Windows Analysis Report
Advanced_IP_Scanner_2.5.4594.12.exe

Overview

General Information

Sample name:	Advanced_IP_Scanner_2.5.4594.12.exe
Analysis ID:	1546304
MD5:	446c29d515104b6752c1e9da981d4e5e
SHA1:	d52760df6b22805a4470a6b2e72654ce36577f30
SHA256:	7b13496fb45b51e821771d63bbd1d503f07710f676481ff34962b051283d8033
Tags:	exeuser-NDA0E
Infos:

Detection

NetSupport RAT, NetSupport Downloader

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell drops NetSupport RAT client

Suricata IDS alerts for network traffic

Yara detected Advanced IP Scanner Hacktool

Yara detected NetSupport Downloader

Bypasses PowerShell execution policy

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Yara signature match

Classification

Signatures

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		7_2_110AC820
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		8_2_110AC820

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\client32.exe			Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\client32.exe			Jump to behavior

Uses 32bit PE files

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: certificate valid

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4194115639.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2084821391.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2165673550.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: ws\Mion.pdb source: powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb00 source: is-JTIOC.tmp.1.dr
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: is-2I7SK.tmp.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: is-7V6MF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: is-DFL4O.tmp.1.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: is-56ICT.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: is-8VUCH.tmp.1.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: is-853KO.tmp.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: is-JPUOQ.tmp.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: is-SF594.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193839189.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2084472036.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2165360601.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: is-GHBG6.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: System.Management.Automation.pdbrq source: powershell.exe, 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbcV source: powershell.exe, 00000005.00000002.2043434808.00000000087B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb44 source: is-7MB5M.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb source: is-JTIOC.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4194011069.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2084695368.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2165556205.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: is-2I7SK.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb source: is-7MB5M.tmp.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: is-NKCKG.tmp.1.dr

Spreading

Yara detected Advanced IP Scanner Hacktool

Source: Yara match

File source: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp, type: DROPPED

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6882CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	7_2_6882CA9B
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68830B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	7_2_68830B33
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49741 -> 199.188.200.195:443
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49740 -> 151.236.16.15:443

Yara detected NetSupport Downloader

Source: Yara match	File source: amsi32_7872.amsi.csv, type: OTHER
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.26.1.231 104.26.1.231

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49760

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: payiki.com
Source: global traffic	DNS traffic detected: DNS query: anyhowdo.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://151.236.16.15/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 151.236.16.15Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: client32.exe, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.2042967524.000000000878D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoV
Source: powershell.exe, 00000005.00000002.2038454722.0000000007718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989875022.0000000003124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000007.00000002.4192062509.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp=Rw
Source: client32.exe, 00000007.00000002.4192062509.0000000002F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspM
Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000007.00000002.4190771017.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspp
Source: client32.exe, 00000007.00000002.4190771017.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asptXI
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcd.com06
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcd.com0_
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1992936334.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://sv.symcd.com0&
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://sw.symcd.com0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://www.advanced-ip-scanner.com0
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: is-COPMO.tmp.1.dr	String found in binary or memory: http://www.famatech.comARPHELPLINKThe
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.macrovision.com0
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.radmin.com
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D33000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000267A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com/support
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D33000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000267A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com/update
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000266C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com1
Source: powershell.exe, 00000005.00000002.1992936334.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, AudioCapture.dll.5.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0)
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Advanced_IP_Scanner_2.5.4594.12.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1725364189.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1725364189.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

7_2_1101F360

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	7_2_1101F360
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11032930 GetClipboardFormatNameA,SetClipboardData,	7_2_11032930
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	8_2_1101F360
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11032930 GetClipboardFormatNameA,SetClipboardData,	8_2_11032930

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock,

7_2_11031AC0

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11007720 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

7_2_11007720

Yara detected Keylogger Generic

Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		7_2_11112840
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		8_2_11112840

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7872.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll	Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Process Stats: CPU usage > 49%

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110A9240: DeviceIoControl,

7_2_110A9240

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

7_2_1115A340

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		8_2_1102CE2D

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11029230	7_2_11029230
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11072460	7_2_11072460
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115B180	7_2_1115B180
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1107F520	7_2_1107F520
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101B980	7_2_1101B980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115F9F0	7_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101BDC0	7_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11163C55	7_2_11163C55
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11050430	7_2_11050430
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110088DB	7_2_110088DB
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101CBE0	7_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11032A60	7_2_11032A60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11086DA0	7_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11044C60	7_2_11044C60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6859A980	7_2_6859A980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4910	7_2_685C4910
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C3923	7_2_685C3923
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6859DBA0	7_2_6859DBA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C3DB8	7_2_685C3DB8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685CA063	7_2_685CA063
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4156	7_2_685C4156
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68591310	7_2_68591310
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B43C0	7_2_685B43C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A84F0	7_2_685A84F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4528	7_2_685C4528
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68591760	7_2_68591760
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68860915	7_2_68860915
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68800919	7_2_68800919
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6881EB1A	7_2_6881EB1A
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115B180	8_2_1115B180
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11029230	8_2_11029230
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1107F520	8_2_1107F520
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101B980	8_2_1101B980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115F9F0	8_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101BDC0	8_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11163C55	8_2_11163C55
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11050430	8_2_11050430
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11072460	8_2_11072460
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110088DB	8_2_110088DB
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101CBE0	8_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11032A60	8_2_11032A60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11086DA0	8_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11044C60	8_2_11044C60

Enables security privileges

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7A90 appears 62 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685930A0 appears 54 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11142A60 appears 1055 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685BF3CB appears 33 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7C70 appears 36 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1116B7E0 appears 54 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 111434D0 appears 42 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11160790 appears 64 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7D00 appears 135 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685B9480 appears 60 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 68596F50 appears 171 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11080C50 appears 64 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1115CBB3 appears 92 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 110290F0 appears 1919 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1105D340 appears 492 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1109CBD0 appears 32 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1105D470 appears 41 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11027550 appears 94 times

PE file contains executable resources (Code or Archives)

Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-CD8F9.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

PE file contains more sections than normal

Source: is-CD8F9.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: Advanced_IP_Scanner_2.5.4594.12.exe	Static PE information: Number of sections : 11 > 10
Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: Number of sections : 11 > 10

PE file does not import any functions

Source: is-V7TQP.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OBI2J.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-D0PHJ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-7B70A.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-NE6KC.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-8VUCH.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-KNEGU.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-PIDI5.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-5BCDU.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-DUVAI.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-CEPGI.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-G3D36.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-3SOVH.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-4RR0D.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OT0US.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-FRMIK.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-DFCT3.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-92959.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-H6NSK.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-46V0R.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-3K2R2.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-CQ3UL.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-QAUD7.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-VRSD9.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-N93NO.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OJCV9.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-MMC0L.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-IE1PQ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-NKCKG.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-IENMB.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-15NDN.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-SF594.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-P26AP.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-D20H8.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-GHBG6.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-UUCTA.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-56ICT.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-DFL4O.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-JPUOQ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-7V6MF.tmp.1.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000000.1717068008.0000000000CB9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007F20B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000034DF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe

Uses 32bit PE files

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: amsi32_7872.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal56.rans.spre.troj.evad.winEXE@10/300@3/3

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11059270 GetLastError,FormatMessageA,LocalFree,

7_2_11059270

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	7_2_1109C750
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	7_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	8_2_1109C750
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	8_2_1109C7E0

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

7_2_11095C90

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11088290 FindResourceA,LoadResource,LockResource,

7_2_11088290

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

File created: C:\Program Files (x86)\Advanced IP Scanner

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\SysHelper

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

File created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

File read: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe "C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Advanced IP Scanner for Windows.lnk.1.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Roaming\SysHelper\nsm_vpro.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: certificate valid

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static file information: File size 21426168 > 1048576

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4194115639.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2084821391.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2165673550.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: ws\Mion.pdb source: powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb00 source: is-JTIOC.tmp.1.dr
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: is-2I7SK.tmp.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: is-7V6MF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: is-DFL4O.tmp.1.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: is-56ICT.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: is-8VUCH.tmp.1.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: is-853KO.tmp.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: is-JPUOQ.tmp.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: is-SF594.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193839189.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2084472036.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2165360601.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: is-GHBG6.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: System.Management.Automation.pdbrq source: powershell.exe, 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbcV source: powershell.exe, 00000005.00000002.2043434808.00000000087B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb44 source: is-7MB5M.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb source: is-JTIOC.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4194011069.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2084695368.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2165556205.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: is-2I7SK.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb source: is-7MB5M.tmp.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: is-NKCKG.tmp.1.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($base64Content);[System.IO.File]::WriteAllBytes($zipFileName, $decodedBytes);New-Item -ItemType Directory -Path $destinationPath;Expand-Archive -Path $zipFileName -DestinationPath $de

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

7_2_11029230

PE file contains sections with non-standard names

Source: Advanced_IP_Scanner_2.5.4594.12.exe	Static PE information: section name: .didata
Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: section name: .didata
Source: is-CD8F9.tmp.1.dr	Static PE information: section name: .didata
Source: is-853KO.tmp.1.dr	Static PE information: section name: .didat
Source: is-GUAOM.tmp.1.dr	Static PE information: section name: .00cfg
Source: is-CJFIB.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-T9A9E.tmp.1.dr	Static PE information: section name: .qtmetad
Source: PCICL32.DLL.5.dr	Static PE information: section name: .hhshare

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_079D9CE5 push FFFFFFE8h; ret	5_2_079D9CE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_089538DF push 8B08953Ch; retf	5_2_089538EB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08950C50 push eax; ret	5_2_08950C63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08950EA8 push esp; ret	5_2_08950F83
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08950FBC push esp; ret	5_2_08950F83
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1116B825 push ecx; ret	7_2_1116B838
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11166719 push ecx; ret	7_2_1116672C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11040641 push 3BFFFFFEh; ret	7_2_11040646
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C6BBF push ecx; ret	7_2_685C6BD2
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4DF5 push 685C43F9h; retf	7_2_685C4E1F
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B8377 push 3BFFFFFFh; retf	7_2_685B837C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685BE36C push edi; ret	7_2_685BE37B
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685BE3F7 push edi; ret	7_2_685BE3F9
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B94C5 push ecx; ret	7_2_685B94D8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_687E0995 push ecx; ret	7_2_687E09A8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1116B825 push ecx; ret	8_2_1116B838
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11166719 push ecx; ret	8_2_1116672C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11040641 push 3BFFFFFEh; ret	8_2_11040646

Source: msvcr100.dll.5.dr

Static PE information: section name: .text entropy: 6.909044922675825

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-N93NO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-G3D36.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-VRSD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-H6NSK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-SF594.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ucrtbase.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-92959.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3SOVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-MMC0L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IENMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IUPCJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-PIDI5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JTIOC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-P26AP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7V6MF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NKCKG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-BSRNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DUVAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-853KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IGVP5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-KNEGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CQ3UL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-D20H8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-46V0R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-FRMIK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-SCCPB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-O0KOL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7MB5M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-KATLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NE6KC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OJCV9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-PLELM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CEPGI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DFCT3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JPUOQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GUAOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JFL1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-2I7SK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OBI2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OT0US.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CD8F9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-8VUCH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-56ICT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-T9A9E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	File created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-D0PHJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-4RR0D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-CJFIB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IE1PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-UUCTA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-5BCDU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3K2R2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-V7TQP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7B70A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-15NDN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GHBG6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DFL4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DFILP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-QAUD7.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,	7_2_685A7030
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685950E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	7_2_685950E0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68595117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	7_2_68595117
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68595490 GetPrivateProfileIntA,	7_2_68595490

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools\Advanced IP Scanner for Windows.lnk			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	7_2_110251B0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11025600
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	7_2_111579D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	7_2_110238D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	7_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	7_2_11110220
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	8_2_110251B0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11025600
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	8_2_111579D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	8_2_110238D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	8_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	8_2_11110220

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11029230

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685991F0		7_2_685991F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A4F30		7_2_685A4F30

Contains functionality to enumerate running services

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		7_2_11127110
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		8_2_11127110

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7337	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2352	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 3258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 444	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 4944	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-N93NO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-G3D36.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-VRSD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-H6NSK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-SF594.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-92959.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3SOVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-MMC0L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IENMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IUPCJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PIDI5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-P26AP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JTIOC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7V6MF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NKCKG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-BSRNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DUVAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-853KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IGVP5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-KNEGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CQ3UL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-D20H8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-46V0R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FRMIK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-SCCPB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-O0KOL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7MB5M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NE6KC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-KATLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OJCV9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PLELM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CEPGI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DFCT3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JPUOQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JFL1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GUAOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2I7SK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OBI2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OT0US.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-8VUCH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CD8F9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-56ICT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-T9A9E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-D0PHJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-4RR0D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-CJFIB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IE1PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-UUCTA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-5BCDU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3K2R2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-V7TQP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7B70A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-15NDN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GHBG6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DFL4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DFILP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-QAUD7.tmp	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API coverage: 5.5 %
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API coverage: 2.8 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_685A4F30

7_2_685A4F30

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 8064	Thread sleep time: -814500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 8068	Thread sleep time: -44400s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 8064	Thread sleep time: -1236000s >= -30000s	Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_685A3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 685A3226h

