.@.....@ ....@.....@......_853F67D554F05449430E7E.exe..&.{8FC2E7A4-D62A-4678-921F-8927182D4AFD}.....@.....@.....@.....@.......@.....@.....@.......@......In-Situ Win-Situ 5......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{A20E98AF-1532-7D91-9166-B508329205DD}G.C:\Users\user\Documents\WinSitu Data\Firmware\ConTROLL PRO AC.V110.bin.@.......@.....@.....@......&.{60B67299-9861-7B82-CDEA-5D7F9A82E4D1}G.C:\Users\user\Documents\WinSitu Data\Firmware\Level TROLL 300.V202.bin.@.......@.....@.....@......&.{DC5686B9-37F4-0FDB-3B13-22F375C4F314}>.C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\ftdiport.inf.@.......@.....@.....@......&.{50081DF8-D6F9-5681-0C57-B7C07EC57DC7}F.C:\Users\user\Documents\WinSitu Data\Firmware\A

C:\Windows\Installer\SourceHash{77911F23-6E44-405E-BC55-34D549DB64B2}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.770531590631998
Encrypted:	false
SSDEEP:	12:JSbX72FjPAGiLIlHVRp+h/7777777777777777777777777vDHFNTy3sDATYKK1z:JNQI5W7Ty3qlKtF
MD5:	31978B0BD4BC0EA3E3D02162D2451DCA
SHA1:	EB2B7138D3F4D708B250F0464FB84B2D44782281
SHA-256:	91B6B2AA92715BA968BA415F304A0F38BA47CF608FB34B629F3E257C0B2D2F34
SHA-512:	23ACE37A33BB5749E8D702D9FCA03F80DA1B6BA69A7ABBD83E1F98D93B974AAF1D125138E8F12A155B4CEFE49516041FE9C593E39423919155C6FE34745F7BE2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.3807524299024614
Encrypted:	false
SSDEEP:	96:40jlTO8KUL8dcPNOCoAJHRO1zec2NSpocPNOCoAJHRO1zec2NSD:Djl67ePgAfo3RPgAfo
MD5:	28529B09684FEECC9489C5E570B2F372
SHA1:	3AB486CE4A99FEB8FF921B22D848E3A11C66E982
SHA-256:	B0BB7550F9357F17854893C9E2C83F76246F76E5A6B4D36907F6E3FBC80FBA8C
SHA-512:	90D1103CE6EAF6B11626C66FAC2F43F38AB16A1987D23136870D78E174D40025A00DC9396620A2D56EDB79298430F23A86E650FCF59F80A7FF70866B244DA097
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_288987BFEB08B712E2C981.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	4.904373126290693
Encrypted:	false
SSDEEP:	96:4kUpiZtd9KZZqwoxcOZQkNqaxnvKdrg8ZxYkyPF7o:gpaUZIwgtZtpvVDN7o
MD5:	CE8EE64C66E92BBB46231B1BE06ABA22
SHA1:	5BB368FBCF57D92D8C83A4487FDDE7E713ED3A24
SHA-256:	D4F066DB44F8EC61D8EC183091BEAD9578022C2385D4F7552B32F1B0C53FD26B
SHA-512:	AA31399CDE6457DFA727F3F21074EFB8F1F5B7FF5BFEE6E54231082E7E8F5D4B6D4DF90D70529AAFF3935BB3AB86DC86AC1A0D85429D247FDCFF9720F4E2C0EC
Malicious:	false
Preview:	...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@......................................................................................................................................wwwwwwp...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p...............p..............................x..............................x...............................................................................................................................................................................?....................(....... ...................................................................................................................www...........................

C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_853F67D554F05449430E7E.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 24 bits/pixel, 32x32, 24 bits/pixel
Category:	dropped
Size (bytes):	11502
Entropy (8bit):	6.693850939797661
Encrypted:	false
SSDEEP:	96:49ych/bqtAjNg2IwGwwzC7KOjmg8i8i8i8i8i8i8i7GTq2fRJmQQHk1EWqvkbn3D:4H/bqteNgh+KOC8yq2fRJmQ3bfdjt
MD5:	3CA3A55ABEAE2FA61A85E82C8AE1EB90
SHA1:	04BA7D9D3BF1672CD453BCFC851886E335E09C70
SHA-256:	6C7014C24923BF342B0B37868086CB9B64FA33BE0B1A92E3B54EE103FD255D7A
SHA-512:	D7F61AC411E6CE85F63F550E25609FFECE80EBA4628EA4AAB92F55667B5CAF3218FFA1F333B3C9CD0D1D72386757880FD147B5F3ED8E953A0B0D7847CB8ECAE9
Malicious:	false
Preview:	..............h...6... ..............00..........F...(....... ................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..Q.O.O.N.N.L.K.I.G.E.C.C.`...A..A..J.I.I.H.F.D.B.?.<.}9.{6.z5.T...A..A..E.D.C.A.?.<.}8.z5.w0.t,.q(.o&.F.\|.A..A..q4._(.f,.l/.Z".U..f&.o'.h .X..J..K..g,.k.A..A..uT......z?........mL.W..V...y.......\|.mH.A..A..........`0..........>........kVwM4......A..A...........zg.........eG.;.tD$.zg.........A..A.......wM4.......kV.....yI)..........x.iQ.A..A......a-........^F.zg....ZB......l?#.kV....A..A........a=..n.....l.hI......]A.............A..A..~Z.~[.}.z..l......l..q....w.z\..f...A..A..............................A..A.........................................A..A...........................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A.................................................................(... ...@............................................A..A..A..A..A..A..A..

C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_9512E0AD78DB887D16D994.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 24 bits/pixel, 32x32, 24 bits/pixel
Category:	dropped
Size (bytes):	11502
Entropy (8bit):	6.693850939797661
Encrypted:	false
SSDEEP:	96:49ych/bqtAjNg2IwGwwzC7KOjmg8i8i8i8i8i8i8i7GTq2fRJmQQHk1EWqvkbn3D:4H/bqteNgh+KOC8yq2fRJmQ3bfdjt
MD5:	3CA3A55ABEAE2FA61A85E82C8AE1EB90
SHA1:	04BA7D9D3BF1672CD453BCFC851886E335E09C70
SHA-256:	6C7014C24923BF342B0B37868086CB9B64FA33BE0B1A92E3B54EE103FD255D7A
SHA-512:	D7F61AC411E6CE85F63F550E25609FFECE80EBA4628EA4AAB92F55667B5CAF3218FFA1F333B3C9CD0D1D72386757880FD147B5F3ED8E953A0B0D7847CB8ECAE9
Malicious:	false
Preview:	..............h...6... ..............00..........F...(....... ................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..Q.O.O.N.N.L.K.I.G.E.C.C.`...A..A..J.I.I.H.F.D.B.?.<.}9.{6.z5.T...A..A..E.D.C.A.?.<.}8.z5.w0.t,.q(.o&.F.\|.A..A..q4._(.f,.l/.Z".U..f&.o'.h .X..J..K..g,.k.A..A..uT......z?........mL.W..V...y.......\|.mH.A..A..........`0..........>........kVwM4......A..A...........zg.........eG.;.tD$.zg.........A..A.......wM4.......kV.....yI)..........x.iQ.A..A......a-........^F.zg....ZB......l?#.kV....A..A........a=..n.....l.hI......]A.............A..A..~Z.~[.}.z..l......l..q....w.z\..f...A..A..............................A..A.........................................A..A...........................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A.................................................................(... ...@............................................A..A..A..A..A..A..A..

C:\Windows\Installer\{77911F23-6E44-405E-BC55-34D549DB64B2}\_A89184D00202F7F1765B04.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 24 bits/pixel, 32x32, 24 bits/pixel
Category:	dropped
Size (bytes):	11502
Entropy (8bit):	6.693850939797661
Encrypted:	false
SSDEEP:	96:49ych/bqtAjNg2IwGwwzC7KOjmg8i8i8i8i8i8i8i7GTq2fRJmQQHk1EWqvkbn3D:4H/bqteNgh+KOC8yq2fRJmQ3bfdjt
MD5:	3CA3A55ABEAE2FA61A85E82C8AE1EB90
SHA1:	04BA7D9D3BF1672CD453BCFC851886E335E09C70
SHA-256:	6C7014C24923BF342B0B37868086CB9B64FA33BE0B1A92E3B54EE103FD255D7A
SHA-512:	D7F61AC411E6CE85F63F550E25609FFECE80EBA4628EA4AAB92F55667B5CAF3218FFA1F333B3C9CD0D1D72386757880FD147B5F3ED8E953A0B0D7847CB8ECAE9
Malicious:	false
Preview:	..............h...6... ..............00..........F...(....... ................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..Q.O.O.N.N.L.K.I.G.E.C.C.`...A..A..J.I.I.H.F.D.B.?.<.}9.{6.z5.T...A..A..E.D.C.A.?.<.}8.z5.w0.t,.q(.o&.F.\|.A..A..q4._(.f,.l/.Z".U..f&.o'.h .X..J..K..g,.k.A..A..uT......z?........mL.W..V...y.......\|.mH.A..A..........`0..........>........kVwM4......A..A...........zg.........eG.;.tD$.zg.........A..A.......wM4.......kV.....yI)..........x.iQ.A..A......a-........^F.zg....ZB......l?#.kV....A..A........a=..n.....l.hI......]A.............A..A..~Z.~[.}.z..l......l..q....w.z\..f...A..A..............................A..A.........................................A..A...........................................A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A..A.................................................................(... ...@............................................A..A..A..A..A..A..A..

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375164666457956
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauB:zTtbmkExhMJCIpErI
MD5:	92AECFC1B5E3726C67E49AFF1B306B7B
SHA1:	F8566D91551C0BE7130DE55877C876AD2441A519
SHA-256:	8246D65002E7FDC6FA5CD2F5C46B1B50C26660BD7BF6926858042825CB926906
SHA-512:	11A22F5902B079B858AF62FEA3BBB215190B9DB8E3D120C43C124FF812A714658F623A83E0F6D7DFD6C5DC90AAD8A47AFD280F590CF0105B3CD4B1E1897E0BD1
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\mfc140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4705056
Entropy (8bit):	7.05731700691555
Encrypted:	false
SSDEEP:	98304:J9xt9uDvWEuw9RPnmxQipCGecmmi4gFLOAkGkzdnEVomFHKnPHP:Rw/e3pCGecmp4gFLOyomFHKnPHP
MD5:	F20805208EC4FF6C1E1EFF26F07DA820
SHA1:	32797FC5F177068922CC11655C6686A89E9EC397
SHA-256:	DB4609E6056F1A2B1B4628082FAE0DBA537C6CEC2AC05E68DC2CDC725C22205A
SHA-512:	9CECF79301369467E3365D7481A966C0CD219932C3E3842173E2C8E929F0141D05D4C358FBC117E50CDC7B8A52690E409ADBDD75F9F90541E859675C6C9B8F0C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......OZ;,.;U..;U..;U.....;U.....;U.....;U.....;U..C...;U.0eT~.;U.0eV~.;U.0eQ~.;U.0eP~.;U.....;U..;T..?U.0e\~.:U.0eU~.;U.0e...;U.0eW~.;U.Rich.;U.........................PE..L...D..Z.........."!......-......... .).......-..............................0H.......G...@A........................ .-..............p/...............G. ?....E.....0~..8...................h~..........@.....................,......................text.....-.......-................. ..`.data.........-.......-.............@....idata...T.......V..................@..@.didat.......P/.....................@....tls.........`/.....................@....rsrc........p/.....................@..@.reloc........E......tD.............@..B................................................................................................................................................................................

C:\Windows\SysWOW64\mfc140u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4775200
Entropy (8bit):	7.037261707280988
Encrypted:	false
SSDEEP:	98304:uWtxN76QDEsuJXsm75DBC/qupepFAFLOAkGkzdnEVomFHKnPq/:u8lumeRBC/quKAFLOyomFHKnPq/
MD5:	DA766AC8D3E3AF30407A1EB96E03BAF7
SHA1:	353CB2C8F893E769E069BC0FBCF4FE632D457326
SHA-256:	01C7C858A5A4AE74690FDDE79AC994BD7085820238C133CC653D60B6F0658A52
SHA-512:	A482D5A9EC51DEC4C025C3126C54D3BEBD54A258120506F360A0FB6E11CC183A64BC1FAF162291B3204479A3EFAE2EEA1166CBCAE6894041A29CD262D28E6949
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........Z;-K;U~K;U~K;U~..~J;U~..~J;U~..~I;U~..~^;U~BC.~_;U~peT.I;U~peV.@;U~peQ.G;U~peP.\;U~..~X;U~K;T~.8U~pe\..:U~peU.J;U~pe.~J;U~peW.J;U~RichK;U~........................PE..L...h..Z.........."!.........................P................................I.......I...@A............................L...../......@0...............H. ?....E.....`...8...................,4......p...@............./.............................text.............................. ..`.data...$...........................@....idata..fS..../..T..../.............@..@.didat....... 0......./.............@....tls.........00......./.............@....rsrc........@0......./.............@..@.reloc........E.......E.............@..B................................................................................................................................................................................

C:\Windows\SysWOW64\mfcm140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95008
Entropy (8bit):	6.483846276891073
Encrypted:	false
SSDEEP:	1536:lKaK/ssrqmwbkwYn9Q6JLfeC31CxJTjSvEjbFEXAVOVzHxc:lKPEsiYndJLfeC31GTjoEjbyX0Wu
MD5:	7E7BF3239A4FC0408E7E41F70E3C2D3E
SHA1:	B556E1AC737246AAD5C534479B52190FE25C61C0
SHA-256:	6C644970EF988B99ADB2981C421DCFD3C824F9B48F551B1EE83C4C6F168BB737
SHA-512:	F62584FF27EC8FFC458A17157487ED34851C0E175119DAE40C4263FC2238ED388CDF1E8FA4EBFA4E47DE7A775A66AF2A290F09665D8596D8DE953E127E2A9475
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........y..y..yz<hy..y..5y..y...x..y...x..y...x..y..5y..yz<my..y..y..y...x..y...x..y..Yy..y...x..yRich..y........PE..L......Z.........."!.....D...........R.......`......................................4.....@..........................0......`1.......p...............4.. ?..........0f..8....................&.......e..@............`..L...........Pc..H............text....C.......D.................. ..`.rdata.......`.......H..............@..@.data........@......."..............@....tls.........P.......&..............@....gfids..T....`.......(..............@..@.rsrc........p.....................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Windows\SysWOW64\mfcm140u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.458979771637682
Encrypted:	false
SSDEEP:	1536:wU26ddhAg3kTWF1Wah39Ai31CxPUDwODtho51Vbim:wUrduWFR9Ai31UUDXho5Pum
MD5:	D1896E52F5C118B37CAC9F5FBCEADD14
SHA1:	480B5664AC64934D10AB2C423AC5636AF7C7E65E
SHA-256:	9A4CCBCFAF1B2D5A19C35085B6688CD96C3CD02D5A42857531DFB78FA576C444
SHA-512:	C1A01AB3BC902D41343A88B7BC3EDA812EC65AF9667866DFFCB5E156589388F0CF4997F414C229ABDD7A75BE74C0C419A1ACE48AC4B8E18E5555370940FEB4F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........y..y..yz<hy..y..5y..y...x..y...x..y...x..y..5y..yz<my..y..y..y...x..y...x..y..Yy..y...x..yRich..y........PE..L...5..Z.........."!.....D...........R.......`............................................@..........................0.......1.......p...............6.. ?..........0f..8....................&.......e..@............`..L...........Pc..H............text....C.......D.................. ..`.rdata.......`.......H..............@..@.data........@......."..............@....tls.........P.......&..............@....gfids..T....`.......(..............@..@.rsrc........p.....................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................

C:\Windows\Temp\~DF26040CF1CD1F40B5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.3807524299024614
Encrypted:	false
SSDEEP:	96:40jlTO8KUL8dcPNOCoAJHRO1zec2NSpocPNOCoAJHRO1zec2NSD:Djl67ePgAfo3RPgAfo
MD5:	28529B09684FEECC9489C5E570B2F372
SHA1:	3AB486CE4A99FEB8FF921B22D848E3A11C66E982
SHA-256:	B0BB7550F9357F17854893C9E2C83F76246F76E5A6B4D36907F6E3FBC80FBA8C
SHA-512:	90D1103CE6EAF6B11626C66FAC2F43F38AB16A1987D23136870D78E174D40025A00DC9396620A2D56EDB79298430F23A86E650FCF59F80A7FF70866B244DA097
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF62EE7E940E2A2386.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07386864866444769
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKONTyxx2zDyfT1+IZQhKVky6l1:2F0i8n0itFzDHFNTy3sDATYKK1
MD5:	E768586219FC9F9DDEED359C40C6863F
SHA1:	6256947676E3C559CF080369179FBB7A9DA5238C
SHA-256:	E75D93C4FE84D4420B2D85E9B29B15A3012D0644F05A89F251A03A059B98BF4B
SHA-512:	77AF2889E07A7E3DF552404F398825512B50BDCC4B3A1929D5989E55E8CB265C374864FC5FB8F19E3D5BABB716F23FC22070470474D280C48B4B000BAD30FA5C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE080A742D8EFE46F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	0.39708491561503134
Encrypted:	false
SSDEEP:	96:W3ocPNOCoAJHRO1zec2NSodcPNOCoAJHRO1zec2NSD:+RPgAfoiePgAfo
MD5:	8069AA7E18DB2468975297E01471AA79
SHA1:	9FB96E1F874418FCE6CF573C9B0D60D8CB2A2680
SHA-256:	04FF44579D7106E2A698A1D85A69222C73AFFE3C21D8644D746F48EFF4A6E1B9
SHA-512:	227534F38D7D53BA63FFAF76566C267DE777BDD7DC4862773FE74E56EE4C80C185FD09CF2660F7D9AF0381ECF101E627C56603C415A29D174D530688753912A7
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEE815C267DD37F98.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {8FC2E7A4-D62A-4678-921F-8927182D4AFD}, Title: In-Situ Win-Situ 5, Author: In-Situ Technical Support, Number of Words: 2, Last Saved Time/Date: Wed Apr 14 22:23:55 2021, Last Printed: Wed Apr 14 22:23:55 2021
Entropy (8bit):	7.993254826437659
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	WinSitu-5.7.8.0.msi
File size:	36'761'088 bytes
MD5:	7bbc1c706fa3dc23782db860555f1cda
SHA1:	a7597fb7d007a4b82d8626c25bcbed2b5d28d1ed
SHA256:	7c52536c77cc7a3ebea7273084d70305349503e84649682c3ead73317a775ef3
SHA512:	effe8a27cc9988685bfc14e78fe738c6afb28f13cda178cce9f2e925c5b050820c3461effb17673f3d8bff59c0986bf27c7dc763800cd57544595e37f93adbed
SSDEEP:	786432:G9gHzK4nvrt49XMGQCHSU+zIdS4sWBYINCUFWEYVmUbjxXmLyUYrZYBTSOo:G9fEvy9cGBDzs6aUEXmLyUYrZwlo
TLSH:	F1873332755C9F33E85C36BE0422278D4AA67E220D6450125778FCA9BA78E7343B49DF
File Content Preview:	........................>...................1...............8......._..........................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	20:08:49
Start date:	29/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WinSitu-5.7.8.0.msi"
Imagebase:	0x7ff6f4470000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	20:08:49
Start date:	29/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6f4470000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	20:10:13
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\InSitu\WinSitu\iPlotLibrary.ocx"
Imagebase:	0xfb0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:10:13
Start date:	29/10/2024
Path:	C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe"
Imagebase:	0x400000
File size:	319'488 bytes
MD5 hash:	196C5F7AB6FB7D1B6B32813449CC9511
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.5%
Total number of Nodes:	770
Total number of Limit Nodes:	51

Executed Functions

Function 00403264 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 235
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00403283
GetModuleHandleW.KERNEL32(kernel32.dll,0000005C), ref: 004032AD
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 004032BE
ConvertDefaultLocale.KERNELBASE(?), ref: 004032F4
ConvertDefaultLocale.KERNELBASE(?), ref: 004032FC
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 00403310
ConvertDefaultLocale.KERNEL32(?), ref: 00403334
ConvertDefaultLocale.KERNEL32(74DEF550), ref: 0040333A
GetModuleFileNameW.KERNEL32(00400000,00000000,00000105), ref: 0040337B
GetVersion.KERNEL32 ref: 00403390
RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 004033B5
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 004033DA
_sscanf.LIBCMT ref: 004033FA
ConvertDefaultLocale.KERNEL32(?), ref: 0040342F
ConvertDefaultLocale.KERNEL32(74DEF550), ref: 00403435
RegCloseKey.ADVAPI32(?), ref: 00403444
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00403454
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,00402A77,?), ref: 0040346F
ConvertDefaultLocale.KERNEL32(?), ref: 004034A0
ConvertDefaultLocale.KERNEL32(74DEF550), ref: 004034A6

Strings

kernel32.dll, xrefs: 0040329F
Control Panel\Desktop\ResourceLocale, xrefs: 004033A8
ntdll.dll, xrefs: 0040344F
GetSystemDefaultUILanguage, xrefs: 004032FE
GetUserDefaultUILanguage, xrefs: 004032B5

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 1001324880-483790700
Opcode ID: 8c6f2a4cce5a7bdb48e0f727d8abf33910d4d237905a6fc6a311aaf35598ffcc
Instruction ID: 17b3ca7bc7395537d1debb59c16bbeaf3c342fc39f5f3c99e41831582ebf75d9
Opcode Fuzzy Hash: 8c6f2a4cce5a7bdb48e0f727d8abf33910d4d237905a6fc6a311aaf35598ffcc
Instruction Fuzzy Hash: A8813DB1D002199EDB10DFA5DC85AEEBBB8FB48305F10013BE915F7290D778AA45CB68

Function 00402FD2 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 110
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy_s.LIBCMT ref: 00403013
__snprintf_s.LIBCMT ref: 0040304D

Part of subcall function 0041FF91: __vsnwprintf_s_l.LIBCMT ref: 0041FFA6

GetLocaleInfoW.KERNELBASE(00000800,00000003,?,00000004,00000000), ref: 0040307B
PathFindFileNameW.SHLWAPI(?,?,?,?,?,00000020,00000000), ref: 0040309D
GetModuleHandleW.KERNEL32(KERNEL32,?,?,?,?,?,?,?,00000020,00000000), ref: 004030C0
GetProcAddress.KERNEL32(00000000,FindActCtxSectionStringW), ref: 004030D0
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000020,00000000), ref: 004030F4

Strings

LOC, xrefs: 0040300B
FindActCtxSectionStringW, xrefs: 004030CA
KERNEL32, xrefs: 004030BB

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressFileFindHandleInfoLibraryLoadLocaleModuleNamePathProc__snprintf_s__vsnwprintf_s_l_wcscpy_s
String ID: FindActCtxSectionStringW$KERNEL32$LOC
API String ID: 3774431915-2507659101
Opcode ID: 9e630ecf91355d833dc2a809563df4c599eb10877a4bbcd4ffa27fc126af7ff4
Instruction ID: a11b7ece1e40674c6d4c54a950e41e5e29bb7d21ef585a109552d75fd47fc985
Opcode Fuzzy Hash: 9e630ecf91355d833dc2a809563df4c599eb10877a4bbcd4ffa27fc126af7ff4
Instruction Fuzzy Hash: C031B671A4020DAFDB20AFA1DC46EEF3A6CBB05349F00013BF615F6191DB785A4A8769

Function 00405F11 Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 00405F18
FindResourceW.KERNEL32(?,?,00000005,00000024,004010AB), ref: 00405F4B
LoadResource.KERNEL32(?,00000000), ref: 00405F53
LockResource.KERNEL32(?,00000024,004010AB), ref: 00405F64
GetDesktopWindow.USER32 ref: 00405F97
IsWindowEnabled.USER32(?), ref: 00405FA5
EnableWindow.USER32(?,00000000), ref: 00405FB4

Part of subcall function 0040B57F: IsWindowEnabled.USER32(?), ref: 0040B588

Part of subcall function 0040B59A: EnableWindow.USER32(?,?), ref: 0040B5A7

EnableWindow.USER32(?,00000001), ref: 00406098
GetActiveWindow.USER32 ref: 004060A3
SetActiveWindow.USER32(?,?,00000024,004010AB), ref: 004060B1
FreeResource.KERNEL32(?,?,00000024,004010AB), ref: 004060CD

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: a8df2df2b64633db54329cd4f5083b8d52e567359d8fafaafecc17059fcaca92
Instruction ID: d81ed2e560b8e9ed9673860deaa9eb436a044a549447f3d54ae472a44fab9466
Opcode Fuzzy Hash: a8df2df2b64633db54329cd4f5083b8d52e567359d8fafaafecc17059fcaca92
Instruction Fuzzy Hash: F2517B30A00606DBCB21AFA6C9496AFBAB1FF88715F10013EE142B62D1CB785941DF5D

Function 00401380 Relevance: 9.1, APIs: 6, Instructions: 81
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsIconic.USER32(?), ref: 0040139D

Part of subcall function 0040D2E3: __EH_prolog3.LIBCMT ref: 0040D2EA
Part of subcall function 0040D2E3: BeginPaint.USER32(?,?,00000004,004057F2,?,00000058,00401440), ref: 0040D316

SendMessageW.USER32(?,00000027,?,00000000), ref: 004013C2
GetSystemMetrics.USER32(0000000B), ref: 004013D0
GetSystemMetrics.USER32(0000000C), ref: 004013D6
GetClientRect.USER32(?,?), ref: 004013E3
DrawIcon.USER32(?,?,?,?), ref: 00401418

Part of subcall function 0040D337: __EH_prolog3.LIBCMT ref: 0040D33E
Part of subcall function 0040D337: EndPaint.USER32(?,?,00000004,00405818,?,?,00000058,00401440), ref: 0040D359

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: H_prolog3MetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 2914073315-0
Opcode ID: 9c2f534003e14770ad9dfe766e793e05d43b71cef1f111361c5ca6712f11ca06
Instruction ID: 327125334d59a6a48c6720d73107c304ab3b07aae1d02308400734510b8b82d7
Opcode Fuzzy Hash: 9c2f534003e14770ad9dfe766e793e05d43b71cef1f111361c5ca6712f11ca06
Instruction Fuzzy Hash: B92160766046059BC210DF79DC49EABB3E9FBC8215F050A2EF595D7290DA34F804CAA6

Function 0040A308 Relevance: 1.9, APIs: 1, Instructions: 445COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040A30F

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: cab98a086250f18b20361b5f2fcb6563a2265870a736d9fd20b56f5c088ba6e9
Instruction ID: be5681f1951a1dbad807a24cfe5f4da851da0a6b2387850b975b6c6d29fc8515
Opcode Fuzzy Hash: cab98a086250f18b20361b5f2fcb6563a2265870a736d9fd20b56f5c088ba6e9
Instruction Fuzzy Hash: 03F15070500205EFDB15DF55C884ABE7BB9AF04314F10812AF816BB2D1DB78DA61EB6A

Function 00409F3A Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00409F59

Part of subcall function 0040E41E: __EH_prolog3.LIBCMT ref: 0040E425

CallNextHookEx.USER32(?,00000003,?,?), ref: 00409FA2

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

GetClassLongW.USER32(?,000000E0), ref: 0040A019
SetWindowLongW.USER32(?,000000FC,Function_00008E87), ref: 0040A068
GetClassNameW.USER32(?,00000000,00000100), ref: 0040A09F
GetWindowLongW.USER32(?,000000FC), ref: 0040A0C4
GetPropW.USER32(?,AfxOldWndProc423), ref: 0040A0D8
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 0040A0E7
GetPropW.USER32(?,AfxOldWndProc423), ref: 0040A0EF
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 0040A0FB
SetWindowLongW.USER32(?,000000FC,Function_00009DF0), ref: 0040A109
CallNextHookEx.USER32(?,00000003,?,00000000), ref: 0040A118
UnhookWindowsHookEx.USER32(?), ref: 0040A129

Strings

#32768, xrefs: 00409FFB, 0040A000, 0040A0B4
AfxOldWndProc423, xrefs: 0040A0D1, 0040A0D6, 0040A0E5, 0040A0ED, 0040A0FA

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Long$HookPropWindow$CallClassH_prolog3Next$AtomException@8GlobalNameThrowUnhookWindows
String ID: #32768$AfxOldWndProc423
API String ID: 1411322586-2141921550
Opcode ID: 8a0edb6cebf1686886be3a05b79608d7754f9779147643f79ca3c7d242dc2fc9
Instruction ID: a93cf84e35830060d3f3b00c12f4562ae6ed5849dba5ba4b5074f4f22929eb2d
Opcode Fuzzy Hash: 8a0edb6cebf1686886be3a05b79608d7754f9779147643f79ca3c7d242dc2fc9
Instruction Fuzzy Hash: D7519371500225EBCB209FA1DC49BEF7BB8BF04355F10053AE815AB2D1DB789951CBA9

Function 00408118 Relevance: 19.7, APIs: 13, Instructions: 176
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B490: GetWindowLongW.USER32(?,000000F0), ref: 0040B49B

GetParent.USER32(?), ref: 00408145
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 00408168
GetWindowRect.USER32(?,?), ref: 00408182
GetWindowLongW.USER32(00000000,000000F0), ref: 00408198
CopyRect.USER32(?,?), ref: 004081E5
CopyRect.USER32(?,?), ref: 004081EF
GetWindowRect.USER32(00000000,?), ref: 004081F8

Part of subcall function 00406358: MonitorFromWindow.USER32(00000002,00000000), ref: 0040636D

Part of subcall function 004063C3: GetMonitorInfoW.USER32(00000002,00000000), ref: 004063DB
Part of subcall function 004063C3: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 00406401

CopyRect.USER32(?,?), ref: 00408214

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: RectWindow$Copy$LongMonitor$ByteCharFromInfoMessageMultiParentSendWide
String ID:
API String ID: 1958002487-0
Opcode ID: 75670a8f083df1f4c21d4dc87948fe47804d1b16aded65c3f1deb48e107d4b5c
Instruction ID: 410059b156c98e24aca0d156158c7df04128e65fd249f222edae3bf8ea0e3719
Opcode Fuzzy Hash: 75670a8f083df1f4c21d4dc87948fe47804d1b16aded65c3f1deb48e107d4b5c
Instruction Fuzzy Hash: 29516372900619ABDB00DBA8DD85EEEBBB9FF44314F15013AF941F7291DB34E9418B68

Function 00409DF0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 00409DF7
GetPropW.USER32(?,AfxOldWndProc423), ref: 00409E06
CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 00409E60

Part of subcall function 00408D18: GetWindowRect.USER32(?,10000000), ref: 00408D40
Part of subcall function 00408D18: GetWindow.USER32(?,00000004), ref: 00408D5D

SetWindowLongW.USER32(?,000000FC,?), ref: 00409E87
RemovePropW.USER32(?,AfxOldWndProc423), ref: 00409E8F
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 00409E96
GlobalDeleteAtom.KERNEL32(00000000), ref: 00409E9D

Part of subcall function 0040748E: GetWindowRect.USER32(?,?), ref: 0040749A

CallWindowProcW.USER32(?,?,?,?,00000000), ref: 00409EF1

Strings

AfxOldWndProc423, xrefs: 00409DFF, 00409E04, 00409E8D, 00409E95

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: bde734d10218e47a97bd77e18be6d89eaba25f2358059cea4d6bb60b56c0e694
Instruction ID: f38ecfdd764bb9584b0034cf3b01f5de61fd885dabcbb9df866c3e740f537b5d
Opcode Fuzzy Hash: bde734d10218e47a97bd77e18be6d89eaba25f2358059cea4d6bb60b56c0e694
Instruction Fuzzy Hash: 3A310D3180111AABCF01EFA5DD49EFF7A78AF45315F10413AF501B21E2DB399D119BA9

Function 00405D19 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 00405D20
GetSystemMetrics.USER32(0000002A), ref: 00405DD1
GlobalLock.KERNEL32(00000000), ref: 00405E3A
CreateDialogIndirectParamW.USER32(000000FF,?,?,0040576A,00000000), ref: 00405E69

Strings

MS Shell Dlg, xrefs: 00405DDB

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: 8093ece83f33bf52fc8d832f2b3412bcbadd0c9021475d0ffdd17aadec93207d
Instruction ID: f14e0de2fe2005d5b6bcb798628b9ce33c1e4de05d2013004dbce60654b1fe01
Opcode Fuzzy Hash: 8093ece83f33bf52fc8d832f2b3412bcbadd0c9021475d0ffdd17aadec93207d
Instruction Fuzzy Hash: BA51597190060A9BCF20AFA4C8859EFBBB4EF04314F14453EF552B72D1DB389A958F99

Function 0040DBB9 Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0040DBC6
GetSystemMetrics.USER32(0000000C), ref: 0040DBCD
GetSystemMetrics.USER32(00000002), ref: 0040DBD4
GetSystemMetrics.USER32(00000003), ref: 0040DBDE
GetDC.USER32(00000000), ref: 0040DBE8
GetDeviceCaps.GDI32(00000000,00000058), ref: 0040DBF9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040DC01
ReleaseDC.USER32(00000000,00000000), ref: 0040DC09

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: a074d62e002cbb0349d67158f7aa5b2cc784e38baa7c479787685749d84d1a0e
Instruction ID: f6bde49cbe358948f6126a5a77fc0d4dbc322e22b1ea579094d1bbfd1a3534fc
Opcode Fuzzy Hash: a074d62e002cbb0349d67158f7aa5b2cc784e38baa7c479787685749d84d1a0e
Instruction Fuzzy Hash: D8F03071A40704AFE720AFB19C49F677BB4EBC5B11F01483AE7518B2E0DAB5A8058F94

Function 004082DA Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 00408308
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040832F
UpdateWindow.USER32(?), ref: 00408349
SendMessageW.USER32(?,00000121,00000000,?), ref: 0040836D
SendMessageW.USER32(?,0000036A,00000000,00000004), ref: 00408387
UpdateWindow.USER32(?), ref: 004083CD
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00408401

Part of subcall function 0040B490: GetWindowLongW.USER32(?,000000F0), ref: 0040B49B

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 9a342a37a3fdd40faa89b2a5699faedbe61ddee25098fee28169349d415eff64
Instruction ID: 949ea17830f18867f2cb08e64f4ae375a8908fed2a017aea1470fdd6a47b3b7c
Opcode Fuzzy Hash: 9a342a37a3fdd40faa89b2a5699faedbe61ddee25098fee28169349d415eff64
Instruction Fuzzy Hash: F941A2301043419BD7219F269E44B2BBAE4FFC0B15F04093EF9C1A16E1DB7AD955CB5A

Function 00419A7B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000000), ref: 00419A84
SetErrorMode.KERNELBASE(00000000), ref: 00419A8C

Part of subcall function 0040C246: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0040C287
Part of subcall function 0040C246: SetLastError.KERNEL32(0000006F), ref: 0040C2A1

GetModuleHandleW.KERNEL32(user32.dll), ref: 00419ADE
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00419AEE

Part of subcall function 004198EE: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00419931
Part of subcall function 004198EE: PathFindExtensionW.SHLWAPI(?), ref: 0041994B
Part of subcall function 004198EE: __wcsdup.LIBCMT ref: 0041998E

Strings

user32.dll, xrefs: 00419AD9
NotifyWinEvent, xrefs: 00419AE8

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ErrorModule$FileModeName$AddressExtensionFindHandleLastPathProc__wcsdup
String ID: NotifyWinEvent$user32.dll
API String ID: 1671896705-597752486
Opcode ID: 90b22b25e9dce5e8674b8542da46c91da1dcb12f2d17c661127808332efe34de
Instruction ID: 8b9dd5b9063b261d2e17a646eb9e65793273cfaed2741d07b2d081ff3620c1a0
Opcode Fuzzy Hash: 90b22b25e9dce5e8674b8542da46c91da1dcb12f2d17c661127808332efe34de
Instruction Fuzzy Hash: D4018FB0A102019FC710EF759845A5A3AE4AF45750F05846FF449E72A2CA78D840CB6E

Function 0040E0A1 Relevance: 9.1, APIs: 6, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000002,00000000), ref: 0040E0AE
GlobalHandle.KERNEL32(?), ref: 0040E0E9
GlobalLock.KERNEL32(00000000), ref: 0040E0F0
LeaveCriticalSection.KERNEL32(?), ref: 0040E0FA
GlobalLock.KERNEL32(00000000), ref: 0040E106
LeaveCriticalSection.KERNEL32(?), ref: 0040E14B

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Global$CriticalLeaveLockSection$AllocHandle
String ID:
API String ID: 932788031-0
Opcode ID: 5d8e3c6c61598d35bf3ed4de9e83776f8ccebce643f08ad428f9715c02e229f6
Instruction ID: d5e3c4f484db7f19a54d8b1b5aecb22f0dc8604bc3fc35c26044a77466992e63
Opcode Fuzzy Hash: 5d8e3c6c61598d35bf3ed4de9e83776f8ccebce643f08ad428f9715c02e229f6
Instruction Fuzzy Hash: 5711CE356047059FD7249FA5EC48A57B7E8FB44300B008A3EF566E36A0DB35F4148B88

Function 004011C0 Relevance: 7.6, APIs: 5, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMenu.USER32(?,00000000,85C441DE,?,?,?,?,?,?,00432F38,000000FF), ref: 004011F2
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 0040126E
AppendMenuW.USER32(?,00000000,00000010,00000010), ref: 00401279
SendMessageW.USER32(?,00000080,00000001,?), ref: 004012B4
SendMessageW.USER32(?,00000080,00000000,?), ref: 004012C5

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Menu$AppendMessageSend$System
String ID:
API String ID: 62300227-0
Opcode ID: 308c7890317cda5914f6b965b1a5bf0e00b57a014bc207d35a2591ac31af2bf2
Instruction ID: ff4f8200afebac8ce35fe40d11ccdad5a5c5d192c256e9c05b78531f72121281
Opcode Fuzzy Hash: 308c7890317cda5914f6b965b1a5bf0e00b57a014bc207d35a2591ac31af2bf2
Instruction Fuzzy Hash: 5F318475200701AFE314DB65DC41F67B3A9FB88710F10466DF655AB2E0DB79F8048B98

Function 00402BC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,XHC,00000000,00000001,?), ref: 00402C09
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00402C29
RegCloseKey.ADVAPI32(?), ref: 00402C6D

Strings

XHC, xrefs: 00402BD6, 00402BEF, 00402C02

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: XHC
API String ID: 3677997916-1251701565
Opcode ID: a4ff8b7eba8428ce2d727c047ecc40555cd80856f597303763cb2bb7ada1633f
Instruction ID: 6b2b682cad891f1ad9a5b47ce0d5c62115d4ff9d744be77d7b85b0417329d24b
Opcode Fuzzy Hash: a4ff8b7eba8428ce2d727c047ecc40555cd80856f597303763cb2bb7ada1633f
Instruction Fuzzy Hash: C6213D71D04208EFEB18CF95CA48AAEFBB8FF91304F1040BBD501B62A0D3B45A44CB15

Function 0040C246 Relevance: 3.1, APIs: 2, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040C169: GetModuleHandleW.KERNEL32(KERNEL32), ref: 0040C177

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0040C287
SetLastError.KERNEL32(0000006F), ref: 0040C2A1

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Module$ErrorFileHandleLastName
String ID:
API String ID: 613274587-0
Opcode ID: a5302e4daaddadeddc64ca43e5d41095d78c3daa5c230c667d058e1d7531b64e
Instruction ID: 6bc576807fe74be5c69f4ab1d9c3e16559ea7ef465a9c16de09444fd81e1fcb4
Opcode Fuzzy Hash: a5302e4daaddadeddc64ca43e5d41095d78c3daa5c230c667d058e1d7531b64e
Instruction Fuzzy Hash: 2F212C71900308DEEB20DFA5D8887EEB7B8BB45318F10462EE869AA1C1EB785548CF55

Function 00408D18 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 0040B490: GetWindowLongW.USER32(?,000000F0), ref: 0040B49B

GetWindowRect.USER32(?,10000000), ref: 00408D40
GetWindow.USER32(?,00000004), ref: 00408D5D