7_2_685A3130

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6882CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	7_2_6882CA9B
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68830B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	7_2_68830B33
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: unins000.dat.1.dr	Binary or memory string: K33kSIWfuHhZXRVN/FJzyTDU56C+/GhzewmB5cCI4G/wVvY9gXQrVd1MMGCUnL90lf5H2Wi+g01xtobYeTu8MXHKUbuoLgE7H1VedSJqF5oRyKgjeLw+GGkgnq/3AG9Vd6j/wdIFZBUxzRk2n9tWtV3JwezlWhdVmLdhwNhOKeSc0832W1I60DbuB3QIM0g+o1BjY39EdCRcnuyjvwMPF8yKhjot428DnN6AH33lfvJzc5u3xzLPUvdZBfppf5Xfw5HGFvFsnwvh1vy73uPzfdaTR0/7k/bucOT4a+LMT2HMTPP/G/wkNFBZEBZmC3EGhoFhQUSmiy/DFX4KQvSlCOqhvCykIIYIUIRVJLdKA9CIbVSa9gENJj/ypqDXX+mnDtWnaBm0n2P6Mdk3dT3/TkukZflX71YLD64j4GanP0NdCfz/Uv+o/9Tg0Bc2L0xXIqhHqq/dmuo8epifpVbWLVjNsw0cGtYSbHmvMNlYbG43txjlgmPzmE8fMbVKznFnHbGV2NoeZ483p5kpzrxkXbJ8CDqYMeL6vNcjaAo5/ZH21MsMV9mJTgWRyh19Ou4Btqpm3sqNnLrToGee2EwKGHgFXfUZNjIjtpfKGenu8c94D743cjc1/gwecpGrJL/KCcM11cc6TxEyxB475lAj1c/uuH6hZVnIqeA9EpOyfX+H/qTqabyIuP/rxgqS/ZvY0CtoE44IZ8C1XpAY9myLkg+qdT0MCUgpnXZ80Jb3VfIlz5BmJrSXVooBY2bViQPwmqrdwNiL3uHYZuJ9br6a31qfq85WPPqZf0T/qP4BaSakLH10fp7tS3ZU7Rhk10bgP9P1L46cxwBxrzjTXQd+/Mb+byawoYI88uS7/1dEzBop/ijXjV2dPXkagYO1fO2dj2/HtxFD84XZKO7o2JCe0EkGk2/am/9radNI++/87qyG2E99J7IQ64f9nFcx/bh0fOk/hE944H/697+kycO1v5E0o8ia7lwe+sr7XFZ5qrDfb26m6gM54V7y73jM1HzEGT8BT8LQ8D1CkIm8O1pnI5yCvtsLNn4J2usff8588jkgmouDrCTKrEN5xFTVBrxVyaRTYaJG62ZQ7sk6La+Kl+CR+ioRQT6X8Cup+s5dSTbP9Bf4yf5O/C4r6LPjpkx8/yByUCMoFVYJewZBgVbBeKuqQkLsp1JzqNaSftlhbCp/+mEYYOY18eE+FjeLGdOOTUc1cZu40w630Vlb1burAl3a2pqvvmnetXCy/YoOBbCybw5awTvZQMHJ5p4ozGFH9yHnhxAQX2G5VuKpW7nBXTg3d5p5yb+DU0nge9E4/nNVuj4OLi8A1rICTKi2aiY7g3NciFrRLU1nr+SaFqlM5Q+6R2togfZQ+ASpuvr5CzTA/pT/XY1MDzNiLTqBTFScmgo+sYgwxxivOuw60fKfmARU1m5idkKn7zefmJCsDYqkwq8iqq/6Fdqw7G4UM3aVqHT9De8e1KTT3CjuD0xCOaJmz0bnk3IOODgXDyUq01dBtB5CtT9wkXnIvp5cPzFbZq+VN8zYqxojgabiLrC3DO/D+fAxydyac0F6l4h4qHRdTyO6wLPCMDjC0F7J5scjlv/TfQZVlg9qdFmwNduFNhavvWbmRka3JDPKUfCJJNB/oVwNMuUjVsRnQDTX1Zvo8fYm+8de0hrd6CDCO0iq0rrqxH0ZH0xn0d7oYOHcLuiyukcxICw71kZO1oXw3QaHFg6OJrncchXO6ZN5RiJZZKbO61norIWutqklmgv/vsig7s53b1mxm+3YRu4LdA457GfLuNLLtif3Wzqp6Fus4TZw+zki19WovcO6l09Jt5+5Qe/HuuC/cb25C6LMCXnEoNFlh0RY5dBz+Q+DkusJnj+UH4Cpq4nxmi4P+W7WvNhS8kSNgQZFgTDAZp3QIXHtR7tAJDVfaqxbpR7YhXlKrmVKFgFqVtQVQqhu1U1opvYXeFjG0Vr+o9kL3pi9oEiC+a9Q0ZhjF4eg2m/etH9D12ZgOrCkMvVCVtUGU72SPWC2waDN7pn3Ofg29EF/12rtq
Source: client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: VMware
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2094672398.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\v
Source: client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla]h*
Source: powershell.exe, 00000005.00000002.2038454722.0000000007718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: unins000.dat.1.dr	Binary or memory string: RSpS+b8h4yXu7f4F173oPnaJfdf6CO9BL0uO4v6liPWIbSKdwD5fPibLHAxNx+l4ebh4B373rfYPaIXOaJ2x332r6ezlxRLYyFCPwPH+PgKXgAAWIqPnEjjOxznIy0Xf0dvZy2U4Ywm0zzTQ0T8wyHe0t6vPcKZAe3R8Jk9GlbEe3qg0ZqSJ4UhxlFKRilSkIhWpSEUqUpGKVKQiFalIRULk+LMAcEI+Ux6Xi3GpgstIXNLfwPfjsgUur/H/w0uKIqO7BV7ifrqHQEGGzaR41HFJ/6f/AZdyuBwvI4zXHZf1GP/L+EwFXK7EpSIut8qUjlf4H/zjZex/hgncK2M/2VFQzn5V2TLiRwO6yjJW1v4fytmvX85+y3L2u5ezP7Sc/XPL2b+ynP2R5ezfWc7+4+Xsv1bO/gzcv3IUlpPELSH79TBdleJt9wm4rVC8reqA++SKt0OdMbxCcQTrvWRYZKfi4/pLcVviuQUvN8qwuYoS4WNlmHvd4m2FFBnmJGHpPXSenyS23RNl2Po6Ejt0GFsquS2SIcNCJ3upB7v4B3j4eA/V6KvZR0PdxVvg4+zh7TZUw9xsVK8fNNQDAh29nR29fLxdhmqEuQRoDNNSVhriGBDgMtnJK0wdI/AOGKoR5O89KEDg7jLZMaDXZA+Bv0+Aj2tgL4HP5EGOAZM1g/tqqE929PZwdQkInCCZmmRUo51dvAM9AsOUldRRio3qo8k/GsL9vsJTYz7+w/0F7h6BLoLAIH80zPKHASIFb8fJuG3oEmga5Ovr4x+oLjzVpq7j4+3q4Rbk7xjo4y9SDQzzRdUQD+/vvsU9vckYZ5cAgb+HbyAmrSURxzhHb0c3F391E5fJPoEuFFegv4+X5pDekvoU6ZBA/6CAQDovV8GS+VZDS2jMkAAXQZA/5l+0jXv8XfyCsMRcnMf7ewR7eLm4uQQUHZQ8PDIUg5IJY12CXbzUveh3qIZjwGjvYB9PF38N9d7FcfYuP9IhvUuYMKR3UV6EJePr4o0UCcQGFu0JHC5iUNK4slkVS8mSlzwipG+cuKA0LTy8nX1CAjTp/KaPdy9RyQeUClXkLQNKOItYvug0RYpBTl4egjEuYWZYcBRd/4H9nQb069uvn0Dg2tfZtZS6l6O3WxA6xlCN7hJHeheVZ1klVLxXINx0LD6mrCSsl11Z8SNKZERPZZnJypOZwoMzZwoX9KFd+LN/P/ZaDPiXHnDDF/ShXfgTEhISqIsSMuPXkALdRbScAXwZsmjRT8KlUYERLucW6BfMwOWin3QX0X4I1DUCXL4N1NWn5a8YDy5DKT7UF8f7hSWrplA50Wn1ibycRA2wRLvJOz5Rszto0CCmpaXFbPX7M0fDgczZeAhzNx/G+g7UZgO0RjKtYdpsmPZwNmiEARs+fDjT0R3JRo4cyUbojWF6+qPZmDFj2HC98Ux3jAnTG2/BjMYbszGmNszQ0p6ZmpoyK0sLZmFpxWxsbJjHhBFsstVI5mutx/zsDFig4zgWLBjPpriash89JrAZnpbM1EbALCa6MYeJjrh0ZzYCD+bo6MicBM5M4OrGXFxc2KRJk5ibTxALCAhgawcz9rdZA7YBS22jPmNbRiPGMbZ5jByLMpRl4caMhZvIsQgzORaJ63EmjEWZybI4c+xbTFHHXI7FW9ZhMZbyLN5Knm0wVcQwSmyDmSKLmKDAIswboJ4Ci8T1eAsFFm6lwqIslVi8tSKLslZmsbYqbKuFLNtqLc+SbJVYjF0jljJRme10qo9QYfFOzVicoC1LFjRlaS5N2B53NZbi2oKlurVk291bs7RJbVmciwZLcO/EEiZ1ZUmuHViyR0e2Z3IHluTZne3x7cJ2+PVkaX49WKJvf5YW3IftDe3HkoOGsB2hA9me6UPZoclt2CHf9uygfyeWHqDBTod2ZkeCurKjoZrsRFhPdmV6Z3ZhWg92LKwPOzW9D/vTU5vN9LRgs7yt2RxfO5YSOJxtC9Nhu37UZTtn6LMFU9zY2VkD2Nk5P7Dzs/qzCz8PYefnDmN7Zhqw3b+YsCM/jWKH5hqy
Source: client32.exe, 00000007.00000002.4192062509.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWLMEM
Source: client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: unins000.dat.1.dr	Binary or memory string: vlW10eg3sl+MnMZHcScibf4SsoNaBXhjfqaiZq2uyMZqTtoOoiQ5TTSA8EHmxWV5glfz70aBut44aVuefH6joNPjnBU4Zl9wq2zreHwW1Vu3XrNek+IdV7/YNetKuu8ah8w8M1OsDDXrgnw+hofDw+sB+rOTFYiY8I+9if53aqdjZl7eq1nIPpYjCveh/wvQLbPjabsJj6Mnn29mhNNVsgQwSTTmaokUXzqIh3/FBvYtV1ByFTUcWJBkQTtKBSY618iRlJpiF7+NqMQ/WstIOl+TWO0LuTGdTcRL6f5OKB0qzBzUVx6NyVFPxYIFSzh7GcvNgEU6Q7QbsktFvD01B2Fw723Sz5raknIS9+TaT3wWtk+AvDVQwATgTCKyqPA8GGKtLFQgSdAgdQYeKxmba0Tty9wMovjvkIAKoZ8OaOhW57JCT+umby7grsSkFBFXjuw6rUORNCGzJcrmxBlHi6k1/HKoe4XtG0uCwiAxe3eVm7/27kytBtrrZgVwUJO0npwO7WHnKaRgVB9mvHwNtha631VmCichLldbJOtjl0PK9UfUfwKYfhpiyOiebcpm+fwBGdKocKt0q+b9gPVdr633pVkeTbSut99cCKxPo1fuMgd44f5lb3Ip907w4CvJGRbkS3OLteIK5DueFhrp3BugEDXA8WwxUmPV+Izvn+5PKb6uccfrRXBXrb7Lf9aqD/ZykF3IP8GUL6EF5jzR7PPs6hRODLb4iCfYBAm4GgBDgt0meNu5NXc3ENNk9rmZSujQ7W5o9Spo9umb2GGn2WGn21Fgwb7XFOqHFWqXyTvbpVeEWQx2lVmoxc4Fe6Cu/+ULox39vlP8U2Zam+u+NdaRybn6MI5XWf9KcmBcofHU3d6QSSTAT6dBHPIHlvWRM4IpysYT3TneM/14F/fcqZ/jv9bj79d+LJcX4701tOKFEfKlMUct0aB6WmlRXrZ8JhCe+l0Q5VAK6Pzl+IsYrKxsb8byUtmiLzyc3lfiKS3wXBFiyJfgSPIsPHemIeejtsRFPTNuZ79eYyOfDkXItvp0T04ydoyh4yDLnxP7ZJWrCe8bGOoSV4+Tl6O4LvbQou8MeXIrDyZZuxmTo8NdSfS+1G7We6o5Yc/0S3vAmj411CcXH88ClUePZelaJ71qOTtM8AIW+S9QVuyneh309+RsUJtImpMIql6cR/u80USqeL1UukGb71ut9Y6JhsVIXcxeOQ3igy0Oowayn66hC7tq9VvbmwLCnDnPuASRuwJe7YSLNMbEVA7VZdK40xQCzCL5gFuG3CbYYjZNgOZ1iaJyQrmu/gFMh2G+b2J9zw5uIQ7CJOERTpO1qdGTk1Ykj6YSVal65mC21dPfrYNV6Jn7+jUv/G/+K242mBGwptdnkRYuBRASP+0aTjFrlYXcSCb+wDQ9XDHY24mK94GZDL6Y1IjR9CdH0xN7jEYezbEBmt/Lb9lDoD69MifjD+/Si3/aHh/L/pVH2U4bfsJ86Et2lEx48qiztRcURyxPfGHFAfgzfoadSoaZLu/E0yfJEI4a/Ky3bjEeVodHwo+JJNhpnotKZpXoj5svdlp+r7JM7vZa448o+ryGuU9kXqkWRcBwHfHTam0hCPEZANcoi0nvwPSTbVuXYVhQ0VtzntoujFsDIfG0hro8rNChFnoczbqddKl2lpM9ApVvCuDnyUtg6HNFURz5Fiirsx6afEOY1kekafyI0Hzd74U4VvpOQJIFftkMmrGE2wTMHv0f9F8rxD7E5toR4jiu1HN/4RMvRpuZIi5fbyXP0JrLNF0cAPlUN4baAgVv5PYLldGHDPzFAtYDEHWOUryNY1Be8PSjFqxezOHj6wB7OQYc9wVqq8zDGKjdH9IrbcBqE3kERemgzCiebgiSixLlOgnW8YnFzORg1Kc28gwnknazS3gnziHw5NrO3cL/FJfEQlZt4WmlrhsSozNjM1Xzff4w4xi/6aDfW2DrmSaXNTbad6K+Y+/E8P2RrtpNiQTjH70yQ44MEcczyTvViC7TdqVpBz4nT2ubupNi2QSaLvHp7dWRV
Source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000007.00000002.4192062509.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4190771017.000000000045E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.5.dr	Binary or memory string: VMWare
Source: unins000.dat.1.dr	Binary or memory string: AYjgDCKVXTQPQHjASBQAWaCysPaouXOM/pZ0ZdDfofBYVFJ1CankUJIUbhxFCpMAf4OU7rMMwBx7P40K/kgYjI+igq6cD1NU0M2pIAzYzOlADg1U8HaKCr5x/ipUACQAYn+2LVHRuDCRRgmCQgk3XUnO1GlUwEng9JlL6bw2jV/gcdUY/GIBDKN7gUamDqOP2Zw+zmr7tf1IH/055+rLS/5e+qg6N6yBt/IqmnQlUCVk9+qIWYDQuSDzf7Te986OqFdB7KxsWssNG17RJFLPppBK1pu0tYTUWkLqH64i/vw/xu+nsavjF0QArzaF34z/0XqfiP0d+M38v8QvrvdhclVWKLTcRIYHrM7WB0tiqM/wusDmIATsCItEBvSReFawO0uazUdojNp6URP8KAuae7a+/Pa/d5yu+yyRaNTdzuug675Q5UJNU/7tf7vC8Cc6Xics4wIVf1e1xhHVNsFCUH87otUa12UfIiz3MWsMsCxaY4jimIJiWOjmMWu+2i2oAbkdacj9cvhsAYm+gJmaFKzC/LU/chrJgVNR5IwxjZAA7jRauv3vpaVbPh2N3JaFIFwXAH6JjnRNrNPQ0sFZP1UP1AwQ/AdBcA4hCAMEcgbHdmwI24DrnA8Aju4MjuRIt8ABytmPjekWciL2JBy//utobJsQ2wlrPPtYo3EUso+lkJ22XDr96nBKdpN96fykTiwgXt79RzpkwqxTNgDrdmkvwdcXUl8DPWlyH+cvXNirhEUFMPndeCaS9AelSFUJLUixM7TH1g7U4QSmE4SezKYj/UcLjEcuBjIpRwUIEvdyYTN32LRh1ff8NlXj/2h92i9VHzrO4BXifTer8Q3MLVoH6f6b4fVMFo8kMlhX8L+vC35ynRZm7GxtPJj4BlSaC5Xu7+8sUB8ZCGRStrm0DRls13zVOhg48FUrCtYBEqwDJFgHSLD+l2Hz4xfX35LJagsMLUvWqSXdOkPLKuDmKu0lbXxtQmn51YDQxhCGt64Gwy+uuh5yKDoGtQKHZ/dweKZGzuiYrjklDrGuSA/KQYaWEzgOjmk7U50yQemUKYYW4E+GdCFqdK4jF0fnS3VmJer5ypoFIlpMNDzzRCKNlQeIlQeIlQf0p7+dGCV/5AXjBYbQRLr9l4+bjoXMWsxsM2GMo03x4U7L7fImMsyTX72/SBWMC6vr6ndvRvuA/pk8yxg5fkFmHvMox+5NZEzQPZNZC+ogS3GNCpKbILnRPnSGLD/+V8xSgFnGiP3+2VSBzFYQjGesvpG5i5l1JvrEQQPQSDToqQY1c33nUvBCbDCug3Qj0qzWy4/1p4qUb0qDN54XqAO0MFwpmxA5M0Znl629aRmEMZNMPJuWZGwQ7r0wBMKkdBCMXwKEWZf+Jgifxf4mCEXxIRBU6SAIhtBalUIgwmrovJkcnJF1vDqQXgdSUuHVKWnCxaGesRVymhiLGPovpVGcLuAos+ZDye4iDsVYfT5zYKhka9HVISgaTKVLjm8c3nlej/zdP2WrGEqLwTadB7BeV4j29WkzAWv47m/xSrTRy7rkw3/iqvtL2YEH0L4GYKhu8bDEf3yJErOuUMJfxFVVPF5o2JZtWrIHYwz1+02W87XokwnVhG57l2Yb9mev/M8jCg+Y0fYbFYGoeWDbUMnktskKJUPDbnhZq+p5kVQz9EpbjS+nIL5mRKHp/K0m4XtiUpo+eHfm1e9f0rwhkcshh0fcteIiWcO8mNJS2HsKT6K24P6SeS+mMm9Bf0Ti3k0XyTLZRXIn/3QWsITQCcPTCaiqptfDz8jF0AaIflmlElSBMrYLSw3WLVIZGj7IxDPak3TYNVmFJ/o66KfKRV40urPhbF6ul7vyOr0jM6WhsELRUFiRrqGAL77WOaih8GLfYFJDYQkVT3Fb5+D5euNQXMVQiSjLYYn4CyWWom/rOTvaZuSq64qY1E2HkAijx+F0eZXkik61bxWUK8+diKc2Be2hF6Blqt0P/mJaLofzS+mMh8KBLJ5VzbYgbti8glDYX6Agxi6FDvMDSK7TkUosSfUXsbPaQ714
Source: unins000.dat.1.dr	Binary or memory string: ZhsEwSzDYJhtdAT+MAmFOWYnYK2RJ2w08gAFW3dYbH4MVlqEwjKrE7DKMhQkbI7AfItTMN/6HCyxOw8r7U7DCsdwWO8ZAdL2h0E16CqI8K/DKusbsMYrCjZ63QWZQ9fhgFs86PCewEa/aNgQcBf+PBwPYkGxsOXIPdh8JAH2BESB1pl42B3+GJTPPwQ9g2zQMSkE+ZhSOBBbCgfjy+HgPQGoJFSAxv0aUE0Vgk5aI2ikCUEv7TloZSDoZAiB7+YPpjbPwOJQHpg7lYGLez7YuRfCIfc68DlWDj6BdAxoBsuEfNBPF4LBEyGYEJs9FYLT0wpweVwPh542gFEmAo+Y/0wIVlnEOQi29Nk2TwiOxG6ZjeBBbFdI+YqEYF+C4FSG4Fn8HFzLEbxKhXBIQN8rEHzLn4NvpRACiQOqEY7QMbSKjvT5aiXCjQoh3Kz8by/U/+2Eb2O/2tJZwz7/rG+X9P5QGdi0eOH8mTMHDvzoow9fJvppOIgYdUUaM+cPnDt37ofDYK0BkZ6BHpGqngpHyirKO2eLzR80f24/kvN4TMYt9ChrKxNJEm2du1Ns4acs/0Zuj6aesTaXRFNTU1lSk+SzlbeLLZzWr03OEmi3JtCUVFbeOkeZEiwe+AVs5PONTbjd1BwIk2sqS+1cMmfO7DlzplF+Cz7fhM8l0DbWbsfYvn3r9p1GDN/Cgs8zaSmBlGjXgvRUVu/XImcltKV4UYamsgGTW7MEJiatGG310GYJ1Fn51lwCLolJxxSUQKNfq5wrwtS0TY1WDO3W/FwKPt/U1JTfkkKvVYuW/A4sAVeIKdOzJQVD0WvJ79BaApeA36YFKaHH6c+JrW1tbbkEHVIY63H1d6AEtlTAixStIHrGGh9yckowYYiGha1FawLTtqqqt8h7j/xu8pRVLH9bERyKMU+D+hfJf+81+cBoJdvWBLatIJTAaOCXTD5hsuL+bydacDq2g1AJPKPps0j+w1QFeVn5rz8WdXCwbyGuKKqy0fx5sNHpq5+/+VFcdu+WUc6dycnJbP4y2Lxx5eAV/Setlhu7YsNLtGbNn22DaMwv43seZePgHVHbO/n1u37u5dvmPs16LfeitNGbrKe8P+DTPr369OlHKdlC38B3zAOIP4Zevd7v/f4HvYdPX/Rer959mGbMFuxBA2yz/2/vkNnDBtiC74g+Hw748MvpC7/8RY4f8bO85aNJknqPJ0hoPv12q3rm+M2qmV+LqWSO23Qwc+wm5bfEBzPHbVZ/+o2EburnM5ezW3SGLHO4+HC54yVcbHseKV5Ciq2Q4iycoRuAFAsixYTE3n+LKb7kmGLMTr9PPuiGX2/VZnvyRqzxvonuWU3o+RaZ4h10f9qAFCviPKuzOEMnACkmxNVWx1CUjhT/4rgtGomEP4piPHTMF6JTnhDtc4RoxzhbiBRDoQ2xNTHFVWiZKUQLYj4xxWBo+kSIFI8h77EQjYgNM4RoQEyxGlKch5r3a5BiUaQ4ESkGRYqnkWJUTo8WfHWG/xXFl+hUhOhciGiXj2iTh2idi0hxHFoSm2cj8p8hmhKbZCEaZyIaPUU0eIKoR6z7GFE7A1EzHVGDWC0NkWJOlI8pw+XWJ5DiUdxz6QkutDlHNg1EipE74YsdSUCnYsIntmc6FCDaMj2YDrktOlhkt+hhxvQgHSje5PQwJD30mR6kgw6xVqse6mlCVIgp5fB105uQ4mFOh6X2F5DieJyk3AH/aAI6lxJ+CeEzHagt7Nr0eKktLFrbwqy1LXhtbdGqx4u2ECLF4hy+/uPnqJvR3K6DiNNF6g/+nfBdypBj+w46dGqL7myS1YVNWFtQP6D4H2muwenQkWkegjSv6oR/qBw5diQdHEq70aNNh9eyiRB1UhtRNbEClakdWFsoxpYhzUeQ5g34o7JbO/5mwncnbDdiZ8KnuQE6lr6qh103/bNbm5AOejQudKkttImZTfTSn6MrjcuX8T0EyLEL06G8VYee2uIlPdra4mWbGHa0CbEB6dMVvjdhexHTPAhpTvT6eryGTYw6jBOjJ13j+1Qgx+7E
Source: unins000.dat.1.dr	Binary or memory string: PVgb51/FIfmCqXE3BYOp62AOpRTcHzwmxW63FU/99o1SPDXouMKt2H4UbT8qu/RO8iK2n11KxoHRYCE7WvBZc+9fzhhHygiA4GRRePNNXHZ18m7T92x8aqae6U7qjyjDn7aY3iiDm8f4TIHesLrYVML8gCA3mv5CkJcwB7DWcQ5HO+IxKWJchvHdj/2vYDzVN8hPngQY31+tcuVVq5jRAozmxlaQ5l6hkK5CyzMKlAwjVvB2KoycxOWdHBPF7i6LVAWvwqPfyavQf16r+2T2Ba3DwBE0fr4YAVsLY8PHdXUAIEDn7uSdw8pgNTDYLVjFOxipRDNPibHXkbl/APcybC72wwg0hnJwMD9Cm3gKg6yaS8fSFj5sGiHhQza9npRMDMelv1eQll7vaBgJI5xyxI949D7iaTqkDDTrCZF4NlLiuWtuIPE8M/d/tbC5viEcfdxHPH1wSTvznYvMukK14YtiIcLbkYqzOzaLO7WtiOiTw3T5QJm5/1HfAYi24PYbgMVpdCSMwvMPhwPWL45UH/T5fx8XwfINJQl6FxMtxRyvnwSgmWMnDz/6j0Dz9hWCxuBmMQYCZjz+3EUB5msn3zyCU0fssZONB9BNaRfYavFx3gUnmqBQlR10wwMoyeNl8MSKA8+sTs2sMqwsziDPHEI45YFmP/aR1nCqCIKTYZSEX+R3DbRbnECfyX7nkh+zz/aekjAwrEezqOWRr/0K/3FNc+vCYASuSYIZW5NPoHaDr6Zn13HZDVx2rVednn9zAtNYFDHmHmbwmPlM3zGLgE3dUaEsykeLKJsaB2r0V+owoK2OrsxmtbfDV+j6ha+a5N3j04si7AXFhoISjN56fOmXqjSVyr3bUIDXyhm2FbsarIbn0I5ilrpIgqGgHm0U0pG5M4OZ4CJxzBAXiWL6uIjW4OZwJ8jcYHDvU2GsSQPGmrj2GmtK4bPj6Zqt8FFfmmZwf0TT02o+pMVqsVjNKzRTI/rIeHOz6+cWV1Wza6+mYzlMuQZPj9AHtRml3QTvoy4yjbnLRToz5gwmCQcV6yIRBje+8n2hVFWsUrHmjse9k1x5dSrWtOz+ZmG7IJSb62gMzHCaOqDD9GY5pbdUJ3rZXjzA4jVsURkBFJWMFt/a7liZjm9lG9xVaJnm1arYiJrlUE1cAmeYzRE/Gkjk6B6qhQB1LHGVhckrlH/zWPZRqWS4I2E0nl2xHZBLdnSVhUOfKq3KO86pcwyk2aP8s3WYrVF5E5yRjhE0O07J7uYqi8RstcrXm4rpQjL2K2jwHgt14x35amphe8x6dDhbyKg06agqvWMhnjfHoP6aoU/ezWVoOR2XAf/Foxsqwyi+knbffQtU06elD0mBRvFz+E23mxH3p0+ZPOGOiWYVDL4KgaA7gHwCTFeJB7BdyZffNkpXMl7D0isZc+ykl1O+zu4B/QE7ud0p8YehdpImfm9h+trJCPhe0hDuGeFGyreT/k5K3SI7iJA4gWFbhjb/x0uFGVqZnjtSeiYl+ykV6+xk0YNIxTK9VgbR73ejFfmA7nuYSu4YmMrY/XQqaKvIQuvPfQpgMxlKX2gE4znKhha2E6mg2Xj8y1vtLs7VmcIxEGd+J7LZl1FGmZ84BT6Gsj7DtokabbIwqV85G+Y9PD4/FQlbDYStA8LuNmYR+4xTM5O/kHyoz3R9x2uRI3jv4097/3DXM/cjmZIExookMNZFRjHRGcz1+COG0sOtqP/i7tMALk/vHQIWVDx/bNnPSA3e3vCrM/zai2TvjS448biWPur4c/OyvUh044vUBcVMmHeVOKLk4hQ1MEeMo8RTtOSzpchdOfrkkJF8txdniC+M1/yKVAJLy83GoEQu3ei/LHwZueFbWQhVPRAgt4PX5eEx0rpIzrfH9irQPzBfMheVN4+m+TI/EzO9PZGzbgF1IYvfxUX02wNpnE1r2sVoxOsYQWseC+s8HRYHHS3VFG9NTSj48cJVja/Fu+dT2+RxUTU4T0swpwAivcSvh8k7S1C26KBiJ7J7jwwL7x4uuzmlN1hqm/bIjTlbMGTNgbGb