Part of subcall function 0040B57F: IsWindowEnabled.USER32(?), ref: 0040B588

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$EnabledLongRect
String ID:
API String ID: 3170195891-0
Opcode ID: f6180556a740c57cf047a9faf0a6e40bcb7230b41de53d9cd251bad54e5be010
Instruction ID: 56d72a907598a605011b5a98a0950fe309c2ce25373f89365974afd0c5bcf02d
Opcode Fuzzy Hash: f6180556a740c57cf047a9faf0a6e40bcb7230b41de53d9cd251bad54e5be010
Instruction Fuzzy Hash: 48011A316002089BDB10EB658A45BBF73A9AF64354F44457EED81A72D1EF38E9008A98

Function 0040A15A Relevance: 3.0, APIs: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E41E: __EH_prolog3.LIBCMT ref: 0040E425

GetCurrentThreadId.KERNEL32 ref: 0040A185
SetWindowsHookExW.USER32(00000005,00409F3A,00000000,00000000), ref: 0040A195

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CurrentException@8H_prolog3HookThreadThrowWindows
String ID:
API String ID: 1226552664-0
Opcode ID: acf0ee52def4e2e17e6192a7764989644aa82fd633253f1e60efe7510f882cf9
Instruction ID: f119ac6825385d78eaceffd93bff055a76becfda9f66b040ed8776a652c28758
Opcode Fuzzy Hash: acf0ee52def4e2e17e6192a7764989644aa82fd633253f1e60efe7510f882cf9
Instruction Fuzzy Hash: D5F0A0316007119BE6306B925801B1BB7A4AFA0B66F20473FF546FA2D0C67CA850C66E

Function 00422978 Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0041D6D1,00000001), ref: 00422989
HeapDestroy.KERNEL32 ref: 004229BF

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 2bcc70b79471236d73deda81f632e512cd423e6fc0037b446e69354488bb631f
Instruction ID: 73673365abad6cbfd1b7528e999bfae329f8ddc4b603f7740320e790030f0fdd
Opcode Fuzzy Hash: 2bcc70b79471236d73deda81f632e512cd423e6fc0037b446e69354488bb631f
Instruction Fuzzy Hash: 68E06DB5754721AFEF109B31BE0E3263694EB6574AF90183AF401D91A1F7A885C09A1D

Function 00406B8E Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00406BB5
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406BCA

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: fdb37e1d7b5cbafdf4509121ff211b2d11fa9c1029370352eaf62752f90090f7
Instruction ID: 531b7457a07148452dea8b58850b35a3b7a7e6554fab056c950506f049620443
Opcode Fuzzy Hash: fdb37e1d7b5cbafdf4509121ff211b2d11fa9c1029370352eaf62752f90090f7
Instruction Fuzzy Hash: 7CF01C36100219EFCF115F94DC04EDA7BB9FF18350B054479FA46D6521D336E930AB54

Function 00403F41 Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00403F54
SetWindowsHookExW.USER32(000000FF,Function_00003DAD,00000000,00000000), ref: 00403F64

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 5cf03e703e99b259fc0f29e77d5e8c9947d1ef6b386c66467658ba094791ea99
Instruction ID: 3b088de9a353cfb77631b085040a026ae70e9f8a77f7ebf0fbcbc6f0cd880b2a
Opcode Fuzzy Hash: 5cf03e703e99b259fc0f29e77d5e8c9947d1ef6b386c66467658ba094791ea99
Instruction Fuzzy Hash: DFD0A772808210AEE7606B717D09B9A3E546B54329F110777F420F15E1C5BC5541875D

Function 00408D94 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00408D9B

Part of subcall function 0040E41E: __EH_prolog3.LIBCMT ref: 0040E425

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Exception@8H_prolog3H_prolog3_catchThrow
String ID:
API String ID: 1377961577-0
Opcode ID: dd789116a1c1a2da90e748a3ce9ab8715488f6ad2d236072e011fca820626230
Instruction ID: e49c9fbb99ef4e8026a386cd2e22760f23f02e48e2e9c1913a144a89d7f721db
Opcode Fuzzy Hash: dd789116a1c1a2da90e748a3ce9ab8715488f6ad2d236072e011fca820626230
Instruction Fuzzy Hash: AB218972A00209DFCF14DF65C4819DE3BB6EF98314F10842BFD45AB281CB38AA81CB95

Function 00401030 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

InitCommonControlsEx.COMCTL32 ref: 00401071

Part of subcall function 0040313B: InterlockedExchange.KERNEL32(004465D0,?), ref: 00403167

Part of subcall function 00401140: LoadIconW.USER32(?,00000080), ref: 00401191

Part of subcall function 00405F11: __EH_prolog3_catch.LIBCMT ref: 00405F18
Part of subcall function 00405F11: FindResourceW.KERNEL32(?,?,00000005,00000024,004010AB), ref: 00405F4B
Part of subcall function 00405F11: LoadResource.KERNEL32(?,00000000), ref: 00405F53
Part of subcall function 00405F11: LockResource.KERNEL32(?,00000024,004010AB), ref: 00405F64

Part of subcall function 004057A4: __EH_prolog3.LIBCMT ref: 004057AB

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Resource$Load$CommonControlsExchangeFindH_prolog3H_prolog3_catchIconInitInterlockedLock
String ID:
API String ID: 176259587-0
Opcode ID: c2a0793a087d964bb7e649246c66b750e3e1c6b3c184d5a7d4cb26b916a9f9eb
Instruction ID: 017068cc3b0e96f7da5c0790cc6380ac1a659f464ae7fec102d5d253ffb12139
Opcode Fuzzy Hash: c2a0793a087d964bb7e649246c66b750e3e1c6b3c184d5a7d4cb26b916a9f9eb
Instruction Fuzzy Hash: DC0192755087819BD324EF25C842B9BB7E4FB88324F004A2EE1A9866C1EB7C90088F56

Function 00401140 Relevance: 1.5, APIs: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,00000080), ref: 00401191

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: IconLoad
String ID:
API String ID: 2457776203-0
Opcode ID: 06e42dc39ef2c06d0a806d15ccd0e745b420d10d0c6e2d89e97fc63393465d64
Instruction ID: 3a56eef157584a2a47139f3c6a17e6440197fcf9d1a9d66179efb85e73047bb5
Opcode Fuzzy Hash: 06e42dc39ef2c06d0a806d15ccd0e745b420d10d0c6e2d89e97fc63393465d64
Instruction Fuzzy Hash: 7BF06D76604700EBD310DF14E842B46B7E4FB48B20F004A2EF581D76D0D7B9A4448B99

Function 00408E87 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac81800e0d63236ee14468621895c18feec9ab8a90fe735b8b023026c297763
Instruction ID: 007f9e331f0dcf1d72fab100d8ebb782359f693d909027547bb2768d1e2a91c2
Opcode Fuzzy Hash: 2ac81800e0d63236ee14468621895c18feec9ab8a90fe735b8b023026c297763
Instruction Fuzzy Hash: 6BF01232510129BBCF125E91DF00CDB3B59BF19351B00843AFA95A1091CB39C521DBA9

Function 004022F0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,00000006,?,00000000,80070057), ref: 00402309

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 13dfd589ec23ca774122adae4cfddb4c88fb63e23586163125242262b1379d5b
Instruction ID: ee4f0d707a3c9029dbf6efe16f206a503d42f46374b2784700eb3f4da496d1d9
Opcode Fuzzy Hash: 13dfd589ec23ca774122adae4cfddb4c88fb63e23586163125242262b1379d5b
Instruction Fuzzy Hash: 2CD012666141202AE510161ABC05ABB639CDFC1679B05407FFC45F6280D278AC5665B5

Function 00402B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90e9cf6847238d3586bb9c0c38d003f699c93db649ba4907eae086c061313f6
Instruction ID: c9954f89a153cc0b11a46fdb16de2a81b221cc999ed8a55b4c39fe947804d0a6
Opcode Fuzzy Hash: d90e9cf6847238d3586bb9c0c38d003f699c93db649ba4907eae086c061313f6
Instruction Fuzzy Hash: 9AE086354042639FCA204E3499486F673F05B62330F20573FE0B1E32E0D6B899C3AB1A

Function 0040B55E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,0040402A,?,?,00000363,00000001,00000000,00000001,00000001,?,?,00000363,00000001,00000000), ref: 0040B56B

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 338ab90b582fd9183d62dc624430102c2805e75069c0d2db276f1c2a65d26108
Instruction ID: 453f05afe64a6eec9d2f87e1eb6f46d64f647a11c61d4ad2f8ca254a1df9c35c
Opcode Fuzzy Hash: 338ab90b582fd9183d62dc624430102c2805e75069c0d2db276f1c2a65d26108
Instruction Fuzzy Hash: A0D0CA71600200EFEB08CB10D848F293BB1FB9830AF2111F9E4444E262C33A9822DB08

Non-executed Functions

Function 00429D42 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 164libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,00445A58,004219D9,00445A58,Microsoft Visual C++ Runtime Library,00012010), ref: 00429D6F
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00429D8B

Part of subcall function 004223CD: TlsGetValue.KERNEL32(00425EF3,00425F73,00425EF3,00000014,00424165,00000000,00000FA0,0043EA40,0000000C,004241C4,0040BEFD,-0000000F,?,00420407,00000004,0043E8D8), ref: 004223DA
Part of subcall function 004223CD: TlsGetValue.KERNEL32(00000005,?,00420407,00000004,0043E8D8,0000000C,00422CBB,00000004,00000004,00000000,00000000,00000000,00422612,00000001,00000214), ref: 004223F1

GetProcAddress.KERNEL32(00000000,00000000), ref: 00429DA8

Part of subcall function 004223CD: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00420407,00000004,0043E8D8,0000000C,00422CBB,00000004,00000004,00000000,00000000,00000000,00422612,00000001,00000214), ref: 00422406
Part of subcall function 004223CD: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00422421

GetProcAddress.KERNEL32(00000000,00000000), ref: 00429DBD
__invoke_watson.LIBCMT ref: 00429DDE

Part of subcall function 00423BAF: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 00423C59
Part of subcall function 00423BAF: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00423C63
Part of subcall function 00423BAF: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00423C6D
Part of subcall function 00423BAF: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 00423C88
Part of subcall function 00423BAF: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00423C8F

Part of subcall function 00422444: TlsGetValue.KERNEL32(00000000,00424CF0,0041DC58,0040BEFD,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD,00000000), ref: 00422451
Part of subcall function 00422444: TlsGetValue.KERNEL32(00000005,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD,00000000), ref: 00422468

Part of subcall function 00422444: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD,00000000), ref: 0042247D
Part of subcall function 00422444: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00422498

GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00429DF2
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00429E0A
__invoke_watson.LIBCMT ref: 00429E7D

Strings

USER32.DLL, xrefs: 00429D6A
MessageBoxA, xrefs: 00429D85
GetProcessWindowStation, xrefs: 00429E04
GetUserObjectInformationA, xrefs: 00429DEC

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate
String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 2691309996-1046234306
Opcode ID: edc9d780b934e808ac4029182f930a13beef4042b19869914bbce1d094454e37
Instruction ID: c020467ca416f52d88d33dd2d0374ef791a0cfdcc7bbb87e4806592b6afc3809
Opcode Fuzzy Hash: edc9d780b934e808ac4029182f930a13beef4042b19869914bbce1d094454e37
Instruction Fuzzy Hash: 9541A876A04224BADF10EFA5BC859AF7BA9AF05304F95043FF410E2191DB7C9D40CA6D

Function 0040F0B4 Relevance: 12.1, APIs: 8, Instructions: 144filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040F0D3
GetFullPathNameW.KERNEL32(?,00000104,?,?,00000014), ref: 0040F114

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

PathIsUNCW.SHLWAPI(?,00000000), ref: 0040F178
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040F196
CharUpperW.USER32(?), ref: 0040F1BD
FindFirstFileW.KERNEL32(?,00000000), ref: 0040F1D0
FindClose.KERNEL32(00000000), ref: 0040F1DC
lstrlenW.KERNEL32(?), ref: 0040F1F1

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 3249967234-0
Opcode ID: 92b24d837c38828d1219bce3f909d69b3b20d97b139b2be59a33f13c2ee7471d
Instruction ID: 7ce1d9c056c62af1b4b57d4d773738f15081aabdea78945d00efb4d9f7654866
Opcode Fuzzy Hash: 92b24d837c38828d1219bce3f909d69b3b20d97b139b2be59a33f13c2ee7471d
Instruction Fuzzy Hash: F851C17190020AABDF24AFA5CC49AFF7778AF14314F10013EF911B66D1DB389949CA68

Function 0041D7E4 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00422B1F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00422B34
UnhandledExceptionFilter.KERNEL32(00437E38), ref: 00422B3F
GetCurrentProcess.KERNEL32(C0000409), ref: 00422B5B
TerminateProcess.KERNEL32(00000000), ref: 00422B62

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 3dba56eab54efcd621dbba68232ba42f5aee7290a9a09251be1d62360247750a
Instruction ID: 1dc616da666b63ca70031ca14af900e3ef25fd830e9fa76057c5c62feb69ac55
Opcode Fuzzy Hash: 3dba56eab54efcd621dbba68232ba42f5aee7290a9a09251be1d62360247750a
Instruction Fuzzy Hash: AF21DFBC900604EFDB10DF68F9496443BB4BB1B754F92503AE60987361E7B469888F5E

Function 00408B41 Relevance: 6.0, APIs: 4, Instructions: 41keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B490: GetWindowLongW.USER32(?,000000F0), ref: 0040B49B

GetKeyState.USER32(00000010), ref: 00408B65
GetKeyState.USER32(00000011), ref: 00408B6E
GetKeyState.USER32(00000012), ref: 00408B77
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 00408B8D

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 27bda97dfeb80ae0b6f3442c8b0c4583d7c0c1c67ecc5e639f7504ea3a11e9f1
Instruction ID: 779404052bf7feafefec24bae79b2b5c1307e76da60dfacba6c3b143d053f897
Opcode Fuzzy Hash: 27bda97dfeb80ae0b6f3442c8b0c4583d7c0c1c67ecc5e639f7504ea3a11e9f1
Instruction Fuzzy Hash: D8F089B638034B25F92036B55D41FA961344F91BD5F41053EB7C1FA1D2CDB9E8011678

Function 00406358 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

MonitorFromWindow.USER32(00000002,00000000), ref: 0040636D

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: FromMonitorWindow
String ID:
API String ID: 721739931-0
Opcode ID: 9cdff8f873f406ab76e6530ca3fc8910a015fe66eb3c810c8ac766775c95f43f
Instruction ID: a7a52da0cd063bf9e391b13d3957d6185c9644e41f39c245382d8859961f1edc
Opcode Fuzzy Hash: 9cdff8f873f406ab76e6530ca3fc8910a015fe66eb3c810c8ac766775c95f43f
Instruction Fuzzy Hash: E0F0EC31504109ABDF01AF61DC08AAE7BBCBF04344B45D036FD17A51A1DB39DA25AB99

Function 0043157C Relevance: 4.5, APIs: 3, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 0043158F
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 004315A1
GetACP.KERNEL32 ref: 004315CA

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: de8b0134f461105582fa0945fd6dffaeedc6b77227b4e5a9e2185e907dedcebc
Instruction ID: dac47094185cd3c69006b5b2c93cdf48694a3156969dec19b8b5bfd1a8b1a4e6
Opcode Fuzzy Hash: de8b0134f461105582fa0945fd6dffaeedc6b77227b4e5a9e2185e907dedcebc
Instruction Fuzzy Hash: 12F0FC31E002287BDB159F7598156FF7BF4AB49B00F00516EDD42E7390D634AD0487C8

Function 00421869 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002182C), ref: 0042186E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 68dc7984fb03da972385af1cc5d813e54e69931bf1cfdfbeda70dde6207c7b30
Instruction ID: 59a8ace69bf20b6854e1a69f801a59338f5797959c3956d52bd46dfc65167340
Opcode Fuzzy Hash: 68dc7984fb03da972385af1cc5d813e54e69931bf1cfdfbeda70dde6207c7b30
Instruction Fuzzy Hash: 129022A83000000A020023302C8800020A00A883023820020A202C0020CF0000800088

Function 0041EDC9 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: bef351a8df7a14a4c3bbf21f3a8d10c48d6b1f11e5cf58a0466fcd95e9136ba1
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 35D1A077D0A9B34A8735812F44582BBEE626FC1B4031FC7E29CD43F389D22A5D8596D4

Function 0041E9A9 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: a1310ba3f53af42121a9b656f518f545866e3a0ae52fe3230acdfe72305b16a6
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 3BD18E7BD1A9B30A8735812F44582BBEE626FD1B4031EC7E2DCD42F389D22A5D8196D4

Function 0041E59D Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: a07baa764f66dc59a372327b1d718c47fd50046b342493d97c5b885fd6ccf8bc
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 63C17177D0A9B30A8735812F44581BBEEA26FD1B5031FC7E29CE43F389D12A5D8496D4

Function 0041E1C9 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 9496ba627f1652e149e4fed5d49a6ff2c54f53ec6c1d957ce731bfaaa619d72f
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 30C18177D0A9B3068735812F44685ABEEA36FD1B4031EC7E29CD42F389D13A9D8096D4

Function 0041BC7E Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(Native), ref: 0041BC8D
RegisterClipboardFormatW.USER32(OwnerLink), ref: 0041BC96
RegisterClipboardFormatW.USER32(ObjectLink), ref: 0041BCA0
RegisterClipboardFormatW.USER32(Embedded Object), ref: 0041BCAA
RegisterClipboardFormatW.USER32(Embed Source), ref: 0041BCB4
RegisterClipboardFormatW.USER32(Link Source), ref: 0041BCBE
RegisterClipboardFormatW.USER32(Object Descriptor), ref: 0041BCC8
RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 0041BCD2
RegisterClipboardFormatW.USER32(FileName), ref: 0041BCDC
RegisterClipboardFormatW.USER32(FileNameW), ref: 0041BCE6
RegisterClipboardFormatW.USER32(Rich Text Format), ref: 0041BCF0
RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 0041BCFA

Strings

Embedded Object, xrefs: 0041BCA2
Link Source, xrefs: 0041BCB6
ObjectLink, xrefs: 0041BC98
RichEdit Text and Objects, xrefs: 0041BCF2
Object Descriptor, xrefs: 0041BCC0
OwnerLink, xrefs: 0041BC8F
Native, xrefs: 0041BC86
Link Source Descriptor, xrefs: 0041BCCA
Rich Text Format, xrefs: 0041BCE8
FileNameW, xrefs: 0041BCDE
FileName, xrefs: 0041BCD4
Embed Source, xrefs: 0041BCAC

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 66abcbae237fa9e2ebf5c20b811ae95ac4d212c7f94022ae864ead9a8c754866
Instruction ID: 99bd0bc286f344bc44fa02dc7610397b7464670e3bfeb628fd9af7f8eef833d0
Opcode Fuzzy Hash: 66abcbae237fa9e2ebf5c20b811ae95ac4d212c7f94022ae864ead9a8c754866
Instruction Fuzzy Hash: 21017971A407896ACB30BF769C09D0BBEE0EEC9B10723AD2FE08587650D6B8D404CF58

Function 00421877 Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 156fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 004218E3
__invoke_watson.LIBCMT ref: 004218F4
GetModuleFileNameA.KERNEL32(00000000,00445A71,00000104,00000000,0040BEFD,00000000), ref: 00421910
_strcpy_s.LIBCMT ref: 00421925
__invoke_watson.LIBCMT ref: 00421938
_strlen.LIBCMT ref: 00421941
_strlen.LIBCMT ref: 0042194E
__invoke_watson.LIBCMT ref: 0042197B
_strcat_s.LIBCMT ref: 0042198E
__invoke_watson.LIBCMT ref: 0042199F
_strcat_s.LIBCMT ref: 004219B0
__invoke_watson.LIBCMT ref: 004219C1
GetStdHandle.KERNEL32(000000F4,?,00000001,-0000000F,00000000,00000003,00421A43,000000FC,00424109,0043EA40,0000000C,004241C4,0040BEFD,-0000000F,?,00420407), ref: 004219E0
_strlen.LIBCMT ref: 00421A01
WriteFile.KERNEL32(00000000,00000000,00000000,00000004,00000000,?,00000001,-0000000F,00000000,00000003,00421A43,000000FC,00424109,0043EA40,0000000C,004241C4), ref: 00421A0B

Strings

Runtime Error!Program: , xrefs: 004218D2
l]D, xrefs: 0042195A
<program name unknown>, xrefs: 0042191A
Microsoft Visual C++ Runtime Library, xrefs: 004219CE
XZD, xrefs: 004218DD
..., xrefs: 0042195F
qZD, xrefs: 00421901

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $XZD$l]D$qZD
API String ID: 1879448924-2849167463
Opcode ID: d714198814e7f6d70bf12f1ab266bd718288eeaf76e8b8680f7ea59585bb35f4
Instruction ID: 4d252cb2e735f0ec1e838b490852f5c6f8115bdce8c6c8062b1edfbdbe461aa6
Opcode Fuzzy Hash: d714198814e7f6d70bf12f1ab266bd718288eeaf76e8b8680f7ea59585bb35f4
Instruction Fuzzy Hash: EC312AA2B402352BEA243A327C5AF7B254C9F22754FD40137FD05A12A3FA4D995181FE

Function 0041B6FA Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 397stringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041B701
lstrlenA.KERNEL32(?), ref: 0041B739
VariantClear.OLEAUT32(?), ref: 0041B9C3
VariantClear.OLEAUT32(?), ref: 0041B9EB
SysStringLen.OLEAUT32(?), ref: 0041BA42
SysFreeString.OLEAUT32(?), ref: 0041BA5C
SysStringLen.OLEAUT32(?), ref: 0041BA61
SysFreeString.OLEAUT32(?), ref: 0041BA75
SysStringLen.OLEAUT32(?), ref: 0041BA7A
SysFreeString.OLEAUT32(?), ref: 0041BA8E
__CxxThrowException@8.LIBCMT ref: 0041BAA8
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 0041BAC6
VariantClear.OLEAUT32(?), ref: 0041BAD6

Strings

P?<up=<u, xrefs: 0041BA38
(lC, xrefs: 0041B75C
`<u, xrefs: 0041BA56, 0041BB3C

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: String$Variant$ClearFree$ChangeException@8H_prolog3ThrowTypelstrlen
String ID: (lC$P?<up=<u$`<u
API String ID: 1765679327-2620380735
Opcode ID: db3de0f73f997553c2382f558ce7e1d8fb8f4d08ee5c760a7565145f54a57178
Instruction ID: 6222bca8c5643f8bd3af565bb588314cca481de0876693bde2e65a3289a58dde
Opcode Fuzzy Hash: db3de0f73f997553c2382f558ce7e1d8fb8f4d08ee5c760a7565145f54a57178
Instruction Fuzzy Hash: F8F19CB090021ADFCF11DFA9D884AEEBBB4FF45304F14405AE901A72A1D7789D92CF99

Function 00422799 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,0041D6E3), ref: 0042279F
__mtterm.LIBCMT ref: 004227AB

Part of subcall function 004224ED: TlsFree.KERNEL32(00000014,00422918), ref: 00422518
Part of subcall function 004224ED: DeleteCriticalSection.KERNEL32(00000000,00000000,74DEDFB0,00000001,00422918), ref: 00424099
Part of subcall function 004224ED: DeleteCriticalSection.KERNEL32(00000014,74DEDFB0,00000001,00422918), ref: 004240C3

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004227C1
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004227CE
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004227DB
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004227E8
TlsAlloc.KERNEL32 ref: 00422838
TlsSetValue.KERNEL32(00000000), ref: 00422853
__init_pointers.LIBCMT ref: 0042285D
__calloc_crt.LIBCMT ref: 004228D2
GetCurrentThreadId.KERNEL32 ref: 00422902

Strings

KERNEL32.DLL, xrefs: 0042279A
FlsFree, xrefs: 004227DD
FlsAlloc, xrefs: 004227BB
FlsGetValue, xrefs: 004227C3
FlsSetValue, xrefs: 004227D0

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2125014093-3819984048
Opcode ID: 127007b94d6b60b6924272b92699577d13c8dccec1f3370c11e4e57dce009401
Instruction ID: 470edc3e8294c2b32b0449b367deb6dbcc9d700fadd56f24a17185b9a3e56de2
Opcode Fuzzy Hash: 127007b94d6b60b6924272b92699577d13c8dccec1f3370c11e4e57dce009401
Instruction Fuzzy Hash: 6A319578700E20AFDF207F75BE0964A3AA4AB46354B90053BF410972F2DBBC9584DB6D

Function 00406204 Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,75C04A40,00406363,?,?,?,?,?,?,?,00408206,00000000,00000002,00000028), ref: 0040622D
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00406249
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0040625E
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0040626F
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00406280
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00406291
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 004062A2
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004062C2

Strings

EnumDisplayDevicesW, xrefs: 0040629C
EnumDisplayMonitors, xrefs: 0040628B
GetMonitorInfoA, xrefs: 004062BC
USER32, xrefs: 00406223
MonitorFromWindow, xrefs: 00406258
GetSystemMetrics, xrefs: 00406243
MonitorFromPoint, xrefs: 0040627A
GetMonitorInfoW, xrefs: 004062B5
MonitorFromRect, xrefs: 00406269

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: fb66af7dcfa803097987f3a985d1aee384ca60b012a1b15dc90f8ab8e6f29012
Instruction ID: 4307b141ec46864fa8afb8b297fa5e0f6a328bc50687a320ff861be3dbf5377b
Opcode Fuzzy Hash: fb66af7dcfa803097987f3a985d1aee384ca60b012a1b15dc90f8ab8e6f29012
Instruction Fuzzy Hash: 3621C875A40B119BCF106F256CC052EBAE0B24AB813A244BFE805E66E3C7FC40519F5C

Function 00417E53 Relevance: 26.0, APIs: 17, Instructions: 452windowkeyboardCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00417EA6
IsWindowEnabled.USER32(?), ref: 00417F02
__EH_prolog3_catch.LIBCMT ref: 00417F50
GetFocus.USER32 ref: 00417F70
GetParent.USER32(?), ref: 00417FBB
GetParent.USER32(?), ref: 00417FCB
GetKeyState.USER32(00000012), ref: 00418089
IsDialogMessageW.USER32(?,?), ref: 0041813D
GetFocus.USER32 ref: 00418150
GetFocus.USER32 ref: 0041815D
IsWindow.USER32(?), ref: 00418175
GetFocus.USER32 ref: 00418181
IsWindow.USER32(?), ref: 00418197
GetFocus.USER32 ref: 0041819D
GetKeyState.USER32(00000010), ref: 004181C6
MessageBeep.USER32(00000000), ref: 004182BD

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: c714b1b46eabd41091cb81b1d38c012c3da9b065ba5febb8e5c3b8919c34c65a
Instruction ID: 289a9ffc7f70986001c957e1c40cdfa1080c64a57f6ffc1cb519ed63c1834b97
Opcode Fuzzy Hash: c714b1b46eabd41091cb81b1d38c012c3da9b065ba5febb8e5c3b8919c34c65a
Instruction Fuzzy Hash: B4F1AD31904209ABDF21ABA5C844BEF7BB5AF44754F25402FE815A7291DB3CDCC2CA9D

Function 0042252A Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 49libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,0043E978,0000000C,0042263B,00000000,00000000,?,?,0040BEFD,0042248E,?,00402429,00000000,?,00000000,0040B374), ref: 0042253B
GetProcAddress.KERNEL32(0040B374,EncodePointer), ref: 0042256F
GetProcAddress.KERNEL32(0040B374,DecodePointer), ref: 0042257F
InterlockedIncrement.KERNEL32(00442910), ref: 004225A1
__lock.LIBCMT ref: 004225A9
___addlocaleref.LIBCMT ref: 004225C8

Strings

KERNEL32.DLL, xrefs: 00422536
@.D, xrefs: 004225BD
EncodePointer, xrefs: 00422561
8(D, xrefs: 00422547
DecodePointer, xrefs: 00422577

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: 8(D$@.D$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-244990591
Opcode ID: 10397ce3f348563bfe9b42c4a78a3438afcf678cbf16543f40fa7c141e29071c
Instruction ID: 46d58370662770955194bb23daa9950bfbb0b8beaa424c5b5dd0dd791054cd88
Opcode Fuzzy Hash: 10397ce3f348563bfe9b42c4a78a3438afcf678cbf16543f40fa7c141e29071c
Instruction Fuzzy Hash: C01186B0A40711AFE720AF76D9057ABBBF0EF44304F90451EE89992391CBBC9980CF18

Function 004213AA Relevance: 18.3, APIs: 12, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee258df054149ba4ced611b556baa7038e9a5e6c1cfd8a8743fa1681a538182
Instruction ID: 41032f398ec5741f85a336b54811401a173b58b7bd6915f3b15b65eea0118540
Opcode Fuzzy Hash: 1ee258df054149ba4ced611b556baa7038e9a5e6c1cfd8a8743fa1681a538182
Instruction Fuzzy Hash: B8813771B007249BDB24EF6AEC819AFB3F9EFA0314F58452FF015D2262E77899418758

Function 004014B0 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 269processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,85C441DE), ref: 00401500
_wcsrchr.LIBCMT ref: 0040155B
GetCurrentProcess.KERNEL32(?), ref: 00401603
IsWow64Process.KERNEL32(00000000), ref: 0040160A
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?), ref: 0040179E
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004017E5
GetExitCodeProcess.KERNEL32(?,?), ref: 004017F4

Strings

\DPInstx86.exe, xrefs: 00401625
D, xrefs: 00401725
\DPInstx64.exe, xrefs: 0040161E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Process$CodeCreateCurrentExitFileModuleNameObjectSingleWaitWow64_wcsrchr
String ID: D$\DPInstx64.exe$\DPInstx86.exe
API String ID: 3394105499-2900530997
Opcode ID: 3396b95693b402a3a405ae9e4267fc036c8221c70b4f01559908b735613a4977
Instruction ID: 47ed534c9ae48fb0c40142fe3aeddeeb8b5b6f9f8d97c516f6c4943b2db199e0
Opcode Fuzzy Hash: 3396b95693b402a3a405ae9e4267fc036c8221c70b4f01559908b735613a4977
Instruction Fuzzy Hash: 57A18A712083419FC314DF28C885A5BB7E5BFC9724F148A2EF4569B3E1DB78A805CB96

Function 004198EE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00419931
PathFindExtensionW.SHLWAPI(?), ref: 0041994B
__wcsdup.LIBCMT ref: 0041998E
__wcsdup.LIBCMT ref: 004199C7
__wcsdup.LIBCMT ref: 00419A13
_wcscat_s.LIBCMT ref: 00419A3E
__wcsdup.LIBCMT ref: 00419A50

Strings

.INI, xrefs: 00419A31
.CHM, xrefs: 004199F4
.HLP, xrefs: 004199FB

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath_wcscat_s
String ID: .CHM$.HLP$.INI
API String ID: 1106884133-4017452060
Opcode ID: 156f03ade88f65d0541f54e6afb88927e93f1559071b61b63ab17c2769b36101
Instruction ID: 630cdf02cfbe1c8c53df57feb3595dc9e75311712a0af56c54e9b84f4f976e93
Opcode Fuzzy Hash: 156f03ade88f65d0541f54e6afb88927e93f1559071b61b63ab17c2769b36101
Instruction Fuzzy Hash: CB414BB16102099BDB30EF65DD85BEB77E8AF05704F00482FF946D6281EB78E944CB28

Function 00402A8D Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,00000020,?,00000000,004034EC,000000FF), ref: 00402AAF
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 00402ACD
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 00402ADA
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 00402AE7
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 00402AF4

Strings

ReleaseActCtx, xrefs: 00402ACF
ActivateActCtx, xrefs: 00402ADC
DeactivateActCtx, xrefs: 00402AE9
CreateActCtxW, xrefs: 00402AC7
KERNEL32, xrefs: 00402AAA

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 07132d9233b845aaee8d1b826570ddc029bda947b47146fd6b100f0e5e2edba9
Instruction ID: ed5730b6398b3e70b040944a2633c7a0f330cbcd36fcbadc5385ab503ffc5b0b
Opcode Fuzzy Hash: 07132d9233b845aaee8d1b826570ddc029bda947b47146fd6b100f0e5e2edba9
Instruction Fuzzy Hash: 0E11E979B802419BCB31AF656D88456BBA4E796F06710843FE480B26D0DAF87540CF6D

Function 0040C16A Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 0040C177
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0040C198
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0040C1AA
GetProcAddress.KERNEL32(ActivateActCtx), ref: 0040C1BC
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0040C1CE

Strings

ReleaseActCtx, xrefs: 0040C19A
ActivateActCtx, xrefs: 0040C1AC
DeactivateActCtx, xrefs: 0040C1BE
CreateActCtxW, xrefs: 0040C192
KERNEL32, xrefs: 0040C172

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 6325cdd8aa2422adc08fc52fe797c7fc3026648ca8364d39a69abcd102d735ae
Instruction ID: c890be092fe8a302455daad33b1d4494179843055af02fea5ed244cc4fbd1faf
Opcode Fuzzy Hash: 6325cdd8aa2422adc08fc52fe797c7fc3026648ca8364d39a69abcd102d735ae
Instruction Fuzzy Hash: BCF0FE7C906751AFCF50AF707D0578A3EA9E64AB527201437B505EE263E27C5480CE5C

Function 004052BF Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 255memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004052D8
MapDialogRect.USER32(?,00000000), ref: 00405369
SysAllocStringLen.OLEAUT32(?,?), ref: 00405388
CLSIDFromString.OLE32(?,?,00000000), ref: 0040547A

Part of subcall function 0040240A: _malloc.LIBCMT ref: 00402424

CLSIDFromProgID.OLE32(?,?,00000000), ref: 00405482
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,00000000,00000000,0000FC84,00000000), ref: 0040551C
SysFreeString.OLEAUT32(00000000), ref: 0040556E

Strings

`<u, xrefs: 0040556E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
String ID: `<u
API String ID: 2841959276-3367579956
Opcode ID: c5005de9f8d17d8b8d0909f014420b4396e9c05d8fc93965f656cf91473522ef
Instruction ID: 06ce08a80ffef963eeaa6a76272924fa47bf0b8a125bfff28f28e254dabad62f
Opcode Fuzzy Hash: c5005de9f8d17d8b8d0909f014420b4396e9c05d8fc93965f656cf91473522ef
Instruction Fuzzy Hash: 13B1F475900609AFCB04DF69C984AEE7BB4FF08344F05412AFC19A7291E778A994CF98

Function 00418A54 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00418A7A
GetStockObject.GDI32(0000000D), ref: 00418A82
GetObjectW.GDI32(00000000,0000005C,?), ref: 00418A8F
GetDC.USER32(00000000), ref: 00418A9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00418AB2
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00418ABE
ReleaseDC.USER32(00000000,00000000), ref: 00418ACA

Strings

System, xrefs: 00418A75, 00418ADF

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: b148ecff2984927f2229cdce8bd82a4553ebd97555b4f2cbdaff4f85ea519fe1
Instruction ID: 9513b3ea852709ca0d6bfa9225d420557fde9130c1ff1c52bab6a310fdcc5cbc
Opcode Fuzzy Hash: b148ecff2984927f2229cdce8bd82a4553ebd97555b4f2cbdaff4f85ea519fe1
Instruction Fuzzy Hash: 8A116071B40318ABDB109BA1DC49FEF7BB8EF54785F00012AFA059B2D0DA749C44CB68

Function 00431988 Relevance: 13.6, APIs: 9, Instructions: 146librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 004319CD
GetLastError.KERNEL32 ref: 004319D9
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00431A0C
InterlockedExchange.KERNEL32(?,00000000), ref: 00431A1E
LocalAlloc.KERNEL32(00000040,00000008), ref: 00431A32
FreeLibrary.KERNEL32(00000000), ref: 00431A4F
GetProcAddress.KERNEL32(?,?), ref: 00431AA4
GetLastError.KERNEL32(?,?), ref: 00431AB0
RaiseException.KERNEL32(C06D007F,00000000,00000001,?,?,?), ref: 00431AE2

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID:
API String ID: 991255547-0
Opcode ID: 6ce9b93ddcdd129534b5a46348dfcabf2f766fa1c9ee4345a571f301845e3d5f
Instruction ID: a0ab8c363ece25369fafd325498e58ae911e25830386486fbf071e74c18db0bd
Opcode Fuzzy Hash: 6ce9b93ddcdd129534b5a46348dfcabf2f766fa1c9ee4345a571f301845e3d5f
Instruction Fuzzy Hash: 37517C746012059FDB11DF98DD84BAEB7B4AF9C341F11602AEA05E7360EB74ED41CB28

Function 0041ABF0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 249stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041ABF7
lstrlenA.KERNEL32(00000000,000000FF,00000050,0040F761,00000000,00000001,?,?,000000FF,?,?,?), ref: 0041AC29

Part of subcall function 004048B7: _memcpy_s.LIBCMT ref: 004048C7

VariantClear.OLEAUT32(?), ref: 0041ADCF

Strings

(lC, xrefs: 0041AD3B, 0041AD3E
`<u, xrefs: 0041AEC2

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ClearH_prolog3_catch_Variant_memcpy_slstrlen
String ID: (lC$`<u
API String ID: 2214827562-3771470324
Opcode ID: da237e9533aeda0332947c71a6167c9b66c2a81f493e1fa5471174473bc8bf68
Instruction ID: 61770d532fb616ae802c1812c8f1189c470e9414e3137eff6585fdcd47e610a7
Opcode Fuzzy Hash: da237e9533aeda0332947c71a6167c9b66c2a81f493e1fa5471174473bc8bf68
Instruction Fuzzy Hash: E3A1DD31C01209DFCF11DFA5C9856EEBBB0FF05315F24815AE415B7291D3389AA2CBAA

Function 004173A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004173A7
VariantClear.OLEAUT32(?), ref: 00417453
SysFreeString.OLEAUT32(00000000), ref: 004174D4
SysFreeString.OLEAUT32(00000000), ref: 004174E3
SysFreeString.OLEAUT32(00000000), ref: 004174F2
VariantClear.OLEAUT32(00000000), ref: 00417507

Part of subcall function 00416E89: __EH_prolog3.LIBCMT ref: 00416EA5
Part of subcall function 00416E89: VariantClear.OLEAUT32(?), ref: 00416F0A

Part of subcall function 004193C5: VariantCopy.OLEAUT32(?,?), ref: 004193D3

Strings

`<u, xrefs: 004174D4, 004174E3, 004174F2

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Variant$ClearFreeString$H_prolog3$Copy
String ID: `<u
API String ID: 3861216745-3367579956
Opcode ID: 9abf97a1c9ce8a76d9d08913e1132a03c381b17fc06a3bf101c4b871e3cbb722
Instruction ID: c002cca01b19162ad6e891d270b0965d471f3ace887bbcfccb848d80a3935f3e
Opcode Fuzzy Hash: 9abf97a1c9ce8a76d9d08913e1132a03c381b17fc06a3bf101c4b871e3cbb722
Instruction Fuzzy Hash: F5511A71A00209DFDB10DFA8C984BDEBBB9FF48305F10452AE515E7291D778A985CB64

Function 0041AFCF Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0041B052
SysAllocString.OLEAUT32(?), ref: 0041B07A
SysAllocString.OLEAUT32(00000000), ref: 0041B0CF
SysAllocString.OLEAUT32(00000000), ref: 0041B0F8
SysAllocString.OLEAUT32(00000000), ref: 0041B127

Strings

T[C, xrefs: 0041B089
jC, xrefs: 0041B009

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AllocString
String ID: T[C$jC
API String ID: 2525500382-2062627590
Opcode ID: 8c0e70df3489df632068e020dcdee158924831474a777579e2549323940e54bd
Instruction ID: 07b22e9ee3a90637086684ba75078865ee55cce58f588c59815511b9c8a88aee
Opcode Fuzzy Hash: 8c0e70df3489df632068e020dcdee158924831474a777579e2549323940e54bd
Instruction Fuzzy Hash: 3A413F719006059BCB20AF6AD851AEEB7B0FF44314F50852FE465A72A2DB38A954CF98

Function 004063C3 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(00000002,00000000), ref: 004063DB
MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 00406401
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 0040642B
GetSystemMetrics.USER32(00000000), ref: 00406442
GetSystemMetrics.USER32(00000001), ref: 00406449
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 00406474