Source: unins000.dat.1.dr	Binary or memory string: gg/RJs23qH4Uqt8oZPBNJc2Hde3x4biqmifzqPEtdmL0B63ScxC+fIRvh5DRnyynTvQHydVwVN+M6s9i9sfHg+oPz+Ope17lKYw9LzeOnbyeg7WpSAOpNT2Y/fLmHHDsg3NC0RJqYOKO59jxyHyEexPCvZ9g4DY4wL1mXFnNwy+oOS1h4kN2yctOFrvEG2FuQpijCBu7pNQh7qqazTRub+cDtvbbj7BYFAVBao0Ls6+DnTuQZUnN0RRalpOcD9jaEPMRzk0I536cOX6HOOsQzmQLzhJnu/l6CeGsRzhnMHGecXYoJy2pbsji/2EevVloSSiiE5izVsJC3r8LtNAssNEX8R4OaKsvr9k0H+ng4zWyfNo6MKIXg+SsIt8BUGpOQHgLEN5ttnh1Ho7n7MbntP/jYqFFcc7YIuT/IIzNCGOYgOn/uDjel8EDKBn16WInoycxC38VY0j6Ib+miW/DX0O7HOicj7EIYdiIMBzkM+Q1i5bXde3IK2mDSWrS5tFzX2zfv5cRzjqEcyafMd5SB31aswbNQc2ysfQ+iiXPg0v1w1IOXZZ8S5urQqmJ2wPrALXebYe7oiSoWvMHj1rvkI3nDQlobKUeDvbtkU6ehaoXoOpbeQya8HpSfdH0bG9vtr7mbyM9/1w7/dIH4WtG+MJ4zPnndqS7at430jT26WqH8+gTwBkKqTVPXmPgHNm1A/+3qXWt1NnjTEY4tyGcO5k4MxzgPOXstfyAoe7ULsM36Kbm/oHGFsv8MOfRUp6cw24HDBpGunvalyT+8oN7yNCnGzVPQUV7DNtKdxk6whdqh8/3mz0d1smyq3MJ+oDSUbscOsynzxiaww8YKgDP8e/22NS5+x3VjpFx7oJwpDLiyE5dBHEWjdfF0oZrK+4zgCMu/Usb3OshjnA32eGugDiqX0WHNxj5iMe73ynscOwZrnb01+wncW2CdERvlKYJpPpnweEGUCPaT6ZNTN9NhqWu1Dw1v7HbWs+SV03nFU1vm4e5UXm69LZ53pCHaFb61m6Dx+K2+Qq67pm32+ZF0Xl7V7XN09F5xJq2ebl0Xmo7eQV0XiWdh+6Pu7XSqSi5LZ0Un+62wVFP4/DZ3Ra/W3cqL7+oFf/g7q34S1Pb4m/i7CHLhTDKNbdTzpu7x6YtA91WRdc91rZyGTiIN9viiO9mi6OYxuHms6fNWCrovKB28hrovKx28jx6UHme41rlnaDPBFT3KH72bqLig5uoeCodf4sOV9Dp5XS8kg7/ptN96D23oQ+puI4Olz7sWF729rDTFS9Scl9A75kVPqLk+/AjSiZ/hBDxcMUjCncWvb+zupmKL6b3ZlY8puLv0WElHV6nQ94TqpzkCYXf/wmFf/wTCv+0J1S5ArpcIR0eotM5tC/bhw7dsAMOx0rqAPAXukJYCrxQBWXyVtvqPGwNNfYGGmczjbOB9vuesDpuA/Og2ghNour0Ax3BbCMI4h3hCLDDETXetp+nxlP99HSh+jOEDg20zZXh0nE/8+3aGDjVto38qZQcInCiw3ratkBxyzri0dMWz80ZtuOdEL3bJj8t2ja/KXp3hzwa0dOWR09M3mPY1NPVGl+N7j2wdq/XA8PGB4bgglHxSeT7uhM8XTEDwEqAjwD2ApwEuARQB/AQwKW3K9YHYCSADCAEYAbACoDNAAcBzgJUAtwAeAjQrY8r1h/gZQACQAUwGWAWwFKAtQBbAQ4CHAU4B/A3wEOAHn2hHoAGIBQgCiAGYD7AaoAdAIcAfgO4CeDiBW0BDAfQAEQAxADoALIA1gLkAxwFqACoA8D6uWJuAD4AowACAKYCJAEsBlgFsAkgH+BbgLMAZgB2f1esF8BQABFAKEACgAFgHUABwCGASwA3AVyed8UGAAwHkAGEAMwEWAywGuAjgJ0AhwDOAlwFaALo5u2KvQQgAQgBiAFYBPAOwGaAfIBDAJcAbgJgLwDdAAYDiAD8AEIAogDmACwGeAcgD2A/wCGAHwF+A6gGuAPQbYAr5gUwGIAA8AMYDzADIBVgKUAuwG6AQwBnAC4B1AE0A/R4
Source: unins000.dat.1.dr	Binary or memory string: ZtAh6BL0CPoEA6ADRgRjggnBFHiRpUHImzA1Sys3IYSRBWQZkTf4cp7RXS25ngo+c5L+VT9Oo7dER+Jkv5jJrShrDbj/lBW9I+df+3G6QK/MYHN+zeRIa2e0s9qy6/Su/cRej98r+02SuAFy64BbEhpfblrJyLOBKWSleF5hqzkzQxCzY8QEMUXMEHPEfDHLP+Nf9B+oCIkdJAnCg7TIstJB3aArYuWUmnacXOmIBMizi3hP4do/WhygR0Poe7n9MXrn7V1449wq16L3PW4Cw8pbwLdGPLW93gKGFFZ3o3VNmYltzS7mANUVPstcZK4wN5v/mLHUfveOVjfVCc6BtfdYK7yxefZV4MYLaIx8ju4UdUo5I51ZUBef8bwlkaty48wU949fM+YrQbNV4tXhrvtBp8UWCdTO7iLI2IVip9gruvvL1f7ixMiHAoEI6qiZOsmRsCEhmUkOUpAUJTVJd7iaZWQVYvM/u+KPkpOqTrgmtOgAbYW2VXugvVJ94KHI57jqi1Mb2ocuoavoBnqJvqdfaDxo7ExGdjWtuLXRQVVlyb0oZ81LZlYrl9XZ6gcXPt+6Cf/9zvrHis+yMk1VFtSFGtmtKrBkffDf4ME+UNzL7DX2A/ul/c3+CYeQxskKzdUC/HNccWJ1uPED7mU3t3fXS453b3A5n7u9GCeq+qP9Sf5Mf4W/Sc25yhv4QUPErZxOAuWaMbnyNrXJNDz1SfKAvPs1xSavVgIo0U9t/SyrV9FbQU3VwVMOpJPoSrqLHqQP1K6XzEZ+wwU6NDTaG2ONecY3oxSbpfZxnITqaGV3sMeDweXu9ZROOqccfvFJNXEhs5rjsp3vhf57z0NEIKqCwQ/Jen+SXHmbFGC2T+Shlh//7y76SH2ZvlmPQZPQ3KqHQfabHaa9zKPmE3hhebeSAgq6pjUBqn8pvNZLOMsMrBWcVh8o6OFwW7JLYSXbBjdznt1iqe38dlm7kto7NQ0KYy2YIJVjQsXWcVoCC7Y7R5BXD5y38ARJXDmdfZl7GAqsJG8J17iCb+WH+VneVO0GXSyuiQfio/iJrFqqphLFDyKCrEH+4FBwJ3ivNHnykKwxZE2KB86qTkaRDTjtdySxNlAbBhxepX1EPMXVk+hZwdKOXgJnXhe65JMeH88qe56Ww7tJtAgz5O7/68Z9qNg4JjGLmdXM0dAsH3AK8YF4nRBVc4AhslsyDHw3S/nmo/AOScAl6e0cNrEdeyLiab99x+bwyo2ddvA+fZyJQMI/nPXAv/3OY+eLU8It6x5SGzA+u+nA1EVUvXR9rwUc9BXvgffJi8UT8lCeTnlplxcES7bEyazHWz3BzwMnn/HXUPbJRSFRDa56OPDnO7RklC8nb07xV+Kk3vhJgqPB+ehYrJBczbfKSuqQTdoeqJcnWnw4lsrgdZcWhd9rihybRPfQ1UYCM6lC+yVQI1dMZjWx2lupoES6sWFsO2Kvuj3cPmNftD/Am2R1CjvFnbbOOeea8xrZksTN4GougzPZB/d0BnyfBE/QHNw5RtRVGj654qgZ2kbtonZN3RBWV/w9Bp4tksr6j1L4LV3wVk7Qc/QF3ktsIwq5LuCcKoKPBhrr4DX2Ga3MoXg3J6D0E1vlrCHWOGuFtc7aaUUh011keRt4jtX4vVfYXTUDJLBlD+diqN1j9jWg3lc7yknvtHcGAvfmgqHOwo9cdW46d50ibim3gjvKne8uhbvyvH7eTm+/99pzeSfeg+cTs8RqsVFNuHsg3iIuk/hpoCrld7QB/iLoxw3q+3p07k+EV0mtlYV3eoYnzQFFXBqKZakeRgfTJsZjM4blIq8WWsus61Y8loSlYrbqYrjIrrMMdh67Nc44idsVzn+He9J96n5x/4G2C/XSe3m9NXAtg/gouL254KIt4rDIAF3bGd6udFAvaA9VJ3fpblD9bepubkByNYtETqe9Dg31hiRTWPSbqgRtpur75A3kAm2TqvCTUxO76D2RJZlpddqSdod2mUB30svwHAmN3EYzo43RFxkjp8h8MBNZmVS/8yVgQwKWh9ViLVl7
Source: unins000.dat.1.dr	Binary or memory string: DJ3B3R9GPhM8ubX8X8uHL/qJJzFqkQsBGVT/icaPs/dju3hIJusyi1qZxbMyn87yGUfG6OdVAEFDUW0hG03ENlioZCuNOE2NXTgWNy6OHxMqTMYnxQhFcWzTeImIERcWyY/hxlnHCMIk4jhxuNQ6TBzD4MbF2CQQTPExXJEgnB+nOI1hmxJsYFN7HS08niWVxMeh7///JjU7WT1QM44fFi8RSJPlcZAi4U+NB63wed4SQYJAyI/gx3VkKme7JIGqyDtcd34CX4gXIv/Zptw4N1GCOJovMcXHCxzDkPeybNNwrjCOb2rPsv1N5c7GbX/fOsu2C68s245OgzjLVjGe9t6O3o7Ozm6eo8aPlwe64/+5cWQfR772qzdsDOPh4TARHgNHwrPgs/ANWJPQnzCWEEBIJFwn3Cc8IbwmfCf0IOoTrYkkIoPoR5xIXECsIFYRa4inibXEOmID8TnRxq7M7qVdT1IqaSlpL6mGdJakQTYg9ydbkDnkcLKQPJucRz5Afk3uS2FS+JQEynzKe4ob1ZvKpa6g7qWWUyuoVdQa6mvqJ6ouzZh2wL7Jfj5nKaeOgygF5KfiCHAAHAbHwimAxwVwMbwJ3gN/gr8DXp0IowleBH8CnhhMlBIf2b2zsyWxSK4kP1IwKYK0grSBtIt0hlRPekLSIjuSEwAn7YCLKZQLlJeUUKqImkEtoO6g7qcepV6hvqJq0fRpRjRT2jAahRZMy6EtoW2lfaC50hfQH9DXM+oZY5l8ZgJzJ/Mu8wnzNfMjE8fSYumzjFimLBsWicVijWR5svxYXFY0ayprOmsVazfrGsuQPZA9mu3J9mNHsTPZm9im9i72Xva59nn21+zv2L+1b7fHcNQ5PTkGnP6cwRxLDswhc9gcV44PJ5ATxAnlhHOEnKmcRE4KZy6nhLORs5Ozl1PBqeac4VzgXOE84jzjtHA+clBFD+1C9n14IEyBc+ClcBIhk5BHOE9oAPP4lDCU6EAMIyYQW+xopEukEjKZyqQ6UkdRPai+1IlgJiKpYmoCNZWaRZ1HLaSupG6iloFxqaCepF6k3qA+ob6gfqZCNDWaNhgfS1oMQ8rIYcxjbGDsYxxjXGDcYTxmvGVATB0mgenEHMcMZ8Yyi5hnmNeY95mqYGwSWLNYR9j+9nH2y0CPNThDOMiNJmJ8NJXItdtGaiH1J7PIJlQ23ZHuQneje9DH0f3pE+hcehr9Mn0bYy+jlvGUYc/UYfVmBbFCWWJWPCuNlc3ayDJhD2VT2SPZo9gT2GHsSHYWewG7lL2TfYbdwL7Fbma/ZqvYs+xd7YWg7fn2hfaV9lyOlJPDOc95DEYOQl9iIL8/pgX3hg1hc3giHAHkbDtYC30JzoQdxCPEd8TvRAe7sXb+duF2U+0I5JHkMWRvsj95EvkU+Tz5GbkXJZgioMykbKbspFynDKSaURlAruaC0btAbabq0RxoPrR02jraZtoR2jHaQ1oTTY9uQreie9GD6JH0WHoSPYu+nb6PfpL+jJ7JaGa8YXxl6DLNmSQmgxnM5DFTmQuZS5jFzD3Mq8x+QLbmskpZW1gVrCesFtZnFpHNBH1PZ89mL2ZDIbJ3JHYEF0IgQUCYTigh7CGcIFwlPCN8JugQBxEJRCeiPzGCmEycS0y322m3z67GromiSe1NpVNdqWOpE6gkWiAtlJZNa6BRwPgXMlYwvjCwTA3mYBaH9Y6FYWsDub1t32KvA6R1GCePc5JTy7nEuYtK4itkPMEDwlv0xsMWJsNsOAueDR+HT8MX4Qb4JnwPfgV7EcYTJgPN8o6AI/Yi9iOyAE9jiYeBTjlDvEb8TITsVO1M7OLtltqts9tsd9DuqN1Fu6t2t+2eAh3zwe6rnTpJj9SfhCdZkuxI9qRkUgFpO2knZT+lgnIPyGkrdTKNR4ulbaRV0rQYLIYfYxIjjBHJEDJiGcsYlYzbjEeMJjDKrUBeP4K+QcwxTG+mH3M8M4h5jHme2cRsYb4Fa/sLcwBrFCuZlc7KArI7j5XPKmQtZa0Eo97MamW9ZX1kQfYZ9vfsZ3LWcZAn
Source: TCCTL32.DLL.5.dr	Binary or memory string: >localhost:%d%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesvirtualVMWarevirt0000000000%02X%02X%02X%02X%02X%02XBluetoothpfntcctlex.cppRtlIpv6AddressToStringWntdll.dllntohlTCREMOTETCBRIDGE%s=%s
Source: client32.exe, 0000000A.00000003.2164009514.0000000000590000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: client32.exe, 00000008.00000003.2082979500.00000000006FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_1116A559

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,

7_2_110CFCF0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11029230

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11178A14 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

7_2_11178A14

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11030B10 SetUnhandledExceptionFilter,	7_2_11030B10
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_1116A559
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_1115E4D1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_685B28E1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B87F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_685B87F5
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_687E0807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	7_2_687E0807
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11030B10 SetUnhandledExceptionFilter,	8_2_11030B10
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_1116A559
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_1115E4D1

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError,

7_2_110F2280

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11027BE0 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,

7_2_11027BE0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

7_2_1109D4A0

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

7_2_1109DC20

Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Progman

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_11170208
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_1117053C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170499
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	7_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_11170106
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_111701AD
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_11170011
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_111703D9
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170500
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	7_2_685CDB7C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_685CDC56
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_685C1CC1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	7_2_685CDC99
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_685C1DB6
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_685C1E5D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_685C1EB8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_685C2089
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: EnumSystemLocalesA,	7_2_685C2151
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_685C2175
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_685C21DC
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_685C2218
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	7_2_687E888A
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	8_2_1117053C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	8_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_11170011
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170500
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170499

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1101D180 __time64,SetRect,GetLocalTime,

7_2_1101D180

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free,

7_2_1103B220

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_1109D4A0

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_6859A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,

7_2_6859A980

Yara detected NetSupport remote tool

Source: Yara match	File source: 8.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.688b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68890000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1985766789.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4190638856.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2081672435.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2163165064.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2042967524.000000000878D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083140759.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164182999.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.1.231	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false
151.236.16.15	payiki.com	European Union	29802	HVC-ASUS	true
199.188.200.195	anyhowdo.com	United States	22612	NAMECHEAP-NETUS	true

Contacted Domains

Name	IP	Active
payiki.com	151.236.16.15	true
geo.netsupportsoftware.com	104.26.1.231	true
anyhowdo.com	199.188.200.195	true

Contacted URLs

Name	Malicious	Reputation
http://151.236.16.15/fakeurl.htm	true	unknown
http://geo.netsupportsoftware.com/location/loca.asp	false	unknown
http://199.188.200.195/fakeurl.htm	true	unknown

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		7_2_110AC820
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		8_2_110AC820

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\client32.exe			Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\client32.exe			Jump to behavior

Uses 32bit PE files

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: certificate valid

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4194115639.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2084821391.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2165673550.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: ws\Mion.pdb source: powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb00 source: is-JTIOC.tmp.1.dr
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: is-2I7SK.tmp.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: is-7V6MF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: is-DFL4O.tmp.1.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: is-56ICT.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: is-8VUCH.tmp.1.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: is-853KO.tmp.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: is-JPUOQ.tmp.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: is-SF594.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193839189.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2084472036.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2165360601.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: is-GHBG6.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: System.Management.Automation.pdbrq source: powershell.exe, 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbcV source: powershell.exe, 00000005.00000002.2043434808.00000000087B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb44 source: is-7MB5M.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb source: is-JTIOC.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4194011069.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2084695368.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2165556205.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: is-2I7SK.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb source: is-7MB5M.tmp.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: is-NKCKG.tmp.1.dr

Spreading

Yara detected Advanced IP Scanner Hacktool

Source: Yara match

File source: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp, type: DROPPED

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6882CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	7_2_6882CA9B
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68830B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	7_2_68830B33
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49741 -> 199.188.200.195:443
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49740 -> 151.236.16.15:443

Yara detected NetSupport Downloader

Source: Yara match	File source: amsi32_7872.amsi.csv, type: OTHER
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.26.1.231 104.26.1.231

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49760

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: payiki.com
Source: global traffic	DNS traffic detected: DNS query: anyhowdo.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

Source: client32.exe, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.2042967524.000000000878D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoV
Source: powershell.exe, 00000005.00000002.2038454722.0000000007718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989875022.0000000003124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000007.00000002.4192062509.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp=Rw
Source: client32.exe, 00000007.00000002.4192062509.0000000002F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspM
Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000007.00000002.4190771017.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspp
Source: client32.exe, 00000007.00000002.4190771017.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asptXI
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcd.com06
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcd.com0_
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1992936334.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://sv.symcd.com0&
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://sw.symcd.com0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://www.advanced-ip-scanner.com0
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: is-COPMO.tmp.1.dr	String found in binary or memory: http://www.famatech.comARPHELPLINKThe
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.macrovision.com0
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.radmin.com
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D33000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000267A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com/support
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D33000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000267A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com/update
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000266C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com1
Source: powershell.exe, 00000005.00000002.1992936334.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, AudioCapture.dll.5.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0)
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Advanced_IP_Scanner_2.5.4594.12.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1725364189.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1725364189.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

7_2_1101F360

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	7_2_1101F360
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11032930 GetClipboardFormatNameA,SetClipboardData,	7_2_11032930
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	8_2_1101F360
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11032930 GetClipboardFormatNameA,SetClipboardData,	8_2_11032930

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock,

7_2_11031AC0

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11007720

Yara detected Keylogger Generic

Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		7_2_11112840
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		8_2_11112840

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7872.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll	Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Process Stats: CPU usage > 49%

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110A9240: DeviceIoControl,

7_2_110A9240

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

7_2_1115A340

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		8_2_1102CE2D

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11029230	7_2_11029230
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11072460	7_2_11072460
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115B180	7_2_1115B180
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1107F520	7_2_1107F520
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101B980	7_2_1101B980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115F9F0	7_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101BDC0	7_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11163C55	7_2_11163C55
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11050430	7_2_11050430
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110088DB	7_2_110088DB
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101CBE0	7_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11032A60	7_2_11032A60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11086DA0	7_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11044C60	7_2_11044C60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6859A980	7_2_6859A980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4910	7_2_685C4910
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C3923	7_2_685C3923
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6859DBA0	7_2_6859DBA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C3DB8	7_2_685C3DB8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685CA063	7_2_685CA063
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4156	7_2_685C4156
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68591310	7_2_68591310
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B43C0	7_2_685B43C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A84F0	7_2_685A84F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4528	7_2_685C4528
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68591760	7_2_68591760
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68860915	7_2_68860915
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68800919	7_2_68800919
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6881EB1A	7_2_6881EB1A
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115B180	8_2_1115B180
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11029230	8_2_11029230
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1107F520	8_2_1107F520
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101B980	8_2_1101B980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115F9F0	8_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101BDC0	8_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11163C55	8_2_11163C55
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11050430	8_2_11050430
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11072460	8_2_11072460
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110088DB	8_2_110088DB
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101CBE0	8_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11032A60	8_2_11032A60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11086DA0	8_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11044C60	8_2_11044C60

Enables security privileges

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7A90 appears 62 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685930A0 appears 54 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11142A60 appears 1055 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685BF3CB appears 33 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7C70 appears 36 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1116B7E0 appears 54 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 111434D0 appears 42 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11160790 appears 64 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7D00 appears 135 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685B9480 appears 60 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 68596F50 appears 171 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11080C50 appears 64 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1115CBB3 appears 92 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 110290F0 appears 1919 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1105D340 appears 492 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1109CBD0 appears 32 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1105D470 appears 41 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11027550 appears 94 times

PE file contains executable resources (Code or Archives)

Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-CD8F9.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

PE file contains more sections than normal

Source: is-CD8F9.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: Advanced_IP_Scanner_2.5.4594.12.exe	Static PE information: Number of sections : 11 > 10
Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: Number of sections : 11 > 10

PE file does not import any functions

Source: is-V7TQP.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OBI2J.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-D0PHJ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-7B70A.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-NE6KC.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-8VUCH.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-KNEGU.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-PIDI5.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-5BCDU.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-DUVAI.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-CEPGI.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-G3D36.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-3SOVH.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-4RR0D.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OT0US.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-FRMIK.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-DFCT3.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-92959.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-H6NSK.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-46V0R.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-3K2R2.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-CQ3UL.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-QAUD7.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-VRSD9.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-N93NO.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OJCV9.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-MMC0L.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-IE1PQ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-NKCKG.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-IENMB.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-15NDN.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-SF594.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-P26AP.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-D20H8.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-GHBG6.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-UUCTA.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-56ICT.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-DFL4O.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-JPUOQ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-7V6MF.tmp.1.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000000.1717068008.0000000000CB9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007F20B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000034DF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe

Uses 32bit PE files

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: amsi32_7872.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal56.rans.spre.troj.evad.winEXE@10/300@3/3

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11059270 GetLastError,FormatMessageA,LocalFree,

7_2_11059270

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	7_2_1109C750
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	7_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	8_2_1109C750
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	8_2_1109C7E0

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

7_2_11095C90

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11088290 FindResourceA,LoadResource,LockResource,

7_2_11088290

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

File created: C:\Program Files (x86)\Advanced IP Scanner

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\SysHelper

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

File created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

File read: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe "C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Advanced IP Scanner for Windows.lnk.1.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Roaming\SysHelper\nsm_vpro.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: certificate valid

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static file information: File size 21426168 > 1048576

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4194115639.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2084821391.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2165673550.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: ws\Mion.pdb source: powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb00 source: is-JTIOC.tmp.1.dr
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: is-2I7SK.tmp.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: is-7V6MF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: is-DFL4O.tmp.1.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: is-56ICT.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: is-8VUCH.tmp.1.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: is-853KO.tmp.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: is-JPUOQ.tmp.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: is-SF594.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193839189.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2084472036.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2165360601.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: is-GHBG6.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: System.Management.Automation.pdbrq source: powershell.exe, 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbcV source: powershell.exe, 00000005.00000002.2043434808.00000000087B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb44 source: is-7MB5M.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb source: is-JTIOC.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4194011069.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2084695368.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2165556205.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: is-2I7SK.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb source: is-7MB5M.tmp.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: is-NKCKG.tmp.1.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11029230

PE file contains sections with non-standard names

Source: Advanced_IP_Scanner_2.5.4594.12.exe	Static PE information: section name: .didata
Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: section name: .didata
Source: is-CD8F9.tmp.1.dr	Static PE information: section name: .didata
Source: is-853KO.tmp.1.dr	Static PE information: section name: .didat
Source: is-GUAOM.tmp.1.dr	Static PE information: section name: .00cfg
Source: is-CJFIB.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-T9A9E.tmp.1.dr	Static PE information: section name: .qtmetad
Source: PCICL32.DLL.5.dr	Static PE information: section name: .hhshare

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_079D9CE5 push FFFFFFE8h; ret	5_2_079D9CE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_089538DF push 8B08953Ch; retf	5_2_089538EB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08950C50 push eax; ret	5_2_08950C63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08950EA8 push esp; ret	5_2_08950F83
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08950FBC push esp; ret	5_2_08950F83
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1116B825 push ecx; ret	7_2_1116B838
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11166719 push ecx; ret	7_2_1116672C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11040641 push 3BFFFFFEh; ret	7_2_11040646
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C6BBF push ecx; ret	7_2_685C6BD2
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4DF5 push 685C43F9h; retf	7_2_685C4E1F
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B8377 push 3BFFFFFFh; retf	7_2_685B837C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685BE36C push edi; ret	7_2_685BE37B
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685BE3F7 push edi; ret	7_2_685BE3F9
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B94C5 push ecx; ret	7_2_685B94D8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_687E0995 push ecx; ret	7_2_687E09A8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1116B825 push ecx; ret	8_2_1116B838
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11166719 push ecx; ret	8_2_1116672C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11040641 push 3BFFFFFEh; ret	8_2_11040646