Strings

DISPLAY, xrefs: 0040646B

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: System$ByteCharInfoMetricsMultiWide$MonitorParameters
String ID: DISPLAY
API String ID: 3432410572-865373369
Opcode ID: 637800b08258a8e05464a95b3661aeaea5ea117422ee286dcd805eef8187cc85
Instruction ID: cd5b6846f8c30f5f43dea4655d8936c345744756cf3add5f281e85093f26ab73
Opcode Fuzzy Hash: 637800b08258a8e05464a95b3661aeaea5ea117422ee286dcd805eef8187cc85
Instruction Fuzzy Hash: 0521B371500220ABDF209F64CC84A5B7AA8EB05761F124177FC06BB1D5D674A861CBAD

Function 00413163 Relevance: 12.3, APIs: 8, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041316A

Part of subcall function 004118B5: SysStringLen.OLEAUT32(?), ref: 004118BD
Part of subcall function 004118B5: CoGetClassObject.OLE32(?,?,00000000,004391FC,?), ref: 004118DB

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 004132F4
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00413315
GlobalAlloc.KERNEL32(00000000,00000000), ref: 00413362
GlobalLock.KERNEL32(00000000), ref: 00413370
GlobalUnlock.KERNEL32(?), ref: 00413388
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 004133AB
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 004133C7

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: b2b3daea976d6fc6519c188f1ed5570afd7bc7ead602079118be473d3ab1cf00
Instruction ID: 3f53ac4066667cf456b99a10fb748b27cf230f0baed110563d375640da8decfc
Opcode Fuzzy Hash: b2b3daea976d6fc6519c188f1ed5570afd7bc7ead602079118be473d3ab1cf00
Instruction Fuzzy Hash: 3BC10BB090020AEFDF10DFA5C8849EEB7B9FF48305B50496EF915E7251C7759A81CB64

Function 0040E1FB Relevance: 12.1, APIs: 8, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0040E202
EnterCriticalSection.KERNEL32(?,00000010,0040E49E,?,00000000,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324), ref: 0040E213
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324,00000000), ref: 0040E231
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040E265
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324,00000000), ref: 0040E2D1
TlsSetValue.KERNEL32(?,00000000), ref: 0040E301
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324,00000000), ref: 0040E322

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal
String ID:
API String ID: 2819805515-0
Opcode ID: 109a01513b92958aa0402ac09dbb9c63bd248c613c0d6a01782f26d6682aa41c
Instruction ID: babacc030b5106bf61fb759286ab9ceec74420f0689691f5ec86526ad281be7a
Opcode Fuzzy Hash: 109a01513b92958aa0402ac09dbb9c63bd248c613c0d6a01782f26d6682aa41c
Instruction Fuzzy Hash: 9031A571400606EFCB10AF52D885C9ABBA4FF44310B10C93FF916A76A1C774BDA1CB98

Function 00402E5E Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 00402E7B
lstrcmpW.KERNEL32(00000000,?), ref: 00402E88
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 00402E9A
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00402EBA
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00402EC2
GlobalLock.KERNEL32(00000000), ref: 00402ECC
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00402ED9
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00402EF1

Part of subcall function 0040DA3F: GlobalFlags.KERNEL32(?), ref: 0040DA4A
Part of subcall function 0040DA3F: GlobalUnlock.KERNEL32(?), ref: 0040DA5C
Part of subcall function 0040DA3F: GlobalFree.KERNEL32(?), ref: 0040DA67

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 5d1bc618e5900c62ca94e3316c93b0d47b5fbf0e3c91d0e0c45e6bacdc7c9478
Instruction ID: 8a1c3dba372a210b763a19075e7db06a2d346b32194a5f0c32d946328f3bf3cc
Opcode Fuzzy Hash: 5d1bc618e5900c62ca94e3316c93b0d47b5fbf0e3c91d0e0c45e6bacdc7c9478
Instruction Fuzzy Hash: 2C119471900504BBDB219BA6DD49C6F7BBDFFC9744B00102AF605E2161DB79D910E768

Function 00404205 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00404224
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 004042E0
RegEnumKeyW.ADVAPI32(?,00000000,00000000,00000104), ref: 004042F7
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 00404311
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 00404323

Strings

Software\, xrefs: 00404279

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 1a2fe4e324e7ac29240ce4fb5b0da3cdd32acc7460ba1fbee6a820456f3b0a4d
Instruction ID: 3d9cafb162dc2fde85708bea953d31a28296fbdbbbecc8c42615b6d47bbd8d35
Opcode Fuzzy Hash: 1a2fe4e324e7ac29240ce4fb5b0da3cdd32acc7460ba1fbee6a820456f3b0a4d
Instruction Fuzzy Hash: 45417071A002099BCB11EBA5CC459EFB7B9EF84304F10452FF611F22D1DB789A45DB69

Function 004178DB Relevance: 10.6, APIs: 7, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000002), ref: 004178F6
GetParent.USER32(?), ref: 00417907
GetWindow.USER32(?,00000002), ref: 0041792A
GetWindow.USER32(?,00000002), ref: 0041793C
GetWindowLongW.USER32(?,000000EC), ref: 0041794B
IsWindowVisible.USER32(?), ref: 00417965
GetTopWindow.USER32(?), ref: 0041798B

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 4859dde0af1b68c7280e5ffcda68c727b4966a9b33332b08d1757715c40387ff
Instruction ID: a415d72211b306664d0c45f30e39844720a8c8f19b0878942b2331b8f27d2991
Opcode Fuzzy Hash: 4859dde0af1b68c7280e5ffcda68c727b4966a9b33332b08d1757715c40387ff
Instruction Fuzzy Hash: 09213DB16593146BEB20AB718C09FAB72BCBF44354F05052EF885A7291D72CDC44C7AC

Function 0040DD50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 0040DD7E
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0040DDA1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0040DDBD
RegCloseKey.ADVAPI32(?), ref: 0040DDCD
RegCloseKey.ADVAPI32(?), ref: 0040DDD7

Strings

software, xrefs: 0040DD66

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 7f475e6ef268612aeb0ab6a157ecd6ebf112705f1d601cbbdbe0cc6a6e485acc
Instruction ID: 38e98835c2b5b2b8a04d80a6508d865327f532230f8ed2aeb5698a8d2e93b6bc
Opcode Fuzzy Hash: 7f475e6ef268612aeb0ab6a157ecd6ebf112705f1d601cbbdbe0cc6a6e485acc
Instruction Fuzzy Hash: 9211B676D00119FBCB21DBDACC84DDFBFBCEFC5754B1040AAA505A2121D271AA44DB64

Function 004223CD Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00425EF3,00425F73,00425EF3,00000014,00424165,00000000,00000FA0,0043EA40,0000000C,004241C4,0040BEFD,-0000000F,?,00420407,00000004,0043E8D8), ref: 004223DA
TlsGetValue.KERNEL32(00000005,?,00420407,00000004,0043E8D8,0000000C,00422CBB,00000004,00000004,00000000,00000000,00000000,00422612,00000001,00000214), ref: 004223F1
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00420407,00000004,0043E8D8,0000000C,00422CBB,00000004,00000004,00000000,00000000,00000000,00422612,00000001,00000214), ref: 00422406
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00422421

Strings

KERNEL32.DLL, xrefs: 00422401
EncodePointer, xrefs: 0042241B

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: EncodePointer$KERNEL32.DLL
API String ID: 1929421221-3682587211
Opcode ID: 8bbf634d186e99d5af397b3f2f678ab8ce41ca3b9d2a18c7f76b06912dd60758
Instruction ID: 68c58473cd788c9a106ba936a5d2dbbef8079bd1c1cae075a0f5ade2aa0780d6
Opcode Fuzzy Hash: 8bbf634d186e99d5af397b3f2f678ab8ce41ca3b9d2a18c7f76b06912dd60758
Instruction Fuzzy Hash: 39F09670705137BB86157B25FE04AAB3AE49F48354B944132FC58D22B1DBA8ED41866D

Function 00422444 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00424CF0,0041DC58,0040BEFD,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD,00000000), ref: 00422451
TlsGetValue.KERNEL32(00000005,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD,00000000), ref: 00422468
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD,00000000), ref: 0042247D
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00422498

Strings

KERNEL32.DLL, xrefs: 00422478
DecodePointer, xrefs: 00422492

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: DecodePointer$KERNEL32.DLL
API String ID: 1929421221-629428536
Opcode ID: 12244c76e16d8c01cb8ccb07a5dad3a4014d52f8198c1a61aea4649eb8586f72
Instruction ID: f4bfd0c5fe9cc89d9a720c80211922e2dc5aa2261d796e3ead09a8a39b698f27
Opcode Fuzzy Hash: 12244c76e16d8c01cb8ccb07a5dad3a4014d52f8198c1a61aea4649eb8586f72
Instruction Fuzzy Hash: 1CF09670705136BB86117B25FF0497B3AE49F41390B844172F858E2270CBA8DD01966D

Function 0040DB75 Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 0040DB81
GetSysColor.USER32(00000010), ref: 0040DB88
GetSysColor.USER32(00000014), ref: 0040DB8F
GetSysColor.USER32(00000012), ref: 0040DB96
GetSysColor.USER32(00000006), ref: 0040DB9D
GetSysColorBrush.USER32(0000000F), ref: 0040DBAA
GetSysColorBrush.USER32(00000006), ref: 0040DBB1

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 4166e3257f1dcdb5dcb32d3a3de4375c70e81955a6fd1f089be8718a256e4c9f
Instruction ID: b2d69407b7ec4de291adbd894616552f40c2939cbe22c84e62c5a036204cebde
Opcode Fuzzy Hash: 4166e3257f1dcdb5dcb32d3a3de4375c70e81955a6fd1f089be8718a256e4c9f
Instruction Fuzzy Hash: 13F0FE71A407445BD730BB725D49B47BAD5EFC4B10F02192AD2418B990D6B5E0409F44

Function 0043325E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24registryclipboardCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00433266
GetVersion.KERNEL32 ref: 00433271
GetVersion.KERNEL32 ref: 00433279
GetVersion.KERNEL32 ref: 0043327F
RegisterClipboardFormatW.USER32(MSWHEEL_ROLLMSG), ref: 0043328C

Strings

MSWHEEL_ROLLMSG, xrefs: 00433287

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 16e15b6fe98e1a17b4212ccf5b236d66343bd8e22ef3ba9750656d5c654daa39
Instruction ID: 04f0fab565c036ad66d61320494cd6e97434e7df261070a5f5ce94b8c935890d
Opcode Fuzzy Hash: 16e15b6fe98e1a17b4212ccf5b236d66343bd8e22ef3ba9750656d5c654daa39
Instruction Fuzzy Hash: 0EE0807D810E128BDB112B747C043AB5A54978D3B2F595477DD0053351DA3C45834A7D

Function 00416E89 Relevance: 9.4, APIs: 6, Instructions: 404COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00416EA5
VariantClear.OLEAUT32(?), ref: 00416F0A

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

VariantClear.OLEAUT32(?), ref: 00417119
VariantClear.OLEAUT32(?), ref: 0041718B
VariantClear.OLEAUT32(?), ref: 0041737C

Part of subcall function 004193C5: VariantCopy.OLEAUT32(?,?), ref: 004193D3

Part of subcall function 004166F5: __EH_prolog3.LIBCMT ref: 004166FC

Part of subcall function 0041962F: __EH_prolog3.LIBCMT ref: 00419639

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Variant$Clear$H_prolog3$CopyException@8Throw
String ID:
API String ID: 3382529314-0
Opcode ID: 65a5872debfce7c2ecaed5df10bef2b44ae881926521734ffad4432954609cc2
Instruction ID: 4adbb54d0ca1646180b99d7cbf0a271b176605069b1777e515610b1cace8369b
Opcode Fuzzy Hash: 65a5872debfce7c2ecaed5df10bef2b44ae881926521734ffad4432954609cc2
Instruction Fuzzy Hash: 12F17E7040424CEADF15EFA1C890AEE7BB9BF08348F54405BFC5593292DB78DA84DB69

Function 0042C05B Relevance: 9.2, APIs: 6, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

__filbuf.LIBCMT ref: 0042C0C6
__filbuf.LIBCMT ref: 0042C0ED
__filbuf.LIBCMT ref: 0042C167
__filbuf.LIBCMT ref: 0042C197
_ungetc.LIBCMT ref: 0042C1A8
__filwbuf.LIBCMT ref: 0042C1F7

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: __filbuf$__filwbuf_ungetc
String ID:
API String ID: 716107490-0
Opcode ID: 12f5b84c3f1da6320370162a3f18821b0128cc062b640210ddea20ad6116a8d7
Instruction ID: 08f6e400ccf2594faabeff47591a1ef6550146bc734b1b0472657c9047875ac3
Opcode Fuzzy Hash: 12f5b84c3f1da6320370162a3f18821b0128cc062b640210ddea20ad6116a8d7
Instruction Fuzzy Hash: FC415831215535D9C3246B79B8825BE3BA4DE023347B40A0FF4A1973C3DB2C9652DB9D

Function 00404676 Relevance: 9.1, APIs: 6, Instructions: 115threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004045CB: GetParent.USER32(?), ref: 0040461E
Part of subcall function 004045CB: GetLastActivePopup.USER32(?), ref: 0040462D
Part of subcall function 004045CB: IsWindowEnabled.USER32(?), ref: 00404642
Part of subcall function 004045CB: EnableWindow.USER32(?,00000000), ref: 00404655

EnableWindow.USER32(?,00000001), ref: 004046C3
GetWindowThreadProcessId.USER32(?,?), ref: 004046D1
GetCurrentProcessId.KERNEL32 ref: 004046DB
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 004046F0
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040476E
EnableWindow.USER32(?,00000001), ref: 004047AB

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: ed25b40188e99e9287f4a1d7d2399fa9f4f535941f871db828045521d0575c1c
Instruction ID: c973ce6a58ba0b78acc30c11a6d279bea295fa1537fa1792d60d0db9127491c7
Opcode Fuzzy Hash: ed25b40188e99e9287f4a1d7d2399fa9f4f535941f871db828045521d0575c1c
Instruction Fuzzy Hash: E941B4B2A003489BDB319F64DC857DEB7B8FF85314F24053AEA15AB2D1E77999008F58

Function 004045CB Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004045FD
GetParent.USER32(?), ref: 0040460B
GetParent.USER32(?), ref: 0040461E
GetLastActivePopup.USER32(?), ref: 0040462D
IsWindowEnabled.USER32(?), ref: 00404642
EnableWindow.USER32(?,00000000), ref: 00404655

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: fa66f74dc7bd7cbba717e4b7959eab07d38ad596937b00777423d814bb37bd0f
Instruction ID: a3867029c37a03d441934be8337d41f8ec4b511fb1df1383b69278e2c4e69f22
Opcode Fuzzy Hash: fa66f74dc7bd7cbba717e4b7959eab07d38ad596937b00777423d814bb37bd0f
Instruction Fuzzy Hash: E911BCB260122167C6312A6A5C44B2BB2985FE6B64F05053BEF01B33D1EB7DDC0156AE

Function 0040E29C Relevance: 9.1, APIs: 6, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 0040E2A3
__CxxThrowException@8.LIBCMT ref: 0040E2AD

Part of subcall function 0042053F: RaiseException.KERNEL32(0040D324,00000000,00401440,?,0040D324,00000000,?,00000058,00401440), ref: 0042057F

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D), ref: 0040E2C4
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324,00000000), ref: 0040E2D1

Part of subcall function 0040C056: __CxxThrowException@8.LIBCMT ref: 0040C06A

TlsSetValue.KERNEL32(?,00000000), ref: 0040E301
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324,00000000), ref: 0040E322

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue
String ID:
API String ID: 3522952025-0
Opcode ID: c21b009eb156801b565b11e57dd7c43c0ada5988d99f30654caf9b22434e295b
Instruction ID: d6cd9d41fd3f88925a9dc4d1b0be53298ae7aa2c9be0812d448d3d1a9cdb13d3
Opcode Fuzzy Hash: c21b009eb156801b565b11e57dd7c43c0ada5988d99f30654caf9b22434e295b
Instruction Fuzzy Hash: 64118270100505AFDB10AF65DC85CABBBA5FF40314750C53EF956A35A1CB35ADA0CB58

Function 0040DB03 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0040DB12
GetDlgCtrlID.USER32(00000000), ref: 0040DB26
GetWindowLongW.USER32(00000000,000000F0), ref: 0040DB34
GetWindowRect.USER32(00000000,?), ref: 0040DB46
PtInRect.USER32(?,?,?), ref: 0040DB56
GetWindow.USER32(?,00000005), ref: 0040DB63

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: b859441a53fb2ef2b24fcd822e5dd4b9dce5d5953088eaf5cb1b28aee5dfa0f0
Instruction ID: 682482b090557ef16fb41fd621bc677a0093baf6685d07bcf61d030bf53ecc93
Opcode Fuzzy Hash: b859441a53fb2ef2b24fcd822e5dd4b9dce5d5953088eaf5cb1b28aee5dfa0f0
Instruction Fuzzy Hash: 2C014F36900119ABCB116FA5AC08FEF377CEF95750B054035F911A7290D738F9158BAD

Function 0040E0B6 Relevance: 9.0, APIs: 6, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 0040E0B7
GlobalUnlock.KERNEL32(00000000), ref: 0040E0C0
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0040E0D7
GlobalHandle.KERNEL32(?), ref: 0040E0E9
GlobalLock.KERNEL32(00000000), ref: 0040E0F0
LeaveCriticalSection.KERNEL32(?), ref: 0040E0FA
GlobalLock.KERNEL32(00000000), ref: 0040E106
LeaveCriticalSection.KERNEL32(?), ref: 0040E14B

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Global$CriticalHandleLeaveLockSection$AllocUnlock
String ID:
API String ID: 3588386637-0
Opcode ID: 1c903ab68a23b686debbc945d4a8a9354bc4b9ea200d1e2948afe477844decc3
Instruction ID: bc3f5b1f031c52ad7c56f3d808649c2cac8e76efa4f78460877b0db28027729c
Opcode Fuzzy Hash: 1c903ab68a23b686debbc945d4a8a9354bc4b9ea200d1e2948afe477844decc3
Instruction Fuzzy Hash: 07E01275504711AFE6202FB0AC4DA6B366CFB547417015935F902B61A1DF78B9508B9C

Function 00402916 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0040292E
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 004029E2
LoadBitmapW.USER32(00000000,00007FE3), ref: 004029FA

Strings

FC, xrefs: 004029AA
, xrefs: 0040294F

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID: $FC
API String ID: 2596413745-2768845546
Opcode ID: 78eb04b3a602ef54ab9254ef97d251ec3f6fb5bbff73d3796b4dfbf6eefe3cd3
Instruction ID: 644caebb4b8956201679804a1af7f33d47eb6b706bb2799f9dede72628bb35a8
Opcode Fuzzy Hash: 78eb04b3a602ef54ab9254ef97d251ec3f6fb5bbff73d3796b4dfbf6eefe3cd3
Instruction Fuzzy Hash: 4031E8B1B002059FEB20CF78DD8AABE7BB5EB44314F15053BE541EB2D1D67499448B54

Function 00414F12 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32 ref: 00414F33
CoTaskMemFree.OLE32(?), ref: 00414FB6

Strings

`<u, xrefs: 00414F97

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID: `<u
API String ID: 3253174383-3367579956
Opcode ID: 193c3c77c8f856881e9276b85d01ad5d10a7ed937f0222d7d22447d0780c0604
Instruction ID: d65d437017a7a44eb087a5b73a8debf9359ef96c3d92de236fa148ba9e7e980e
Opcode Fuzzy Hash: 193c3c77c8f856881e9276b85d01ad5d10a7ed937f0222d7d22447d0780c0604
Instruction Fuzzy Hash: 1C116D702002069FDB249FA5E848BE777A8BFC5355B68441AF849DB394C738EC83CA58

Function 004058FA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Edit, xrefs: 0040594A

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 8c2fb5c033a49d7f3ddc0f07ff218b24df56ed1eff1318f80d9f4cd8912d9ec0
Instruction ID: 1058ee0e076b181a74d4094c3cdd8bbc1848ff66b43e7bde73ad5dcce0fba93f
Opcode Fuzzy Hash: 8c2fb5c033a49d7f3ddc0f07ff218b24df56ed1eff1318f80d9f4cd8912d9ec0
Instruction Fuzzy Hash: BB01C871204901EAEA2016259C09B6BF7A4EF60725F54093BF451F22E1CB79EC51CD2C

Function 00416739 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00416740

Strings

\fC, xrefs: 004167ED
TgC, xrefs: 004167D9
0fC, xrefs: 004167E3
|fC, xrefs: 004167F7

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: H_prolog3
String ID: 0fC$TgC$\fC$|fC
API String ID: 431132790-2653331905
Opcode ID: 6886d802b1eb7d9411ca43294aa14b182128187ddd54a13276963bd0f107a496
Instruction ID: ba69d6a3b6698c79647be9854e767f0dd7ac1b7e26611c89dfd45961a5436cbf
Opcode Fuzzy Hash: 6886d802b1eb7d9411ca43294aa14b182128187ddd54a13276963bd0f107a496
Instruction Fuzzy Hash: 4631B2B0801B41DFD320DF2A8446786FAE4BFA4308F119A1FD1EA97661C7B86149CF29

Function 0042BD3D Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

__flsbuf.LIBCMT ref: 0042BE0B
__flsbuf.LIBCMT ref: 0042BE38
_wctomb_s.LIBCMT ref: 0042BE9B
__flsbuf.LIBCMT ref: 0042BED0
__flswbuf.LIBCMT ref: 0042BF05

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: __flsbuf$__flswbuf_wctomb_s
String ID:
API String ID: 3257920507-0
Opcode ID: 43b020e726d7a78547a6304e5ce3dd4c1686368b04eba419321ce7e9fd853225
Instruction ID: 706f63df8f84834974627e0b0fc8e70a8e2955571022359da0ced4d7b4490e7c
Opcode Fuzzy Hash: 43b020e726d7a78547a6304e5ce3dd4c1686368b04eba419321ce7e9fd853225
Instruction Fuzzy Hash: CB51E8712255349EC715AB39BC818EA3BA4EE023347F50A4FF1A1973D2DB2C9542C6ED

Function 00429A21 Relevance: 7.7, APIs: 5, Instructions: 172COMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 00429A40

Part of subcall function 00423BAF: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 00423C59
Part of subcall function 00423BAF: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00423C63
Part of subcall function 00423BAF: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00423C6D
Part of subcall function 00423BAF: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 00423C88
Part of subcall function 00423BAF: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00423C8F

_cvtdate.LIBCMT ref: 00429ACC
_cvtdate.LIBCMT ref: 00429B29
_cvtdate.LIBCMT ref: 00429B67
_cvtdate.LIBCMT ref: 00429B7F

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: _cvtdate$ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate__invoke_watson
String ID:
API String ID: 1874364942-0
Opcode ID: b50dcbb356b02b1a7ba470169200162145a4852bc54ab46942e8b9006bf59896
Instruction ID: 0c1fa3a746751a994056fff63c94e3a3070bea7abc1cdcd1e9d1944f37ef7f1e
Opcode Fuzzy Hash: b50dcbb356b02b1a7ba470169200162145a4852bc54ab46942e8b9006bf59896
Instruction Fuzzy Hash: 0C51E6B6B00530BEDB249B59FD8197B7BACFB4A745F90402BF504C5190E638AD80C76E

Function 004230B7 Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

getSystemCP.LIBCMT ref: 004230D0

Part of subcall function 0042303D: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042304A
Part of subcall function 0042303D: GetOEMCP.KERNEL32(00000000), ref: 00423064

setSBCS.LIBCMT ref: 004230E2
IsValidCodePage.KERNEL32(-00000030), ref: 00423128
GetCPInfo.KERNEL32(00000000,?), ref: 0042313B
setSBUpLow.LIBCMT ref: 00423226

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Locale$CodeInfoPageSystemUpdateUpdate::_Valid
String ID:
API String ID: 364485666-0
Opcode ID: fbceaa5e9dbc933676518e1e1a1442a3678c382001e478d454ec4fb5199f1eff
Instruction ID: a287810e940cf9235e0357ffe0235bb27057941b29329b022bd7c4beb0d05311
Opcode Fuzzy Hash: fbceaa5e9dbc933676518e1e1a1442a3678c382001e478d454ec4fb5199f1eff
Instruction Fuzzy Hash: A1511870B04165DBDF158F65D8802BFBBB4EF05306F5480ABD8819F242D67DCA46CBA9

Function 00413E8E Relevance: 7.6, APIs: 5, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413E95
VariantClear.OLEAUT32(?), ref: 00413F2B
SysFreeString.OLEAUT32(?), ref: 00413FB5
SysFreeString.OLEAUT32(?), ref: 00413FBF
SysFreeString.OLEAUT32(?), ref: 00413FC9

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: FreeString$ClearH_prolog3Variant
String ID:
API String ID: 3675777790-0
Opcode ID: b85dcafd8a0ffc477b084d9cb046bcc76b06371b2a5b597fa2e08cd93e2cba3c
Instruction ID: 99f414725cb519f92f755de9c6782b5e7e1bc9032619fc884b903fced377dad9
Opcode Fuzzy Hash: b85dcafd8a0ffc477b084d9cb046bcc76b06371b2a5b597fa2e08cd93e2cba3c
Instruction Fuzzy Hash: CF416B71E00219EBCF11DFA0C8459DEBB79BF08B15F10812BF415AA291C7789A86CF98

Function 004111EA Relevance: 7.6, APIs: 5, Instructions: 108windowthreadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004111F1
SendMessageW.USER32(?,00000138,?,?), ref: 00411269
GetBkColor.GDI32(?), ref: 00411272
GetTextColor.GDI32(?), ref: 0041127E
GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 00411310

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: afc27687552f77b22cd3c0c6e629082c48a5eefe6751dea1a68df5f1d81ec9d0
Instruction ID: 018a79b21e61d26bf3ea22a4c1e1747943da5939ad1316830d33ac15478033fd
Opcode Fuzzy Hash: afc27687552f77b22cd3c0c6e629082c48a5eefe6751dea1a68df5f1d81ec9d0
Instruction Fuzzy Hash: A8416E30800346DFCB109F64D844AEEB7B0FF05314F11896EEA66AB6B1D778E891DB59

Function 004040F6 Relevance: 7.6, APIs: 5, Instructions: 75registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00404115
RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 00404134
RegEnumKeyW.ADVAPI32(?,00000000,00000000,00000104), ref: 00404152
RegDeleteKeyW.ADVAPI32(?,?), ref: 004041CD
RegCloseKey.ADVAPI32(?), ref: 004041D8

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CloseDeleteEnumH_prolog3_catchOpen
String ID:
API String ID: 3522057324-0
Opcode ID: f991ae1f3c9b9decd83ef43ea0908310af13bcb166fd80dea85a075b89034260
Instruction ID: 42ca0a3efec63d7d1aaf3f4f2eefbb6434df460106eeeb3ad2602fa9eca67b05
Opcode Fuzzy Hash: f991ae1f3c9b9decd83ef43ea0908310af13bcb166fd80dea85a075b89034260
Instruction Fuzzy Hash: DD21A0B6D002199BDB25DF54CC45BEEB7B4EB54310F11423AEE11BB2D0D7385E449BA4

Function 00419794 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,?,?,?,?,?,00412B98,?,00000000,0000001C,00413506,?,?,?,?,?), ref: 004197A4
GetDeviceCaps.GDI32(?,00000058), ref: 004197DE
GetDeviceCaps.GDI32(?,0000005A), ref: 004197E7

Part of subcall function 0040CFB7: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040CFF7
Part of subcall function 0040CFB7: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040D014

MulDiv.KERNEL32(?,000009EC,00000060), ref: 0041980B
MulDiv.KERNEL32(00000000,000009EC,?), ref: 00419816

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: eb21ffb4a728cd18faf578a3dc3eabc23d062c4294fb6d7e1fe3fbf374c41550
Instruction ID: 5de76647ebce52784aea11f1e546f008d4a287ac47fcf2a4468364b6f9fad939
Opcode Fuzzy Hash: eb21ffb4a728cd18faf578a3dc3eabc23d062c4294fb6d7e1fe3fbf374c41550
Instruction Fuzzy Hash: 7E11C275700A04EFCB21AF65CC84C5FBBE9EF88720711442AFA85977A1C775AC418F94

Function 00419822 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,00412BDC,?,?,?,?,?,?), ref: 00419832
GetDeviceCaps.GDI32(?,00000058), ref: 0041986C
GetDeviceCaps.GDI32(?,0000005A), ref: 00419875

Part of subcall function 0040CF4E: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040CF8E
Part of subcall function 0040CF4E: MulDiv.KERNEL32(?,00000000,00000000), ref: 0040CFAB

MulDiv.KERNEL32(?,00000060,000009EC), ref: 00419899
MulDiv.KERNEL32(00000000,?,000009EC), ref: 004198A4

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: c92c5ae39ae96a2d70d2de2fca7249b31166b1521e93f0b1ddf9d7abe0ebae81
Instruction ID: 9e4de6ba568d8e204c671ea95b71172f2a5b5c2d25ffe5218ee9f21611ceaa20
Opcode Fuzzy Hash: c92c5ae39ae96a2d70d2de2fca7249b31166b1521e93f0b1ddf9d7abe0ebae81
Instruction Fuzzy Hash: 2411C235600604EFCB21AF66CC44C5EBBB9EF89760B11482AF98657361C735EC418F94

Function 0041DC68 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041DC86

Part of subcall function 004241AB: __mtinitlocknum.LIBCMT ref: 004241BF
Part of subcall function 004241AB: __amsg_exit.LIBCMT ref: 004241CB
Part of subcall function 004241AB: EnterCriticalSection.KERNEL32(-0000000F,-0000000F,?,00420407,00000004,0043E8D8,0000000C,00422CBB,00000004,00000004,00000000,00000000,00000000,00422612,00000001,00000214), ref: 004241D3

___sbh_find_block.LIBCMT ref: 0041DC91
___sbh_free_block.LIBCMT ref: 0041DCA0
HeapFree.KERNEL32(00000000,0040BEFD,0043E898,0000000C,0042418C,00000000,0043EA40,0000000C,004241C4,0040BEFD,-0000000F,?,00420407,00000004,0043E8D8,0000000C), ref: 0041DCD0
GetLastError.KERNEL32(?,00420407,00000004,0043E8D8,0000000C,00422CBB,00000004,00000004,00000000,00000000,00000000,00422612,00000001,00000214), ref: 0041DCE1

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: f7d372caa958347c5b2f5e032afcf89efe9f87f89d6b8c0a9c460a8d13fb93fe
Instruction ID: 11fb865d520d6f4c234f937421d04b259d60940d32455db68301adba539f6375
Opcode Fuzzy Hash: f7d372caa958347c5b2f5e032afcf89efe9f87f89d6b8c0a9c460a8d13fb93fe
Instruction Fuzzy Hash: 9701A771E01221AADF346B72AC0A7EF3AA4DF41764F10045FF505662C1DABC95C1CA9D

Function 0040E4D8 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?), ref: 0040E4FE
GlobalHandle.KERNEL32(?), ref: 0040E50C
GlobalUnlock.KERNEL32(00000000), ref: 0040E515
GlobalFree.KERNEL32(00000000), ref: 0040E51C
DeleteCriticalSection.KERNEL32 ref: 0040E526

Part of subcall function 0040E330: EnterCriticalSection.KERNEL32(?), ref: 0040E38D
Part of subcall function 0040E330: LeaveCriticalSection.KERNEL32(?,?), ref: 0040E39D
Part of subcall function 0040E330: LocalFree.KERNEL32(?), ref: 0040E3A6
Part of subcall function 0040E330: TlsSetValue.KERNEL32(?,00000000), ref: 0040E3B8

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 37eb8848cf7699564796f947da704ced12a686d8219072cb30b0980b6b64df92
Instruction ID: 556748d1aa1c61ad7abf35dd0b7c2a621dfb1c6e45ff37ee606ee60800937ebc
Opcode Fuzzy Hash: 37eb8848cf7699564796f947da704ced12a686d8219072cb30b0980b6b64df92
Instruction Fuzzy Hash: FAF0BE392005005BC6219F7AAC0CA6B76ACEFC5724716096AFC11E33A1EB38EC118668

Function 00418934 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 0041894E
lstrlenW.KERNEL32(?,?,?), ref: 00418996

Strings

System, xrefs: 0041894A

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: GlobalLocklstrlen
String ID: System
API String ID: 1144527523-3470857405
Opcode ID: 83d1b91964ccb81eeaf7c93f7d86bfc4a777466b344bb0db2fe8203ee67495f1
Instruction ID: 9702059706b1eef0b67111b151fcdae1679bd218b87a61ee85a08a0a17d3b2ba
Opcode Fuzzy Hash: 83d1b91964ccb81eeaf7c93f7d86bfc4a777466b344bb0db2fe8203ee67495f1
Instruction Fuzzy Hash: B141E3B1900115EFCB04DFA4C8455EEB7B5FF00354F14866FE415A7285EB389A91CB98

Function 0042BB75 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0042BB97
__calloc_crt.LIBCMT ref: 0042BBB0

Strings

gD, xrefs: 0042BBC7
x3D, xrefs: 0042BC19

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: __calloc_crt
String ID: gD$x3D
API String ID: 3494438863-440125105
Opcode ID: 9e9a3b748f9f88709e7fe39093633a641b47813bc018b803e5d1cb8f501978ed
Instruction ID: 0332bbb2c0c3bed28fe9ed21cc0e8ee4567f8a07bf3bfa5e4107e26762e4c614
Opcode Fuzzy Hash: 9e9a3b748f9f88709e7fe39093633a641b47813bc018b803e5d1cb8f501978ed
Instruction Fuzzy Hash: 4F11CA353086206BFB258F5EBC416662791EB85738B94463FE611CB394EB38A84181DD

Function 004118B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 004118BD
CoGetClassObject.OLE32(?,?,00000000,004391FC,?), ref: 004118DB
CoGetClassObject.OLE32(?,?,00000000,004393AC,00000000), ref: 00411915

Strings

P?<up=<u, xrefs: 004118BD

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ClassObject$String
String ID: P?<up=<u
API String ID: 1109195124-951417710
Opcode ID: c7c01140878957c0b9a11e9dcf1b3d34be4b9049c75a9afc5bc6fe4db5672a22
Instruction ID: e55a24c00ff637610a1f519ecdaa90ab99c78cfae70946bd5057591bc76dc253
Opcode Fuzzy Hash: c7c01140878957c0b9a11e9dcf1b3d34be4b9049c75a9afc5bc6fe4db5672a22
Instruction Fuzzy Hash: 5211F67690021AAFCF018F94CC04E9E7BA9EF08751F104055FE11A7260D735DE21EBA4

Function 0042FF5D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__flush.LIBCMT ref: 0042FF90
__freebuf.LIBCMT ref: 0042FF98
__close.LIBCMT ref: 0042FFA4

Strings

@8C, xrefs: 0042FF5F, 0042FF8F, 0042FF95, 0042FF9D

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: __close__flush__freebuf
String ID: @8C
API String ID: 3722736141-3513479188
Opcode ID: bb693d3a4937b11d0811e8f5055988928331dad54a5a0c6c7bfffa56e0f4bac0
Instruction ID: 1dd7cd33e22165c6c898c58122914b94647cfbb7cefe6a285f187ed24472e12d
Opcode Fuzzy Hash: bb693d3a4937b11d0811e8f5055988928331dad54a5a0c6c7bfffa56e0f4bac0
Instruction Fuzzy Hash: 99F02872B047301E96207A7B6D4044BA2EC4E473387D64A3FF564E32D2E66C89054A6D

Function 00409829 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D8F9: EnterCriticalSection.KERNEL32(00445890,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D935
Part of subcall function 0040D8F9: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D944
Part of subcall function 0040D8F9: LeaveCriticalSection.KERNEL32(00445890,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D951
Part of subcall function 0040D8F9: EnterCriticalSection.KERNEL32(?,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D95D

Part of subcall function 0040DF3D: __EH_prolog3_catch.LIBCMT ref: 0040DF44

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 0040986D
FreeLibrary.KERNEL32(?), ref: 0040987D

Strings

hhctrl.ocx, xrefs: 00409851
HtmlHelpW, xrefs: 00409867

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 3274081130-3773518134
Opcode ID: a2aceb6d30e800d8b51fc1dbb11010aa36af28e1a6333a4b8cf3f2ddf3a3c49c
Instruction ID: 561fe8f67e9f236a093beea40ebe42fb0c20021da51aabb49854703cd79c8806
Opcode Fuzzy Hash: a2aceb6d30e800d8b51fc1dbb11010aa36af28e1a6333a4b8cf3f2ddf3a3c49c
Instruction Fuzzy Hash: 3801AD329047029AD7207BA1E806B1B7690AF40B55F00883FF48AB52D2CB789C049A6A

Function 00418E8C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 00418EB3
GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 00418EC3

Strings

mfcm80u.dll, xrefs: 00418EA8
MFCM80ReleaseManagedReferences, xrefs: 00418EBD

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: MFCM80ReleaseManagedReferences$mfcm80u.dll
API String ID: 1646373207-1714785701
Opcode ID: 882675f451a77ba5023c9e8a5fcb21aaaedba1826cf69f44a364af8b42713670
Instruction ID: 97310440a9f56aa35e3455745664aadd7280a986769f0ac199c583cba4e53df4
Opcode Fuzzy Hash: 882675f451a77ba5023c9e8a5fcb21aaaedba1826cf69f44a364af8b42713670
Instruction Fuzzy Hash: C0F082B2B00209ABCB10DF65DC85EDFB7ACAB48754B41447BF905E7280DE38E9088668

Function 0042369A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 004236AC

Part of subcall function 00423588: InterlockedIncrement.KERNEL32(00401E56), ref: 00423597
Part of subcall function 00423588: InterlockedIncrement.KERNEL32(C2000000), ref: 004235A4
Part of subcall function 00423588: InterlockedIncrement.KERNEL32(548BCCCC), ref: 004235B1
Part of subcall function 00423588: InterlockedIncrement.KERNEL32(CCCC0004), ref: 004235BE
Part of subcall function 00423588: InterlockedIncrement.KERNEL32(8B068BF1), ref: 004235CB
Part of subcall function 00423588: InterlockedIncrement.KERNEL32(8B068BF1), ref: 004235E3
Part of subcall function 00423588: InterlockedIncrement.KERNEL32(50087DCA), ref: 004235F3
Part of subcall function 00423588: InterlockedIncrement.KERNEL32(52026985), ref: 00423607

___removelocaleref.LIBCMT ref: 004236B7

Part of subcall function 0042360E: InterlockedDecrement.KERNEL32(0041DA01), ref: 00423621
Part of subcall function 0042360E: InterlockedDecrement.KERNEL32(4539E074), ref: 0042362E
Part of subcall function 0042360E: InterlockedDecrement.KERNEL32(0000252E), ref: 0042363B
Part of subcall function 0042360E: InterlockedDecrement.KERNEL32(E80E730C), ref: 00423648
Part of subcall function 0042360E: InterlockedDecrement.KERNEL32(EBF18B08), ref: 00423655
Part of subcall function 0042360E: InterlockedDecrement.KERNEL32(EBF18B08), ref: 0042366D
Part of subcall function 0042360E: InterlockedDecrement.KERNEL32(088B66D0), ref: 0042367D
Part of subcall function 0042360E: InterlockedDecrement.KERNEL32(5E5FBF7F), ref: 00423691

___freetlocinfo.LIBCMT ref: 004236CB

Part of subcall function 00423448: ___free_lconv_mon.LIBCMT ref: 0042348B
Part of subcall function 00423448: ___free_lconv_num.LIBCMT ref: 004234AC
Part of subcall function 00423448: ___free_lc_time.LIBCMT ref: 00423531

Strings

@.D, xrefs: 004236C2

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @.D
API String ID: 467427115-4117616759
Opcode ID: e272cea132c9337b255408bb41bd60a91d199c44d73892434df13cdfc671a8d8
Instruction ID: 922bda1f51ec9b8e9d268063b8596c4995ba591138e0748fbd58ad49f5d98aae
Opcode Fuzzy Hash: e272cea132c9337b255408bb41bd60a91d199c44d73892434df13cdfc671a8d8
Instruction Fuzzy Hash: F3E0DF22701834338E312F19344026B92BC4F85767BE9006FF804E7B50EBACAE8281AD