Source: msvcr100.dll.5.dr

Static PE information: section name: .text entropy: 6.909044922675825

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-N93NO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-G3D36.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-VRSD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-H6NSK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-SF594.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ucrtbase.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-92959.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3SOVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-MMC0L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IENMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IUPCJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-PIDI5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JTIOC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-P26AP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7V6MF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NKCKG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-BSRNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DUVAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-853KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IGVP5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-KNEGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CQ3UL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-D20H8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-46V0R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-FRMIK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-SCCPB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-O0KOL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7MB5M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-KATLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NE6KC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OJCV9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-PLELM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CEPGI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DFCT3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JPUOQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GUAOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JFL1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-2I7SK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OBI2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OT0US.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CD8F9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-8VUCH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-56ICT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-T9A9E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	File created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-D0PHJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-4RR0D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-CJFIB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IE1PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-UUCTA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-5BCDU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3K2R2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-V7TQP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7B70A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-15NDN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GHBG6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DFL4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DFILP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-QAUD7.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,	7_2_685A7030
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685950E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	7_2_685950E0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68595117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	7_2_68595117
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68595490 GetPrivateProfileIntA,	7_2_68595490

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools\Advanced IP Scanner for Windows.lnk			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	7_2_110251B0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11025600
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	7_2_111579D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	7_2_110238D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	7_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	7_2_11110220
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	8_2_110251B0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11025600
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	8_2_111579D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	8_2_110238D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	8_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	8_2_11110220

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11029230

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685991F0		7_2_685991F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A4F30		7_2_685A4F30

Contains functionality to enumerate running services

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		7_2_11127110
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		8_2_11127110

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7337	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2352	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 3258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 444	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 4944	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-N93NO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-G3D36.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-VRSD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-H6NSK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-SF594.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-92959.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3SOVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-MMC0L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IENMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IUPCJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PIDI5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-P26AP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JTIOC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7V6MF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NKCKG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-BSRNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DUVAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-853KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IGVP5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-KNEGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CQ3UL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-D20H8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-46V0R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FRMIK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-SCCPB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-O0KOL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7MB5M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NE6KC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-KATLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OJCV9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PLELM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CEPGI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DFCT3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JPUOQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JFL1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GUAOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2I7SK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OBI2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OT0US.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-8VUCH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CD8F9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-56ICT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-T9A9E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-D0PHJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-4RR0D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-CJFIB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IE1PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-UUCTA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-5BCDU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3K2R2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-V7TQP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7B70A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-15NDN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GHBG6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DFL4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DFILP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-QAUD7.tmp	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API coverage: 5.5 %
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API coverage: 2.8 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_685A4F30

7_2_685A4F30

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 8064	Thread sleep time: -814500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 8068	Thread sleep time: -44400s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 8064	Thread sleep time: -1236000s >= -30000s	Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_685A3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 685A3226h

7_2_685A3130

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6882CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	7_2_6882CA9B
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68830B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	7_2_68830B33
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: unins000.dat.1.dr	Binary or memory string: K33kSIWfuHhZXRVN/FJzyTDU56C+/GhzewmB5cCI4G/wVvY9gXQrVd1MMGCUnL90lf5H2Wi+g01xtobYeTu8MXHKUbuoLgE7H1VedSJqF5oRyKgjeLw+GGkgnq/3AG9Vd6j/wdIFZBUxzRk2n9tWtV3JwezlWhdVmLdhwNhOKeSc0832W1I60DbuB3QIM0g+o1BjY39EdCRcnuyjvwMPF8yKhjot428DnN6AH33lfvJzc5u3xzLPUvdZBfppf5Xfw5HGFvFsnwvh1vy73uPzfdaTR0/7k/bucOT4a+LMT2HMTPP/G/wkNFBZEBZmC3EGhoFhQUSmiy/DFX4KQvSlCOqhvCykIIYIUIRVJLdKA9CIbVSa9gENJj/ypqDXX+mnDtWnaBm0n2P6Mdk3dT3/TkukZflX71YLD64j4GanP0NdCfz/Uv+o/9Tg0Bc2L0xXIqhHqq/dmuo8epifpVbWLVjNsw0cGtYSbHmvMNlYbG43txjlgmPzmE8fMbVKznFnHbGV2NoeZ483p5kpzrxkXbJ8CDqYMeL6vNcjaAo5/ZH21MsMV9mJTgWRyh19Ou4Btqpm3sqNnLrToGee2EwKGHgFXfUZNjIjtpfKGenu8c94D743cjc1/gwecpGrJL/KCcM11cc6TxEyxB475lAj1c/uuH6hZVnIqeA9EpOyfX+H/qTqabyIuP/rxgqS/ZvY0CtoE44IZ8C1XpAY9myLkg+qdT0MCUgpnXZ80Jb3VfIlz5BmJrSXVooBY2bViQPwmqrdwNiL3uHYZuJ9br6a31qfq85WPPqZf0T/qP4BaSakLH10fp7tS3ZU7Rhk10bgP9P1L46cxwBxrzjTXQd+/Mb+byawoYI88uS7/1dEzBop/ijXjV2dPXkagYO1fO2dj2/HtxFD84XZKO7o2JCe0EkGk2/am/9radNI++/87qyG2E99J7IQ64f9nFcx/bh0fOk/hE944H/697+kycO1v5E0o8ia7lwe+sr7XFZ5qrDfb26m6gM54V7y73jM1HzEGT8BT8LQ8D1CkIm8O1pnI5yCvtsLNn4J2usff8588jkgmouDrCTKrEN5xFTVBrxVyaRTYaJG62ZQ7sk6La+Kl+CR+ioRQT6X8Cup+s5dSTbP9Bf4yf5O/C4r6LPjpkx8/yByUCMoFVYJewZBgVbBeKuqQkLsp1JzqNaSftlhbCp/+mEYYOY18eE+FjeLGdOOTUc1cZu40w630Vlb1burAl3a2pqvvmnetXCy/YoOBbCybw5awTvZQMHJ5p4ozGFH9yHnhxAQX2G5VuKpW7nBXTg3d5p5yb+DU0nge9E4/nNVuj4OLi8A1rICTKi2aiY7g3NciFrRLU1nr+SaFqlM5Q+6R2togfZQ+ASpuvr5CzTA/pT/XY1MDzNiLTqBTFScmgo+sYgwxxivOuw60fKfmARU1m5idkKn7zefmJCsDYqkwq8iqq/6Fdqw7G4UM3aVqHT9De8e1KTT3CjuD0xCOaJmz0bnk3IOODgXDyUq01dBtB5CtT9wkXnIvp5cPzFbZq+VN8zYqxojgabiLrC3DO/D+fAxydyac0F6l4h4qHRdTyO6wLPCMDjC0F7J5scjlv/TfQZVlg9qdFmwNduFNhavvWbmRka3JDPKUfCJJNB/oVwNMuUjVsRnQDTX1Zvo8fYm+8de0hrd6CDCO0iq0rrqxH0ZH0xn0d7oYOHcLuiyukcxICw71kZO1oXw3QaHFg6OJrncchXO6ZN5RiJZZKbO61norIWutqklmgv/vsig7s53b1mxm+3YRu4LdA457GfLuNLLtif3Wzqp6Fus4TZw+zki19WovcO6l09Jt5+5Qe/HuuC/cb25C6LMCXnEoNFlh0RY5dBz+Q+DkusJnj+UH4Cpq4nxmi4P+W7WvNhS8kSNgQZFgTDAZp3QIXHtR7tAJDVfaqxbpR7YhXlKrmVKFgFqVtQVQqhu1U1opvYXeFjG0Vr+o9kL3pi9oEiC+a9Q0ZhjF4eg2m/etH9D12ZgOrCkMvVCVtUGU72SPWC2waDN7pn3Ofg29EF/12rtq
Source: client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: VMware
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2094672398.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\v
Source: client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla]h*
Source: powershell.exe, 00000005.00000002.2038454722.0000000007718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: unins000.dat.1.dr	Binary or memory string: RSpS+b8h4yXu7f4F173oPnaJfdf6CO9BL0uO4v6liPWIbSKdwD5fPibLHAxNx+l4ebh4B373rfYPaIXOaJ2x332r6ezlxRLYyFCPwPH+PgKXgAAWIqPnEjjOxznIy0Xf0dvZy2U4Ywm0zzTQ0T8wyHe0t6vPcKZAe3R8Jk9GlbEe3qg0ZqSJ4UhxlFKRilSkIhWpSEUqUpGKVKQiFalIRULk+LMAcEI+Ux6Xi3GpgstIXNLfwPfjsgUur/H/w0uKIqO7BV7ifrqHQEGGzaR41HFJ/6f/AZdyuBwvI4zXHZf1GP/L+EwFXK7EpSIut8qUjlf4H/zjZex/hgncK2M/2VFQzn5V2TLiRwO6yjJW1v4fytmvX85+y3L2u5ezP7Sc/XPL2b+ynP2R5ezfWc7+4+Xsv1bO/gzcv3IUlpPELSH79TBdleJt9wm4rVC8reqA++SKt0OdMbxCcQTrvWRYZKfi4/pLcVviuQUvN8qwuYoS4WNlmHvd4m2FFBnmJGHpPXSenyS23RNl2Po6Ejt0GFsquS2SIcNCJ3upB7v4B3j4eA/V6KvZR0PdxVvg4+zh7TZUw9xsVK8fNNQDAh29nR29fLxdhmqEuQRoDNNSVhriGBDgMtnJK0wdI/AOGKoR5O89KEDg7jLZMaDXZA+Bv0+Aj2tgL4HP5EGOAZM1g/tqqE929PZwdQkInCCZmmRUo51dvAM9AsOUldRRio3qo8k/GsL9vsJTYz7+w/0F7h6BLoLAIH80zPKHASIFb8fJuG3oEmga5Ovr4x+oLjzVpq7j4+3q4Rbk7xjo4y9SDQzzRdUQD+/vvsU9vckYZ5cAgb+HbyAmrSURxzhHb0c3F391E5fJPoEuFFegv4+X5pDekvoU6ZBA/6CAQDovV8GS+VZDS2jMkAAXQZA/5l+0jXv8XfyCsMRcnMf7ewR7eLm4uQQUHZQ8PDIUg5IJY12CXbzUveh3qIZjwGjvYB9PF38N9d7FcfYuP9IhvUuYMKR3UV6EJePr4o0UCcQGFu0JHC5iUNK4slkVS8mSlzwipG+cuKA0LTy8nX1CAjTp/KaPdy9RyQeUClXkLQNKOItYvug0RYpBTl4egjEuYWZYcBRd/4H9nQb069uvn0Dg2tfZtZS6l6O3WxA6xlCN7hJHeheVZ1klVLxXINx0LD6mrCSsl11Z8SNKZERPZZnJypOZwoMzZwoX9KFd+LN/P/ZaDPiXHnDDF/ShXfgTEhISqIsSMuPXkALdRbScAXwZsmjRT8KlUYERLucW6BfMwOWin3QX0X4I1DUCXL4N1NWn5a8YDy5DKT7UF8f7hSWrplA50Wn1ibycRA2wRLvJOz5Rszto0CCmpaXFbPX7M0fDgczZeAhzNx/G+g7UZgO0RjKtYdpsmPZwNmiEARs+fDjT0R3JRo4cyUbojWF6+qPZmDFj2HC98Ux3jAnTG2/BjMYbszGmNszQ0p6ZmpoyK0sLZmFpxWxsbJjHhBFsstVI5mutx/zsDFig4zgWLBjPpriash89JrAZnpbM1EbALCa6MYeJjrh0ZzYCD+bo6MicBM5M4OrGXFxc2KRJk5ibTxALCAhgawcz9rdZA7YBS22jPmNbRiPGMbZ5jByLMpRl4caMhZvIsQgzORaJ63EmjEWZybI4c+xbTFHHXI7FW9ZhMZbyLN5Knm0wVcQwSmyDmSKLmKDAIswboJ4Ci8T1eAsFFm6lwqIslVi8tSKLslZmsbYqbKuFLNtqLc+SbJVYjF0jljJRme10qo9QYfFOzVicoC1LFjRlaS5N2B53NZbi2oKlurVk291bs7RJbVmciwZLcO/EEiZ1ZUmuHViyR0e2Z3IHluTZne3x7cJ2+PVkaX49WKJvf5YW3IftDe3HkoOGsB2hA9me6UPZoclt2CHf9uygfyeWHqDBTod2ZkeCurKjoZrsRFhPdmV6Z3ZhWg92LKwPOzW9D/vTU5vN9LRgs7yt2RxfO5YSOJxtC9Nhu37UZTtn6LMFU9zY2VkD2Nk5P7Dzs/qzCz8PYefnDmN7Zhqw3b+YsCM/jWKH5hqy
Source: client32.exe, 00000007.00000002.4192062509.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWLMEM
Source: client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: unins000.dat.1.dr	Binary or memory string: vlW10eg3sl+MnMZHcScibf4SsoNaBXhjfqaiZq2uyMZqTtoOoiQ5TTSA8EHmxWV5glfz70aBut44aVuefH6joNPjnBU4Zl9wq2zreHwW1Vu3XrNek+IdV7/YNetKuu8ah8w8M1OsDDXrgnw+hofDw+sB+rOTFYiY8I+9if53aqdjZl7eq1nIPpYjCveh/wvQLbPjabsJj6Mnn29mhNNVsgQwSTTmaokUXzqIh3/FBvYtV1ByFTUcWJBkQTtKBSY618iRlJpiF7+NqMQ/WstIOl+TWO0LuTGdTcRL6f5OKB0qzBzUVx6NyVFPxYIFSzh7GcvNgEU6Q7QbsktFvD01B2Fw723Sz5raknIS9+TaT3wWtk+AvDVQwATgTCKyqPA8GGKtLFQgSdAgdQYeKxmba0Tty9wMovjvkIAKoZ8OaOhW57JCT+umby7grsSkFBFXjuw6rUORNCGzJcrmxBlHi6k1/HKoe4XtG0uCwiAxe3eVm7/27kytBtrrZgVwUJO0npwO7WHnKaRgVB9mvHwNtha631VmCichLldbJOtjl0PK9UfUfwKYfhpiyOiebcpm+fwBGdKocKt0q+b9gPVdr633pVkeTbSut99cCKxPo1fuMgd44f5lb3Ip907w4CvJGRbkS3OLteIK5DueFhrp3BugEDXA8WwxUmPV+Izvn+5PKb6uccfrRXBXrb7Lf9aqD/ZykF3IP8GUL6EF5jzR7PPs6hRODLb4iCfYBAm4GgBDgt0meNu5NXc3ENNk9rmZSujQ7W5o9Spo9umb2GGn2WGn21Fgwb7XFOqHFWqXyTvbpVeEWQx2lVmoxc4Fe6Cu/+ULox39vlP8U2Zam+u+NdaRybn6MI5XWf9KcmBcofHU3d6QSSTAT6dBHPIHlvWRM4IpysYT3TneM/14F/fcqZ/jv9bj79d+LJcX4701tOKFEfKlMUct0aB6WmlRXrZ8JhCe+l0Q5VAK6Pzl+IsYrKxsb8byUtmiLzyc3lfiKS3wXBFiyJfgSPIsPHemIeejtsRFPTNuZ79eYyOfDkXItvp0T04ydoyh4yDLnxP7ZJWrCe8bGOoSV4+Tl6O4LvbQou8MeXIrDyZZuxmTo8NdSfS+1G7We6o5Yc/0S3vAmj411CcXH88ClUePZelaJ71qOTtM8AIW+S9QVuyneh309+RsUJtImpMIql6cR/u80USqeL1UukGb71ut9Y6JhsVIXcxeOQ3igy0Oowayn66hC7tq9VvbmwLCnDnPuASRuwJe7YSLNMbEVA7VZdK40xQCzCL5gFuG3CbYYjZNgOZ1iaJyQrmu/gFMh2G+b2J9zw5uIQ7CJOERTpO1qdGTk1Ykj6YSVal65mC21dPfrYNV6Jn7+jUv/G/+K242mBGwptdnkRYuBRASP+0aTjFrlYXcSCb+wDQ9XDHY24mK94GZDL6Y1IjR9CdH0xN7jEYezbEBmt/Lb9lDoD69MifjD+/Si3/aHh/L/pVH2U4bfsJ86Et2lEx48qiztRcURyxPfGHFAfgzfoadSoaZLu/E0yfJEI4a/Ky3bjEeVodHwo+JJNhpnotKZpXoj5svdlp+r7JM7vZa448o+ryGuU9kXqkWRcBwHfHTam0hCPEZANcoi0nvwPSTbVuXYVhQ0VtzntoujFsDIfG0hro8rNChFnoczbqddKl2lpM9ApVvCuDnyUtg6HNFURz5Fiirsx6afEOY1kekafyI0Hzd74U4VvpOQJIFftkMmrGE2wTMHv0f9F8rxD7E5toR4jiu1HN/4RMvRpuZIi5fbyXP0JrLNF0cAPlUN4baAgVv5PYLldGHDPzFAtYDEHWOUryNY1Be8PSjFqxezOHj6wB7OQYc9wVqq8zDGKjdH9IrbcBqE3kERemgzCiebgiSixLlOgnW8YnFzORg1Kc28gwnknazS3gnziHw5NrO3cL/FJfEQlZt4WmlrhsSozNjM1Xzff4w4xi/6aDfW2DrmSaXNTbad6K+Y+/E8P2RrtpNiQTjH70yQ44MEcczyTvViC7TdqVpBz4nT2ubupNi2QSaLvHp7dWRV
Source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000007.00000002.4192062509.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4190771017.000000000045E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.5.dr	Binary or memory string: VMWare
Source: unins000.dat.1.dr	Binary or memory string: AYjgDCKVXTQPQHjASBQAWaCysPaouXOM/pZ0ZdDfofBYVFJ1CankUJIUbhxFCpMAf4OU7rMMwBx7P40K/kgYjI+igq6cD1NU0M2pIAzYzOlADg1U8HaKCr5x/ipUACQAYn+2LVHRuDCRRgmCQgk3XUnO1GlUwEng9JlL6bw2jV/gcdUY/GIBDKN7gUamDqOP2Zw+zmr7tf1IH/055+rLS/5e+qg6N6yBt/IqmnQlUCVk9+qIWYDQuSDzf7Te986OqFdB7KxsWssNG17RJFLPppBK1pu0tYTUWkLqH64i/vw/xu+nsavjF0QArzaF34z/0XqfiP0d+M38v8QvrvdhclVWKLTcRIYHrM7WB0tiqM/wusDmIATsCItEBvSReFawO0uazUdojNp6URP8KAuae7a+/Pa/d5yu+yyRaNTdzuug675Q5UJNU/7tf7vC8Cc6Xics4wIVf1e1xhHVNsFCUH87otUa12UfIiz3MWsMsCxaY4jimIJiWOjmMWu+2i2oAbkdacj9cvhsAYm+gJmaFKzC/LU/chrJgVNR5IwxjZAA7jRauv3vpaVbPh2N3JaFIFwXAH6JjnRNrNPQ0sFZP1UP1AwQ/AdBcA4hCAMEcgbHdmwI24DrnA8Aju4MjuRIt8ABytmPjekWciL2JBy//utobJsQ2wlrPPtYo3EUso+lkJ22XDr96nBKdpN96fykTiwgXt79RzpkwqxTNgDrdmkvwdcXUl8DPWlyH+cvXNirhEUFMPndeCaS9AelSFUJLUixM7TH1g7U4QSmE4SezKYj/UcLjEcuBjIpRwUIEvdyYTN32LRh1ff8NlXj/2h92i9VHzrO4BXifTer8Q3MLVoH6f6b4fVMFo8kMlhX8L+vC35ynRZm7GxtPJj4BlSaC5Xu7+8sUB8ZCGRStrm0DRls13zVOhg48FUrCtYBEqwDJFgHSLD+l2Hz4xfX35LJagsMLUvWqSXdOkPLKuDmKu0lbXxtQmn51YDQxhCGt64Gwy+uuh5yKDoGtQKHZ/dweKZGzuiYrjklDrGuSA/KQYaWEzgOjmk7U50yQemUKYYW4E+GdCFqdK4jF0fnS3VmJer5ypoFIlpMNDzzRCKNlQeIlQeIlQf0p7+dGCV/5AXjBYbQRLr9l4+bjoXMWsxsM2GMo03x4U7L7fImMsyTX72/SBWMC6vr6ndvRvuA/pk8yxg5fkFmHvMox+5NZEzQPZNZC+ogS3GNCpKbILnRPnSGLD/+V8xSgFnGiP3+2VSBzFYQjGesvpG5i5l1JvrEQQPQSDToqQY1c33nUvBCbDCug3Qj0qzWy4/1p4qUb0qDN54XqAO0MFwpmxA5M0Znl629aRmEMZNMPJuWZGwQ7r0wBMKkdBCMXwKEWZf+Jgifxf4mCEXxIRBU6SAIhtBalUIgwmrovJkcnJF1vDqQXgdSUuHVKWnCxaGesRVymhiLGPovpVGcLuAos+ZDye4iDsVYfT5zYKhka9HVISgaTKVLjm8c3nlej/zdP2WrGEqLwTadB7BeV4j29WkzAWv47m/xSrTRy7rkw3/iqvtL2YEH0L4GYKhu8bDEf3yJErOuUMJfxFVVPF5o2JZtWrIHYwz1+02W87XokwnVhG57l2Yb9mev/M8jCg+Y0fYbFYGoeWDbUMnktskKJUPDbnhZq+p5kVQz9EpbjS+nIL5mRKHp/K0m4XtiUpo+eHfm1e9f0rwhkcshh0fcteIiWcO8mNJS2HsKT6K24P6SeS+mMm9Bf0Ti3k0XyTLZRXIn/3QWsITQCcPTCaiqptfDz8jF0AaIflmlElSBMrYLSw3WLVIZGj7IxDPak3TYNVmFJ/o66KfKRV40urPhbF6ul7vyOr0jM6WhsELRUFiRrqGAL77WOaih8GLfYFJDYQkVT3Fb5+D5euNQXMVQiSjLYYn4CyWWom/rOTvaZuSq64qY1E2HkAijx+F0eZXkik61bxWUK8+diKc2Be2hF6Blqt0P/mJaLofzS+mMh8KBLJ5VzbYgbti8glDYX6Agxi6FDvMDSK7TkUosSfUXsbPaQ714