Function 0042BC46 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0042BC67

Part of subcall function 004241AB: __mtinitlocknum.LIBCMT ref: 004241BF
Part of subcall function 004241AB: __amsg_exit.LIBCMT ref: 004241CB
Part of subcall function 004241AB: EnterCriticalSection.KERNEL32(-0000000F,-0000000F,?,00420407,00000004,0043E8D8,0000000C,00422CBB,00000004,00000004,00000000,00000000,00000000,00422612,00000001,00000214), ref: 004241D3

EnterCriticalSection.KERNEL32(?,00000000,0042DD89,00000040,0043ED80,0000000C,0042C1AD,00000000,?), ref: 0042BC7A

Strings

gD, xrefs: 0042BC4B
h5D, xrefs: 0042BC54

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
String ID: gD$h5D
API String ID: 3996875869-1346880071
Opcode ID: e7b096f6cd3cad4cd8cc189add80891fc37b34785e6f0d2ae211c43cb314711b
Instruction ID: 859bed82de527dcf6e806d0f28301d30c78e364cbb73c5ee37f705c33f0414d4
Opcode Fuzzy Hash: e7b096f6cd3cad4cd8cc189add80891fc37b34785e6f0d2ae211c43cb314711b
Instruction Fuzzy Hash: 25D0723260033093AB283A2878481CE6788CB403A0303C26FFC86762C4CB286C8086CC

Function 004291CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00420F34), ref: 004291CF
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004291DF

Strings

IsProcessorFeaturePresent, xrefs: 004291D9
KERNEL32, xrefs: 004291CA

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 0f714e62b4352c821aa3b8df488cfa12da073aeac46ac37ac7f0bd2f3c37674f
Instruction ID: 38294e407a0d77e078af00310c293c967959b32d4b6e10b09b9c2e49f9a0f7ee
Opcode Fuzzy Hash: 0f714e62b4352c821aa3b8df488cfa12da073aeac46ac37ac7f0bd2f3c37674f
Instruction Fuzzy Hash: A9C0125038C21367F96017B22D0DB3715486B84B42F542092B449E00D0CE68C910E02D

Function 00432F90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00432F9A
GetProcAddress.KERNEL32(00000000), ref: 00432FA1

Strings

IsWow64Process, xrefs: 00432F90
kernel32, xrefs: 00432F95

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: b6f477c8bc7143c7d562ffce32487b6b05a044c6273555ac38e3ea3356200a9d
Instruction ID: 8c312dae74f2ede9c475cff177d0b4593c68627114b28f7748e2df73fd948af1
Opcode Fuzzy Hash: b6f477c8bc7143c7d562ffce32487b6b05a044c6273555ac38e3ea3356200a9d
Instruction Fuzzy Hash: 07B092B49413829BCE04BBA0AD0D94B3AB8A689742B1222B6B801A15A1CAF814008A1D

Function 00416B52 Relevance: 6.2, APIs: 4, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00416B59
VariantClear.OLEAUT32(?), ref: 00416C1D
CoTaskMemFree.OLE32(?,00000010), ref: 00416CCA
CoTaskMemFree.OLE32(?,00000010), ref: 00416CD8

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: FreeTask$ClearH_prolog3Variant
String ID:
API String ID: 365290523-0
Opcode ID: 2e86768a844498bd165ae072ab284416e6c6ba362321a63e0dca0a9cf43a8a37
Instruction ID: eebe77d8fc0bb0326f75002e6dcb2db60b0c5b797d2148c6f703c24b710e5df4
Opcode Fuzzy Hash: 2e86768a844498bd165ae072ab284416e6c6ba362321a63e0dca0a9cf43a8a37
Instruction Fuzzy Hash: D67127716006429FCB20DFA9C9C48AAB7F1FF48304765486EE186DB761CB39EC85CB58

Function 00416512 Relevance: 6.2, APIs: 4, Instructions: 173windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00416543
GetDesktopWindow.USER32 ref: 00416553
GetWindowRect.USER32(?,?), ref: 0041656C
GetWindowRect.USER32(?,?), ref: 00416578

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: a45fe43e3078aa23ea766a76d9245985baed12cd39526e23816c0f9f16b4ec9b
Instruction ID: 98ced7f454573defd039de620529c3a6231434fdc87ec76e9fe48d2ab097d5aa
Opcode Fuzzy Hash: a45fe43e3078aa23ea766a76d9245985baed12cd39526e23816c0f9f16b4ec9b
Instruction Fuzzy Hash: 5D51E975A0050AEFCB00DFA8C985CAEB7B9FF48308B2544A9F506E7254CB35ED41CB64

Function 00411094 Relevance: 6.1, APIs: 4, Instructions: 109comCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004110AD
GetObjectW.GDI32(?,0000005C,?), ref: 00411100
GetDeviceCaps.GDI32(?,0000005A), ref: 0041116C
OleCreateFontIndirect.OLEAUT32(00000020,0043931C), ref: 00411199

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prolog3IndirectObject
String ID:
API String ID: 788831076-0
Opcode ID: 11fd6315d2df085332e22c4de21f5442cadf90b2c694fd73eccde3d89b1c6b96
Instruction ID: e2fa6e23074e9a7398ff8639faa37984c5079ec7e9d52de667b1d80417f8946e
Opcode Fuzzy Hash: 11fd6315d2df085332e22c4de21f5442cadf90b2c694fd73eccde3d89b1c6b96
Instruction Fuzzy Hash: 06415E74900249EFDB10DFA5C941AEDBBF4BF18308F10812EFA19A7291E7789A45CF58

Function 0040B909 Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0040B93D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0040B9A2
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0040B9E7
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0040BA10

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8bc8730924ea4cb44664b1e376baf53739864f306bfc3f576ae3ee9da030f2d5
Instruction ID: 45bd8fd7577118ba66fd6406d8726ba38897461709ee0680096b2d39308af8f7
Opcode Fuzzy Hash: 8bc8730924ea4cb44664b1e376baf53739864f306bfc3f576ae3ee9da030f2d5
Instruction Fuzzy Hash: AE318170600119BBDB24DF55C885EAA7B69EF41394F10807BF605AB391CB38AD80DBED

Function 00401B30 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00401B83
FindResourceW.KERNEL32(?,?,00000005,75C10280,00000034,?,80070057,00000034,0040ADFE,?,00000001,00000030,0040AF7C,?), ref: 0040616C
LoadResource.KERNEL32(?,00000000), ref: 00406174
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 0040618C

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Resource$FindFreeLoad_memcpy_s
String ID:
API String ID: 1465981894-0
Opcode ID: fbd5e5454020e988661ba94953cfb093dbe05d6b50b4795da54d76a5cf573413
Instruction ID: a92c7b2415e33e96ac8175a1bdf0da977cd825ad12c09caf94938f936d56fde0
Opcode Fuzzy Hash: fbd5e5454020e988661ba94953cfb093dbe05d6b50b4795da54d76a5cf573413
Instruction Fuzzy Hash: 1B319F76A01600AFC710DF69D8889ABF7E9FF98355F00846EF905A7365D738AC01CAA5

Function 0042BF31 Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042BF61
__isleadbyte_l.LIBCMT ref: 0042BF95
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,FF000002,?,00000000,?,?,?,0042B5C3,?,?,00000001), ref: 0042BFC6
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,0042B5C3,?,?,00000001), ref: 0042C034

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b6973426afd840ee05cac76dd748b301bb36657b6c238a9e33b18421f8578c9a
Instruction ID: f4c32a9b7d4963c669233324d99e160effeda531ad6e38430ee4689234ce769f
Opcode Fuzzy Hash: b6973426afd840ee05cac76dd748b301bb36657b6c238a9e33b18421f8578c9a
Instruction Fuzzy Hash: D731DF31B00265EFDB20CFA4DD80AAE7BB4EF01351F5681AAF464CB291E3349940DF99

Function 00416895 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041689C

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

GetDC.USER32(?), ref: 0041691A
IntersectRect.USER32(?,?,?), ref: 00416954
CreateRectRgnIndirect.GDI32(?), ref: 0041695E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Rect$CreateException@8H_prolog3IndirectIntersectThrow
String ID:
API String ID: 3511876931-0
Opcode ID: 8a76af9deadd851a26091d17488aae54c9db7328607b5a018ccb207ff6d9ac21
Instruction ID: 123ee3ec13846d1c56c15bfee8169cde6c81288f79fe65833d2d0046809a24c5
Opcode Fuzzy Hash: 8a76af9deadd851a26091d17488aae54c9db7328607b5a018ccb207ff6d9ac21
Instruction Fuzzy Hash: 62315C71D0022ADBCF01DFE4C588ADEB775AF08304F11816BE955BB291C7789A85CBA9

Function 0040E805 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 0040E896
__msize.LIBCMT ref: 0040E8B9
_malloc.LIBCMT ref: 0040E8D1
_malloc.LIBCMT ref: 0040E8E6

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: d344c12f1cdf1deded843a433b8003ee6ed29d38ddf917fe37fc64ebde9bb938
Instruction ID: eafd7f66d5e0404fe645b436113b20d5cf5b012f79bd5b997015d1ba3c0a9708
Opcode Fuzzy Hash: d344c12f1cdf1deded843a433b8003ee6ed29d38ddf917fe37fc64ebde9bb938
Instruction Fuzzy Hash: 662143726006119FDB24BF77D88165B7794AF40314B14C93BE819AB3C6DB78EC61C788

Function 0041C70B Relevance: 6.1, APIs: 4, Instructions: 85windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041C712
PeekMessageW.USER32(00000001,00000000,00000200,00000209,00000003), ref: 0041C76C
PeekMessageW.USER32(00000001,00000000,00000100,00000109,00000003), ref: 0041C783
PeekMessageW.USER32(?,00000000,00000000,00000000,00000002), ref: 0041C7BD

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: MessagePeek$H_prolog3
String ID:
API String ID: 3998274959-0
Opcode ID: fd5c94a31924566655cc3b5a1fc4bad6e7c77c4e9589fc05e3aa14f7044ff43e
Instruction ID: 31c6bfb6a7613fda6e81164fff7fa4a67e98ebaa24204de173d35e7e64f91c17
Opcode Fuzzy Hash: fd5c94a31924566655cc3b5a1fc4bad6e7c77c4e9589fc05e3aa14f7044ff43e
Instruction Fuzzy Hash: 0C31437194030AEFDB209FA4DDC5EAE77A8BF04314F10092FF562A66C1D7B49A418F18

Function 00410183 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 004101D8
CharNextW.USER32(00000000), ref: 004101FA
_strtol.LIBCMT ref: 00410225
_strtoul.LIBCMT ref: 0041022C

Part of subcall function 00420E9F: wcstoxl.LIBCMT ref: 00420EBF

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CharNext$_strtol_strtoulwcstoxl
String ID:
API String ID: 3842480389-0
Opcode ID: 19c34b826cd0e973f827f38f6bbe14568f5a6c273e2300cd997eb00aa4ddcc02
Instruction ID: 6f526894267aa90eb72f86da1c91f8b9624721bd6d7bf21266e4184455f10cce
Opcode Fuzzy Hash: 19c34b826cd0e973f827f38f6bbe14568f5a6c273e2300cd997eb00aa4ddcc02
Instruction Fuzzy Hash: BB21D57160031AAACB20AB65CC05BEA73F8AF44744F55406BF950D6141EBBDDDC1C75D

Function 004169BA Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004169C1
GetRgnBox.GDI32(?,?), ref: 00416A3C
IntersectRect.USER32(?,?,?), ref: 00416A51
EqualRect.USER32(?,?), ref: 00416A5F

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID:
API String ID: 2161412305-0
Opcode ID: d5a62ac63ce3f66dbbd004ed7d52b45645c792280696ffc4ecd9956be2943110
Instruction ID: 45a6c312df8b800c621b6ca83ab1f45834b002ecd838c4ca6945cf1c4decaecd
Opcode Fuzzy Hash: d5a62ac63ce3f66dbbd004ed7d52b45645c792280696ffc4ecd9956be2943110
Instruction Fuzzy Hash: 6A21577190020AEBCB01EFE5C9809EEBBB8BF08304F10856BF515A3252D7789A45DF69

Function 0040B361 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040B368

Part of subcall function 0040240A: _malloc.LIBCMT ref: 00402424

__CxxThrowException@8.LIBCMT ref: 0040B39E
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,00401E56,00000000,00000000,00000000,?,?,0043CD74,00000004,00401E56,00000000,0040BEFD,00000000), ref: 0040B3C7
LocalFree.KERNEL32(00401E56,00401E56,00000000,0040BEFD,00000000), ref: 0040B3F1

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: 28a2022ca89fc60a89437c13c8d1bbdade580fb3ce955e89652fb01875ece9fa
Instruction ID: 594c2b03f5a87f5ee2d693392741f5b8ee453b3d8d569fb97fe5a0479e5138be
Opcode Fuzzy Hash: 28a2022ca89fc60a89437c13c8d1bbdade580fb3ce955e89652fb01875ece9fa
Instruction Fuzzy Hash: 1611A031600219AFDB00DFA5DC45AEE7BA4FF08750F20853AFA29EA2D0D7709950CB9C

Function 00405C1C Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,00000005), ref: 00405C42
LoadResource.KERNEL32(?,00000000), ref: 00405C4A
LockResource.KERNEL32(00000000), ref: 00405C5C
FreeResource.KERNEL32(00000000), ref: 00405CA6

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8e4d6fdeef8d18970f3c136b87dc148f95245b52738d177a975f2dda7ed5cb10
Instruction ID: ae6864b316ee2516b71999588eb8e0dc9292b2967bd3132c721cf85dc58db344
Opcode Fuzzy Hash: 8e4d6fdeef8d18970f3c136b87dc148f95245b52738d177a975f2dda7ed5cb10
Instruction Fuzzy Hash: A9119134504B11EFEB249F95C988AABB7B4FF40759F10817AF842B3690E378AD40DB64

Function 004035D6 Relevance: 6.1, APIs: 4, Instructions: 56threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004035DD

Part of subcall function 00403CE8: __EH_prolog3.LIBCMT ref: 00403CEF

__wcsdup.LIBCMT ref: 004035FF
GetCurrentThread.KERNEL32 ref: 0040362C
GetCurrentThreadId.KERNEL32 ref: 00403635

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: 90dffaee126453a52144eb2a71aafb23daf142bbc9dcd891e691ef9f60dbdaee
Instruction ID: fb16f2a917eeec9874565f32eea33455e9416545c8501b46affe8b284a07e8c4
Opcode Fuzzy Hash: 90dffaee126453a52144eb2a71aafb23daf142bbc9dcd891e691ef9f60dbdaee
Instruction Fuzzy Hash: 582190B0801B10DFC7219F3A854125AFFE8BFA4704F10892FD59A97761C7B9A541CF48

Function 0040A28C Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 0040A2B6
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 0040A2E1

Part of subcall function 00409075: GetTopWindow.USER32(?), ref: 00409083

GetCapture.USER32 ref: 0040A2F3
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 0040A302

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: e21c57e38725c8be14c9cc0b754ad6e82e1226aa155ac6c3aecff01b5796b733
Instruction ID: 58142378b1b91770d7826696f539ad6a44d03e2faab616196b8d1c67914e8582
Opcode Fuzzy Hash: e21c57e38725c8be14c9cc0b754ad6e82e1226aa155ac6c3aecff01b5796b733
Instruction Fuzzy Hash: E901A771350209BFF6302B608CC9FBB72ADEB8C798F010139F785BB1E2C6A55C109A24

Function 00404D77 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0), ref: 00404D9B
LoadResource.KERNEL32(?,00000000), ref: 00404DA7
LockResource.KERNEL32(00000000), ref: 00404DB5
FreeResource.KERNEL32(00000000), ref: 00404DE3

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: e89cddc50c7b270eb8928f5684a3741bd7b7917f541d445e5356060faf0e1664
Instruction ID: c5a760730a9d437c0f728d2d64813e0bfd76514a0cde1de03a7c7c5acb373ccb
Opcode Fuzzy Hash: e89cddc50c7b270eb8928f5684a3741bd7b7917f541d445e5356060faf0e1664
Instruction Fuzzy Hash: 45113AB5200215EFCB109F96D848A9F7BB9FF44354F0480BAF905A7290CB74AE00DF64

Function 0040DE27 Relevance: 6.1, APIs: 4, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 0040DE60
RegCloseKey.ADVAPI32(00000000), ref: 0040DE69
_swprintf.LIBCMT ref: 0040DE86
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0040DE97

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 27973ce05db471a1cce3cac3a6c1285e46cbe325a666619c9765c72de4df6edd
Instruction ID: eba897b23c749c9e4409e2864754ffece8d398c33b1249624bd1e6b8230d8812
Opcode Fuzzy Hash: 27973ce05db471a1cce3cac3a6c1285e46cbe325a666619c9765c72de4df6edd
Instruction Fuzzy Hash: 89018472A00619BBDB109BA4CC45FEFB7ACAF59708F14042AFA01A7181D678ED0587A8

Function 0040D986 Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0040D9B0
GetWindowTextW.USER32(?,00000000,00000100), ref: 0040D9E8
lstrcmpW.KERNEL32(00000000,?), ref: 0040D9FA
SetWindowTextW.USER32(?,?), ref: 0040DA06

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: TextWindow$Exception@8Throwlstrcmplstrlen
String ID:
API String ID: 577165417-0
Opcode ID: d870499a6331cf98f98dfaa6c3dda0e5430e10908e1984471024f149967b4645
Instruction ID: 597c1d8f103fb50fde8848842564ccbc39f4e615b46c136732ee122939164150
Opcode Fuzzy Hash: d870499a6331cf98f98dfaa6c3dda0e5430e10908e1984471024f149967b4645
Instruction Fuzzy Hash: 5A01D6B2B00318ABD710EBA4DC89FDF776CEB44754F040076F901E3281DA78DD488AA8

Function 00413AF6 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,00000000,?), ref: 00413B35
EqualRect.USER32(?,00000000), ref: 00413B42
IsRectEmpty.USER32(?), ref: 00413B4C
InvalidateRect.USER32(?,?,?), ref: 00413B69

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: 1513f3599a5e9e143d6b319adee2ed635ffb5b9474a2932cdc0d4c4f43d28b40
Instruction ID: 6555fc34ccfbac6b0e808e12d6ef467268ac7b70164950f2b55661b016aebcd0
Opcode Fuzzy Hash: 1513f3599a5e9e143d6b319adee2ed635ffb5b9474a2932cdc0d4c4f43d28b40
Instruction Fuzzy Hash: D4111C7290011AEBCF01DF94D889FDEBB79BF14305F0040A6FA05A6112D375A645DFA4

Function 0040EE76 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 0040240A: _malloc.LIBCMT ref: 00402424

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0040EEA8
GetCurrentProcess.KERNEL32(?,00000000), ref: 0040EEAE
DuplicateHandle.KERNEL32(00000000), ref: 0040EEB1
GetLastError.KERNEL32(?), ref: 0040EECC

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 3aaec31eceacf1f26621ffabe0419f0dea3ca52041da986fb4e6b4dd55eee41d
Instruction ID: 3fdaef408aeef7119ff462cf4ae434c0ef57adf59fdb59e84ecccb8f35a6c977
Opcode Fuzzy Hash: 3aaec31eceacf1f26621ffabe0419f0dea3ca52041da986fb4e6b4dd55eee41d
Instruction Fuzzy Hash: C1018F32700204ABDB109BA7DC49F5B7BA9EF84750F14487ABA04EB2C1DB75EC108BA4

Function 004027AB Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00000000,?), ref: 004027E3

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

GetFocus.USER32 ref: 004027FA
GetParent.USER32(?), ref: 00402808
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 0040281B

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: EnableException@8FocusItemMenuMessageParentSendThrow
String ID:
API String ID: 4211600527-0
Opcode ID: f98d47a13059b84622252a4e64dac28e633a221602e6dd667b84a0ac2498203a
Instruction ID: 9829cdfdf438e5a12674cb537eb343e9eea8f130ed9df7e8d7ac3ba4b4139c7c
Opcode Fuzzy Hash: f98d47a13059b84622252a4e64dac28e633a221602e6dd667b84a0ac2498203a
Instruction Fuzzy Hash: F8118E71100600EFCB20AF20DD88957B7B9FB98319B10CA3EF196629E0C774AC45CBA8

Function 00409075 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 00409083
GetTopWindow.USER32(00000000), ref: 004090C2
GetWindow.USER32(00000000,00000002), ref: 004090E0

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: d396aae75d1422adc3c7dea0c241e2a833af45ea63585f4521ff709d1cb7c1e9
Instruction ID: dfc8f8d9a3c33ade436aa151e8a4b56b296cf66116652b8d32ecf4b28c05947a
Opcode Fuzzy Hash: d396aae75d1422adc3c7dea0c241e2a833af45ea63585f4521ff709d1cb7c1e9
Instruction Fuzzy Hash: 71010C3200151ABBCF226F91DD08EDF3B6AAF45350F044036FE10651A2C73AC971EBAA

Function 004290BE Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004290E2

Part of subcall function 00428F0D: __fltout2.LIBCMT ref: 00428F37

__cftog_l.LIBCMT ref: 00429108
__cftoe_l.LIBCMT ref: 0042913A

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 0df50984ad6651fe022555ba0d39df218b321ae6f4f9f1908b4ff20eb871ecf8
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: C801723250016ABBDF125E85EC058EE3F62BB18344F85845AFA5855135C63BC9B1AB85

Function 00408A2F Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00408A3A
GetTopWindow.USER32(00000000), ref: 00408A4D

Part of subcall function 00408A2F: GetWindow.USER32(00000000,00000002), ref: 00408A94

GetTopWindow.USER32(?), ref: 00408A7D

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 35e784bc44289774b37b9a8cccca34d8648bec2d8d302682385bcd51f0959a1d
Instruction ID: 79e90521eb1613bb28becb9f5601f680bf2baa8030d75825448d738246a8cbec
Opcode Fuzzy Hash: 35e784bc44289774b37b9a8cccca34d8648bec2d8d302682385bcd51f0959a1d
Instruction Fuzzy Hash: 6D017131301615ABCF326F619E00F9F3658AF50390B01403BFD85B2A90DF39D9129EAD

Function 00422F99 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422660: __amsg_exit.LIBCMT ref: 0042266E

__amsg_exit.LIBCMT ref: 00422FC5
__lock.LIBCMT ref: 00422FD5
InterlockedDecrement.KERNEL32(?), ref: 00422FF2
InterlockedIncrement.KERNEL32(021E2A38), ref: 0042301D

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__lock
String ID:
API String ID: 4129207761-0
Opcode ID: 21196940fae6efccc5bb6c10944461da901a3c005d1ee93fe7ef7f87bf65b14f
Instruction ID: 5cc7191d1e3c5ac857ff42053d091af09b250e80b4be03193f581f5442c9381f
Opcode Fuzzy Hash: 21196940fae6efccc5bb6c10944461da901a3c005d1ee93fe7ef7f87bf65b14f
Instruction Fuzzy Hash: 8401E131F01630A7D720AF66AA0579B7770AF44715F85002BF800A7290CBBCAA81DBED

Function 004225E9 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,0041FFF0,0041F9BB,00000001,0042237C,00000000,00000000,00000000,?,?,0040BEFD,0042248E,?,00402429,00000000), ref: 004225EB

Part of subcall function 004224BB: TlsGetValue.KERNEL32(00000000,004225FE,?,?,0040BEFD,0042248E,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000), ref: 004224C2
Part of subcall function 004224BB: TlsSetValue.KERNEL32(00000000,?,0040BEFD,0042248E,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD,00000000), ref: 004224E3

__calloc_crt.LIBCMT ref: 0042260D

Part of subcall function 00422CA8: __calloc_impl.LIBCMT ref: 00422CB6
Part of subcall function 00422CA8: Sleep.KERNEL32(00000000,00000000,0040BEFD,00000000), ref: 00422CCD

Part of subcall function 00422444: TlsGetValue.KERNEL32(00000000,00424CF0,0041DC58,0040BEFD,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD,00000000), ref: 00422451
Part of subcall function 00422444: TlsGetValue.KERNEL32(00000005,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD,00000000), ref: 00422468

Part of subcall function 0042252A: GetModuleHandleA.KERNEL32(KERNEL32.DLL,0043E978,0000000C,0042263B,00000000,00000000,?,?,0040BEFD,0042248E,?,00402429,00000000,?,00000000,0040B374), ref: 0042253B
Part of subcall function 0042252A: GetProcAddress.KERNEL32(0040B374,EncodePointer), ref: 0042256F
Part of subcall function 0042252A: GetProcAddress.KERNEL32(0040B374,DecodePointer), ref: 0042257F
Part of subcall function 0042252A: InterlockedIncrement.KERNEL32(00442910), ref: 004225A1
Part of subcall function 0042252A: __lock.LIBCMT ref: 004225A9
Part of subcall function 0042252A: ___addlocaleref.LIBCMT ref: 004225C8

GetCurrentThreadId.KERNEL32 ref: 0042263D
SetLastError.KERNEL32(00000000,?,?,0040BEFD,0042248E,?,00402429,00000000,?,00000000,0040B374,0000000C,00000004,00401E56,00000000,0040BEFD), ref: 00422655

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
String ID:
API String ID: 1081334783-0
Opcode ID: 44cb7e502c076a67489aaf5c991155c7151cee8cf02018a1b5dbed0abf02bf7b
Instruction ID: 29e7d53ac304e707bc58cb4fc22e7163dd72c3b741cd8b8274e34a93cbac0b49
Opcode Fuzzy Hash: 44cb7e502c076a67489aaf5c991155c7151cee8cf02018a1b5dbed0abf02bf7b
Instruction Fuzzy Hash: D2F0FF33701A327BD2363B757E0969B6B50AF927A4B90026BF540A61E0DFAC8801869D

Function 0040B274 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0,?,?,?,?,00405BD5,?,?,004011EC,85C441DE), ref: 0040B296
LoadResource.KERNEL32(?,00000000,?,?,?,?,00405BD5,?,?,004011EC,85C441DE), ref: 0040B2A2
LockResource.KERNEL32(00000000,?,?,?,?,00405BD5,?,?,004011EC,85C441DE), ref: 0040B2AF
FreeResource.KERNEL32(00000000,?,?,?,?,00405BD5,?,?,004011EC,85C441DE), ref: 0040B2CA

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 91acb18e06a7a344a8a697ee0f126ca6b4cd388e76f7704d793f370086d5cbcb
Instruction ID: 732c4ac4f4349ca45c626b6c215630b5315ae775dd3426851a02a04bdef64722
Opcode Fuzzy Hash: 91acb18e06a7a344a8a697ee0f126ca6b4cd388e76f7704d793f370086d5cbcb
Instruction Fuzzy Hash: DEF0903A2012125BC3111BA65C4897FB6ACEFD57A1B0500BEFD05F23E1DF389C0192AD

Function 00406078 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000001), ref: 00406098
GetActiveWindow.USER32 ref: 004060A3
SetActiveWindow.USER32(?,?,00000024,004010AB), ref: 004060B1
FreeResource.KERNEL32(?,?,00000024,004010AB), ref: 004060CD

Part of subcall function 0040B59A: EnableWindow.USER32(?,?), ref: 0040B5A7

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 0c2b759e95a668e94dfdfa553f5cdf23b30149643894fb8a012e3d1725ed23d3
Instruction ID: a6753bbfd88cb9982482e8e4568c52bcb11f9913727ac8d389d23ddddc9e691d
Opcode Fuzzy Hash: 0c2b759e95a668e94dfdfa553f5cdf23b30149643894fb8a012e3d1725ed23d3
Instruction Fuzzy Hash: C4F04F30940609CFCF21EF64C9455AEB7B2FF98701F21113AE442722A1CB7A6D50CF29

Function 0041BD5B Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0041BD7D
GetTickCount.KERNEL32 ref: 0041BD8A
CoFreeUnusedLibraries.OLE32 ref: 0041BD99
GetTickCount.KERNEL32 ref: 0041BD9F

Part of subcall function 0041BD04: CoFreeUnusedLibraries.OLE32(00000000,0041BDE3,00000000), ref: 0041BD48
Part of subcall function 0041BD04: OleUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0041BDE3), ref: 0041BD4E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 345f5a0e35ae6ed7b7bcadfee72656509f444fce85a4872e11f2030df3f4ae4a
Instruction ID: 560787deb32d383f5960cb6f6a687c5d58ab9aaec6038f7a99b813e9f4abcf40
Opcode Fuzzy Hash: 345f5a0e35ae6ed7b7bcadfee72656509f444fce85a4872e11f2030df3f4ae4a
Instruction Fuzzy Hash: 16E0E535814254DBCB18AFB4FD0879A3AB0FB86311F805437F48592160C7785C91CFAE

Function 00412FAC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00412FB3

Strings

@, xrefs: 00413016

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: 600268e98ab732421509b87d67b1d8c3cd3aebd1f1587051b4f1afb93b60f6c1
Instruction ID: 20e47d97a38bd8381efcd65fe29e9873388d9afd8698cfbafa031d30fc56f76c
Opcode Fuzzy Hash: 600268e98ab732421509b87d67b1d8c3cd3aebd1f1587051b4f1afb93b60f6c1
Instruction Fuzzy Hash: A251E971A0020A9FDB04CFA9C988AEEB7F9BF48304F14456EE516EB290E775AD45CF50

Function 0041AE0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0041AE1B
__CxxThrowException@8.LIBCMT ref: 0041AE2E

Strings

(lC, xrefs: 0041AEC8

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ClearException@8ThrowVariant
String ID: (lC
API String ID: 3645285410-4018338507
Opcode ID: 429ec31df83d6182138c747f04a71e8713d8b7ac0109d9e03692b5203d91908c
Instruction ID: 59ec7a0885865845c4559253dd029aac75635be75e6b4132d7f582c28cc36da0
Opcode Fuzzy Hash: 429ec31df83d6182138c747f04a71e8713d8b7ac0109d9e03692b5203d91908c
Instruction Fuzzy Hash: EB219F32945304CFCB16DFA5D9846EDB7B0FF45321F25805AE0562B2A1C73869A2CB1B

Function 00419681 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00419688

Part of subcall function 0040D8F9: EnterCriticalSection.KERNEL32(00445890,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D935
Part of subcall function 0040D8F9: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D944
Part of subcall function 0040D8F9: LeaveCriticalSection.KERNEL32(00445890,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D951
Part of subcall function 0040D8F9: EnterCriticalSection.KERNEL32(?,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D95D

Part of subcall function 0040EA33: _wcsspn.LIBCMT ref: 0040EA74
Part of subcall function 0040EA33: _wcscspn.LIBCMT ref: 0040EA8A

UnregisterClassW.USER32(?,?), ref: 004196C8

Strings

HjC, xrefs: 004196A2

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalSection$Enter$ClassH_prolog3InitializeLeaveUnregister_wcscspn_wcsspn
String ID: HjC
API String ID: 3955971201-4044330605
Opcode ID: 9e244248c0a17c8b1ab3d570caeed6b5676cf520de23311ca10ba7484d0f5354
Instruction ID: 4207aa8bb9161657a158202ef2c1fa6b1dfca3bc46f0e4d3398c6556ae3e4833
Opcode Fuzzy Hash: 9e244248c0a17c8b1ab3d570caeed6b5676cf520de23311ca10ba7484d0f5354
Instruction Fuzzy Hash: E0117071A0010ADBDB00FBE5C992AEEB779AF54308F00057EF512B72D2CA785A459B69

Function 0040355E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00403584
PathFindExtensionW.SHLWAPI(?), ref: 0040359A

Part of subcall function 00403264: __EH_prolog3.LIBCMT ref: 00403283
Part of subcall function 00403264: GetModuleHandleW.KERNEL32(kernel32.dll,0000005C), ref: 004032AD
Part of subcall function 00403264: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 004032BE
Part of subcall function 00403264: ConvertDefaultLocale.KERNELBASE(?), ref: 004032F4
Part of subcall function 00403264: ConvertDefaultLocale.KERNELBASE(?), ref: 004032FC
Part of subcall function 00403264: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 00403310
Part of subcall function 00403264: ConvertDefaultLocale.KERNEL32(?), ref: 00403334
Part of subcall function 00403264: ConvertDefaultLocale.KERNEL32(74DEF550), ref: 0040333A
Part of subcall function 00403264: GetModuleFileNameW.KERNEL32(00400000,00000000,00000105), ref: 0040337B

Strings

%s%s.dll, xrefs: 004035A4

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath
String ID: %s%s.dll
API String ID: 2355367764-1649984862
Opcode ID: 72e4040fbb3c546f33803963ec586f96184b5e9deb553cf9e5079d0e0667f2af
Instruction ID: c4a995f8948a667aa84b88bbd953de0e30a648d499bbfdc13b9a0702c921a07a
Opcode Fuzzy Hash: 72e4040fbb3c546f33803963ec586f96184b5e9deb553cf9e5079d0e0667f2af
Instruction Fuzzy Hash: 6601D672A10108AFC701DFA4EC459EFB7FCBF49704F0000BAE801E7191E674EA048B98

Function 0040E41E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040E425

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

Strings

LYD, xrefs: 0040E44C
LYD, xrefs: 0040E442, 0040E465, 0040E47A, 0040E48E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: LYD$LYD
API String ID: 3670251406-3559737500
Opcode ID: 3b5388bc054f30c2b1c64c82889462d04533c77b1fbe16214b5cc48d4bbba7b7
Instruction ID: f3750f9b4f871cf2b7b614d6d9712d67400bd33a9f0de06029c80fd7f29924d2
Opcode Fuzzy Hash: 3b5388bc054f30c2b1c64c82889462d04533c77b1fbe16214b5cc48d4bbba7b7
Instruction Fuzzy Hash: 620171B4601602DBDF24AF76C84272A76A2AB95334F14483EE491A73D1EB788C51C71C

Function 004237D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

Strings

@.D, xrefs: 0042381F

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID:
String ID: @.D
API String ID: 0-4117616759
Opcode ID: 036b2bc21926b3ad5ddfcefd2c04fa82748a5fa6c39e2bb98ea2a922095253b6
Instruction ID: adbdc95298241ee357ee8c7ea3cbb802476d2955e309a51ae5578b47b79d3717
Opcode Fuzzy Hash: 036b2bc21926b3ad5ddfcefd2c04fa82748a5fa6c39e2bb98ea2a922095253b6
Instruction Fuzzy Hash: 54F0C2B5600218BADF01AF11ED02BB93BB4A741B59F508026FE05880E1E6FAC794D398

Function 00408ED2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408ED9

Strings

0TD, xrefs: 00408F0B
(SD, xrefs: 00408EF3

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: H_prolog3
String ID: (SD$0TD
API String ID: 431132790-3792366709
Opcode ID: af3a052fcd209a893c63b83c7d39e07c1c1bbf097663099f1241ea2df34dc700
Instruction ID: 5a5ffcfa254c23156008da3f63548916c0646acc0a152485a18140a9f08c86a7
Opcode Fuzzy Hash: af3a052fcd209a893c63b83c7d39e07c1c1bbf097663099f1241ea2df34dc700
Instruction Fuzzy Hash: 7CF06270D107138BDF34AB38834836AB2A16B44795F14423FA4D5A72E1CBBC4D80C69E

Function 004236D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422660: __amsg_exit.LIBCMT ref: 0042266E

__amsg_exit.LIBCMT ref: 00423709
__lock.LIBCMT ref: 00423719

Strings

@.D, xrefs: 00423726

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: __amsg_exit$__lock
String ID: @.D
API String ID: 3452092475-4117616759
Opcode ID: c7686c33ddee2a540069e2eb750546ba427832317b6dbac8862b466ee20bb15b
Instruction ID: f4cb967037e77fcf649005c83c1b1b4b130f32b86895671dc87b1ece86597830
Opcode Fuzzy Hash: c7686c33ddee2a540069e2eb750546ba427832317b6dbac8862b466ee20bb15b
Instruction Fuzzy Hash: EFF09672B007209ADB20BFA5A50675A33B0AB40B15FD0812FE441672D2CB7C5E419A5D

Function 0040E330 Relevance: 5.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E38D
LeaveCriticalSection.KERNEL32(?,?), ref: 0040E39D
LocalFree.KERNEL32(?), ref: 0040E3A6
TlsSetValue.KERNEL32(?,00000000), ref: 0040E3B8

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: e39fb22e354c45764473df13cf529dedbf20f750aee40765e496032a6edac714
Instruction ID: 7014cc4a6053951712fe7dc2ed030d77c704ade6eb588acf5f2f4cc99e4eaa6c
Opcode Fuzzy Hash: e39fb22e354c45764473df13cf529dedbf20f750aee40765e496032a6edac714
Instruction Fuzzy Hash: CA117C35600604EFC720CF66D885F9ABBB4FF45355F10887AE952972A1CB74B950CB14

Function 0040D8F9 Relevance: 5.0, APIs: 4, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00445890,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D935
InitializeCriticalSection.KERNEL32(?,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D944
LeaveCriticalSection.KERNEL32(00445890,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D951
EnterCriticalSection.KERNEL32(?,?,?,?,?,0040DF58,00000010,00000008,0040CA1C,0040C9BF,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001), ref: 0040D95D

Part of subcall function 0040C08A: __CxxThrowException@8.LIBCMT ref: 0040C09E

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: 674fea175ac3a3fa765b4a2a579efb5b93a4bda702502c5325848d897fc932cb
Instruction ID: 7617435a195a7f7ed732952d1e554fc092cbae05cdb7b6dde7bd29054d9ad9e7
Opcode Fuzzy Hash: 674fea175ac3a3fa765b4a2a579efb5b93a4bda702502c5325848d897fc932cb
Instruction Fuzzy Hash: 74F02B73E00105DFDF102BD4EC44B2AB769EBD2354F42113BF150A2192CB385484CA6C

Function 0040DED6 Relevance: 5.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00445968,?,?,?,0040E485,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324), ref: 0040DEDF
TlsGetValue.KERNEL32(0044594C,?,?,?,0040E485,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324), ref: 0040DEF4
LeaveCriticalSection.KERNEL32(00445968,?,?,?,0040E485,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324), ref: 0040DF0A
LeaveCriticalSection.KERNEL32(00445968,?,?,?,0040E485,?,00000004,0040C9FD,00403B74,0040CA26,0040D0D7,00000000,0040D15D,00000001,?,0040D324), ref: 0040DF15

Memory Dump Source

Source File: 00000007.00000002.2947304072.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2947283024.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947333162.0000000000434000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947356563.0000000000441000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2947377561.0000000000448000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_USBInst.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 5ce2628535ae3493c4e65f6bf595921557c913b8dd87d42610a05996b238bd86
Instruction ID: d7cf1b137a569a76fc4a72f3affe8e9007051d5624e0aca9328e97533eb8f877
Opcode Fuzzy Hash: 5ce2628535ae3493c4e65f6bf595921557c913b8dd87d42610a05996b238bd86
Instruction Fuzzy Hash: 7EF0127A6046019FC7208FA8DC4885773E9EFD8365316957AF453A3261D734F849CB78

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WinSitu-5.7.8.0.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

6bacb4.rbf (copy)

6bacb5.rbf (copy)

6bacb6.rbf (copy)

6bacb7.rbf (copy)

C:\Config.Msi\6bacb3.rbs

C:\Program Files (x86)\Common Files\InSitu\LowFlow.exe

C:\Program Files (x86)\Common Files\InSitu\PostLevelCorrection.dll

C:\Program Files (x86)\InSitu\WinSitu\AdministratorNotes.htm

C:\Program Files (x86)\InSitu\WinSitu\Help_WS5.chm

C:\Program Files (x86)\InSitu\WinSitu\ParseVuSituDataFileDll.dll

C:\Program Files (x86)\InSitu\WinSitu\RBT.H0-0.V103.bin

C:\Program Files (x86)\InSitu\WinSitu\RDO PRO-X.H0-0.V108.bin

C:\Program Files (x86)\InSitu\WinSitu\ReleaseNotes.htm

C:\Program Files (x86)\InSitu\WinSitu\Software License.rtf

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\CDM 2 08 02 Release Info.rtf

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInst.exe

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx64.exe

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\DPInstx86.exe

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\LogoVerificationReport.pdf

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\USBInst.exe

C:\Program Files (x86)\InSitu\WinSitu\USBDriversC\Win-Situ.ico

Windows Analysis Report
WinSitu-5.7.8.0.msi