Source: unins000.dat.1.dr	Binary or memory string: ZhsEwSzDYJhtdAT+MAmFOWYnYK2RJ2w08gAFW3dYbH4MVlqEwjKrE7DKMhQkbI7AfItTMN/6HCyxOw8r7U7DCsdwWO8ZAdL2h0E16CqI8K/DKusbsMYrCjZ63QWZQ9fhgFs86PCewEa/aNgQcBf+PBwPYkGxsOXIPdh8JAH2BESB1pl42B3+GJTPPwQ9g2zQMSkE+ZhSOBBbCgfjy+HgPQGoJFSAxv0aUE0Vgk5aI2ikCUEv7TloZSDoZAiB7+YPpjbPwOJQHpg7lYGLez7YuRfCIfc68DlWDj6BdAxoBsuEfNBPF4LBEyGYEJs9FYLT0wpweVwPh542gFEmAo+Y/0wIVlnEOQi29Nk2TwiOxG6ZjeBBbFdI+YqEYF+C4FSG4Fn8HFzLEbxKhXBIQN8rEHzLn4NvpRACiQOqEY7QMbSKjvT5aiXCjQoh3Kz8by/U/+2Eb2O/2tJZwz7/rG+X9P5QGdi0eOH8mTMHDvzoow9fJvppOIgYdUUaM+cPnDt37ofDYK0BkZ6BHpGqngpHyirKO2eLzR80f24/kvN4TMYt9ChrKxNJEm2du1Ns4acs/0Zuj6aesTaXRFNTU1lSk+SzlbeLLZzWr03OEmi3JtCUVFbeOkeZEiwe+AVs5PONTbjd1BwIk2sqS+1cMmfO7DlzplF+Cz7fhM8l0DbWbsfYvn3r9p1GDN/Cgs8zaSmBlGjXgvRUVu/XImcltKV4UYamsgGTW7MEJiatGG310GYJ1Fn51lwCLolJxxSUQKNfq5wrwtS0TY1WDO3W/FwKPt/U1JTfkkKvVYuW/A4sAVeIKdOzJQVD0WvJ79BaApeA36YFKaHH6c+JrW1tbbkEHVIY63H1d6AEtlTAixStIHrGGh9yckowYYiGha1FawLTtqqqt8h7j/xu8pRVLH9bERyKMU+D+hfJf+81+cBoJdvWBLatIJTAaOCXTD5hsuL+bydacDq2g1AJPKPps0j+w1QFeVn5rz8WdXCwbyGuKKqy0fx5sNHpq5+/+VFcdu+WUc6dycnJbP4y2Lxx5eAV/Setlhu7YsNLtGbNn22DaMwv43seZePgHVHbO/n1u37u5dvmPs16LfeitNGbrKe8P+DTPr369OlHKdlC38B3zAOIP4Zevd7v/f4HvYdPX/Rer959mGbMFuxBA2yz/2/vkNnDBtiC74g+Hw748MvpC7/8RY4f8bO85aNJknqPJ0hoPv12q3rm+M2qmV+LqWSO23Qwc+wm5bfEBzPHbVZ/+o2EburnM5ezW3SGLHO4+HC54yVcbHseKV5Ciq2Q4iycoRuAFAsixYTE3n+LKb7kmGLMTr9PPuiGX2/VZnvyRqzxvonuWU3o+RaZ4h10f9qAFCviPKuzOEMnACkmxNVWx1CUjhT/4rgtGomEP4piPHTMF6JTnhDtc4RoxzhbiBRDoQ2xNTHFVWiZKUQLYj4xxWBo+kSIFI8h77EQjYgNM4RoQEyxGlKch5r3a5BiUaQ4ESkGRYqnkWJUTo8WfHWG/xXFl+hUhOhciGiXj2iTh2idi0hxHFoSm2cj8p8hmhKbZCEaZyIaPUU0eIKoR6z7GFE7A1EzHVGDWC0NkWJOlI8pw+XWJ5DiUdxz6QkutDlHNg1EipE74YsdSUCnYsIntmc6FCDaMj2YDrktOlhkt+hhxvQgHSje5PQwJD30mR6kgw6xVqse6mlCVIgp5fB105uQ4mFOh6X2F5DieJyk3AH/aAI6lxJ+CeEzHagt7Nr0eKktLFrbwqy1LXhtbdGqx4u2ECLF4hy+/uPnqJvR3K6DiNNF6g/+nfBdypBj+w46dGqL7myS1YVNWFtQP6D4H2muwenQkWkegjSv6oR/qBw5diQdHEq70aNNh9eyiRB1UhtRNbEClakdWFsoxpYhzUeQ5g34o7JbO/5mwncnbDdiZ8KnuQE6lr6qh103/bNbm5AOejQudKkttImZTfTSn6MrjcuX8T0EyLEL06G8VYee2uIlPdra4mWbGHa0CbEB6dMVvjdhexHTPAhpTvT6eryGTYw6jBOjJ13j+1Qgx+7E
Source: unins000.dat.1.dr	Binary or memory string: PVgb51/FIfmCqXE3BYOp62AOpRTcHzwmxW63FU/99o1SPDXouMKt2H4UbT8qu/RO8iK2n11KxoHRYCE7WvBZc+9fzhhHygiA4GRRePNNXHZ18m7T92x8aqae6U7qjyjDn7aY3iiDm8f4TIHesLrYVML8gCA3mv5CkJcwB7DWcQ5HO+IxKWJchvHdj/2vYDzVN8hPngQY31+tcuVVq5jRAozmxlaQ5l6hkK5CyzMKlAwjVvB2KoycxOWdHBPF7i6LVAWvwqPfyavQf16r+2T2Ba3DwBE0fr4YAVsLY8PHdXUAIEDn7uSdw8pgNTDYLVjFOxipRDNPibHXkbl/APcybC72wwg0hnJwMD9Cm3gKg6yaS8fSFj5sGiHhQza9npRMDMelv1eQll7vaBgJI5xyxI949D7iaTqkDDTrCZF4NlLiuWtuIPE8M/d/tbC5viEcfdxHPH1wSTvznYvMukK14YtiIcLbkYqzOzaLO7WtiOiTw3T5QJm5/1HfAYi24PYbgMVpdCSMwvMPhwPWL45UH/T5fx8XwfINJQl6FxMtxRyvnwSgmWMnDz/6j0Dz9hWCxuBmMQYCZjz+3EUB5msn3zyCU0fssZONB9BNaRfYavFx3gUnmqBQlR10wwMoyeNl8MSKA8+sTs2sMqwsziDPHEI45YFmP/aR1nCqCIKTYZSEX+R3DbRbnECfyX7nkh+zz/aekjAwrEezqOWRr/0K/3FNc+vCYASuSYIZW5NPoHaDr6Zn13HZDVx2rVednn9zAtNYFDHmHmbwmPlM3zGLgE3dUaEsykeLKJsaB2r0V+owoK2OrsxmtbfDV+j6ha+a5N3j04si7AXFhoISjN56fOmXqjSVyr3bUIDXyhm2FbsarIbn0I5ilrpIgqGgHm0U0pG5M4OZ4CJxzBAXiWL6uIjW4OZwJ8jcYHDvU2GsSQPGmrj2GmtK4bPj6Zqt8FFfmmZwf0TT02o+pMVqsVjNKzRTI/rIeHOz6+cWV1Wza6+mYzlMuQZPj9AHtRml3QTvoy4yjbnLRToz5gwmCQcV6yIRBje+8n2hVFWsUrHmjse9k1x5dSrWtOz+ZmG7IJSb62gMzHCaOqDD9GY5pbdUJ3rZXjzA4jVsURkBFJWMFt/a7liZjm9lG9xVaJnm1arYiJrlUE1cAmeYzRE/Gkjk6B6qhQB1LHGVhckrlH/zWPZRqWS4I2E0nl2xHZBLdnSVhUOfKq3KO86pcwyk2aP8s3WYrVF5E5yRjhE0O07J7uYqi8RstcrXm4rpQjL2K2jwHgt14x35amphe8x6dDhbyKg06agqvWMhnjfHoP6aoU/ezWVoOR2XAf/Foxsqwyi+knbffQtU06elD0mBRvFz+E23mxH3p0+ZPOGOiWYVDL4KgaA7gHwCTFeJB7BdyZffNkpXMl7D0isZc+ykl1O+zu4B/QE7ud0p8YehdpImfm9h+trJCPhe0hDuGeFGyreT/k5K3SI7iJA4gWFbhjb/x0uFGVqZnjtSeiYl+ykV6+xk0YNIxTK9VgbR73ejFfmA7nuYSu4YmMrY/XQqaKvIQuvPfQpgMxlKX2gE4znKhha2E6mg2Xj8y1vtLs7VmcIxEGd+J7LZl1FGmZ84BT6Gsj7DtokabbIwqV85G+Y9PD4/FQlbDYStA8LuNmYR+4xTM5O/kHyoz3R9x2uRI3jv4097/3DXM/cjmZIExookMNZFRjHRGcz1+COG0sOtqP/i7tMALk/vHQIWVDx/bNnPSA3e3vCrM/zai2TvjS448biWPur4c/OyvUh044vUBcVMmHeVOKLk4hQ1MEeMo8RTtOSzpchdOfrkkJF8txdniC+M1/yKVAJLy83GoEQu3ei/LHwZueFbWQhVPRAgt4PX5eEx0rpIzrfH9irQPzBfMheVN4+m+TI/EzO9PZGzbgF1IYvfxUX02wNpnE1r2sVoxOsYQWseC+s8HRYHHS3VFG9NTSj48cJVja/Fu+dT2+RxUTU4T0swpwAivcSvh8k7S1C26KBiJ7J7jwwL7x4uuzmlN1hqm/bIjTlbMGTNgbGb
Source: unins000.dat.1.dr	Binary or memory string: gg/RJs23qH4Uqt8oZPBNJc2Hde3x4biqmifzqPEtdmL0B63ScxC+fIRvh5DRnyynTvQHydVwVN+M6s9i9sfHg+oPz+Ope17lKYw9LzeOnbyeg7WpSAOpNT2Y/fLmHHDsg3NC0RJqYOKO59jxyHyEexPCvZ9g4DY4wL1mXFnNwy+oOS1h4kN2yctOFrvEG2FuQpijCBu7pNQh7qqazTRub+cDtvbbj7BYFAVBao0Ls6+DnTuQZUnN0RRalpOcD9jaEPMRzk0I536cOX6HOOsQzmQLzhJnu/l6CeGsRzhnMHGecXYoJy2pbsji/2EevVloSSiiE5izVsJC3r8LtNAssNEX8R4OaKsvr9k0H+ng4zWyfNo6MKIXg+SsIt8BUGpOQHgLEN5ttnh1Ho7n7MbntP/jYqFFcc7YIuT/IIzNCGOYgOn/uDjel8EDKBn16WInoycxC38VY0j6Ib+miW/DX0O7HOicj7EIYdiIMBzkM+Q1i5bXde3IK2mDSWrS5tFzX2zfv5cRzjqEcyafMd5SB31aswbNQc2ysfQ+iiXPg0v1w1IOXZZ8S5urQqmJ2wPrALXebYe7oiSoWvMHj1rvkI3nDQlobKUeDvbtkU6ehaoXoOpbeQya8HpSfdH0bG9vtr7mbyM9/1w7/dIH4WtG+MJ4zPnndqS7at430jT26WqH8+gTwBkKqTVPXmPgHNm1A/+3qXWt1NnjTEY4tyGcO5k4MxzgPOXstfyAoe7ULsM36Kbm/oHGFsv8MOfRUp6cw24HDBpGunvalyT+8oN7yNCnGzVPQUV7DNtKdxk6whdqh8/3mz0d1smyq3MJ+oDSUbscOsynzxiaww8YKgDP8e/22NS5+x3VjpFx7oJwpDLiyE5dBHEWjdfF0oZrK+4zgCMu/Usb3OshjnA32eGugDiqX0WHNxj5iMe73ynscOwZrnb01+wncW2CdERvlKYJpPpnweEGUCPaT6ZNTN9NhqWu1Dw1v7HbWs+SV03nFU1vm4e5UXm69LZ53pCHaFb61m6Dx+K2+Qq67pm32+ZF0Xl7V7XN09F5xJq2ebl0Xmo7eQV0XiWdh+6Pu7XSqSi5LZ0Un+62wVFP4/DZ3Ra/W3cqL7+oFf/g7q34S1Pb4m/i7CHLhTDKNbdTzpu7x6YtA91WRdc91rZyGTiIN9viiO9mi6OYxuHms6fNWCrovKB28hrovKx28jx6UHme41rlnaDPBFT3KH72bqLig5uoeCodf4sOV9Dp5XS8kg7/ptN96D23oQ+puI4Olz7sWF729rDTFS9Scl9A75kVPqLk+/AjSiZ/hBDxcMUjCncWvb+zupmKL6b3ZlY8puLv0WElHV6nQ94TqpzkCYXf/wmFf/wTCv+0J1S5ArpcIR0eotM5tC/bhw7dsAMOx0rqAPAXukJYCrxQBWXyVtvqPGwNNfYGGmczjbOB9vuesDpuA/Og2ghNour0Ax3BbCMI4h3hCLDDETXetp+nxlP99HSh+jOEDg20zZXh0nE/8+3aGDjVto38qZQcInCiw3ratkBxyzri0dMWz80ZtuOdEL3bJj8t2ja/KXp3hzwa0dOWR09M3mPY1NPVGl+N7j2wdq/XA8PGB4bgglHxSeT7uhM8XTEDwEqAjwD2ApwEuARQB/AQwKW3K9YHYCSADCAEYAbACoDNAAcBzgJUAtwAeAjQrY8r1h/gZQACQAUwGWAWwFKAtQBbAQ4CHAU4B/A3wEOAHn2hHoAGIBQgCiAGYD7AaoAdAIcAfgO4CeDiBW0BDAfQAEQAxADoALIA1gLkAxwFqACoA8D6uWJuAD4AowACAKYCJAEsBlgFsAkgH+BbgLMAZgB2f1esF8BQABFAKEACgAFgHUABwCGASwA3AVyed8UGAAwHkAGEAMwEWAywGuAjgJ0AhwDOAlwFaALo5u2KvQQgAQgBiAFYBPAOwGaAfIBDAJcAbgJgLwDdAAYDiAD8AEIAogDmACwGeAcgD2A/wCGAHwF+A6gGuAPQbYAr5gUwGIAA8AMYDzADIBVgKUAuwG6AQwBnAC4B1AE0A/R4
Source: unins000.dat.1.dr	Binary or memory string: ZtAh6BL0CPoEA6ADRgRjggnBFHiRpUHImzA1Sys3IYSRBWQZkTf4cp7RXS25ngo+c5L+VT9Oo7dER+Jkv5jJrShrDbj/lBW9I+df+3G6QK/MYHN+zeRIa2e0s9qy6/Su/cRej98r+02SuAFy64BbEhpfblrJyLOBKWSleF5hqzkzQxCzY8QEMUXMEHPEfDHLP+Nf9B+oCIkdJAnCg7TIstJB3aArYuWUmnacXOmIBMizi3hP4do/WhygR0Poe7n9MXrn7V1449wq16L3PW4Cw8pbwLdGPLW93gKGFFZ3o3VNmYltzS7mANUVPstcZK4wN5v/mLHUfveOVjfVCc6BtfdYK7yxefZV4MYLaIx8ju4UdUo5I51ZUBef8bwlkaty48wU949fM+YrQbNV4tXhrvtBp8UWCdTO7iLI2IVip9gruvvL1f7ixMiHAoEI6qiZOsmRsCEhmUkOUpAUJTVJd7iaZWQVYvM/u+KPkpOqTrgmtOgAbYW2VXugvVJ94KHI57jqi1Mb2ocuoavoBnqJvqdfaDxo7ExGdjWtuLXRQVVlyb0oZ81LZlYrl9XZ6gcXPt+6Cf/9zvrHis+yMk1VFtSFGtmtKrBkffDf4ME+UNzL7DX2A/ul/c3+CYeQxskKzdUC/HNccWJ1uPED7mU3t3fXS453b3A5n7u9GCeq+qP9Sf5Mf4W/Sc25yhv4QUPErZxOAuWaMbnyNrXJNDz1SfKAvPs1xSavVgIo0U9t/SyrV9FbQU3VwVMOpJPoSrqLHqQP1K6XzEZ+wwU6NDTaG2ONecY3oxSbpfZxnITqaGV3sMeDweXu9ZROOqccfvFJNXEhs5rjsp3vhf57z0NEIKqCwQ/Jen+SXHmbFGC2T+Shlh//7y76SH2ZvlmPQZPQ3KqHQfabHaa9zKPmE3hhebeSAgq6pjUBqn8pvNZLOMsMrBWcVh8o6OFwW7JLYSXbBjdznt1iqe38dlm7kto7NQ0KYy2YIJVjQsXWcVoCC7Y7R5BXD5y38ARJXDmdfZl7GAqsJG8J17iCb+WH+VneVO0GXSyuiQfio/iJrFqqphLFDyKCrEH+4FBwJ3ivNHnykKwxZE2KB86qTkaRDTjtdySxNlAbBhxepX1EPMXVk+hZwdKOXgJnXhe65JMeH88qe56Ww7tJtAgz5O7/68Z9qNg4JjGLmdXM0dAsH3AK8YF4nRBVc4AhslsyDHw3S/nmo/AOScAl6e0cNrEdeyLiab99x+bwyo2ddvA+fZyJQMI/nPXAv/3OY+eLU8It6x5SGzA+u+nA1EVUvXR9rwUc9BXvgffJi8UT8lCeTnlplxcES7bEyazHWz3BzwMnn/HXUPbJRSFRDa56OPDnO7RklC8nb07xV+Kk3vhJgqPB+ehYrJBczbfKSuqQTdoeqJcnWnw4lsrgdZcWhd9rihybRPfQ1UYCM6lC+yVQI1dMZjWx2lupoES6sWFsO2Kvuj3cPmNftD/Am2R1CjvFnbbOOeea8xrZksTN4GougzPZB/d0BnyfBE/QHNw5RtRVGj654qgZ2kbtonZN3RBWV/w9Bp4tksr6j1L4LV3wVk7Qc/QF3ktsIwq5LuCcKoKPBhrr4DX2Ga3MoXg3J6D0E1vlrCHWOGuFtc7aaUUh011keRt4jtX4vVfYXTUDJLBlD+diqN1j9jWg3lc7yknvtHcGAvfmgqHOwo9cdW46d50ibim3gjvKne8uhbvyvH7eTm+/99pzeSfeg+cTs8RqsVFNuHsg3iIuk/hpoCrld7QB/iLoxw3q+3p07k+EV0mtlYV3eoYnzQFFXBqKZakeRgfTJsZjM4blIq8WWsus61Y8loSlYrbqYrjIrrMMdh67Nc44idsVzn+He9J96n5x/4G2C/XSe3m9NXAtg/gouL254KIt4rDIAF3bGd6udFAvaA9VJ3fpblD9bepubkByNYtETqe9Dg31hiRTWPSbqgRtpur75A3kAm2TqvCTUxO76D2RJZlpddqSdod2mUB30svwHAmN3EYzo43RFxkjp8h8MBNZmVS/8yVgQwKWh9ViLVl7
Source: unins000.dat.1.dr	Binary or memory string: DJ3B3R9GPhM8ubX8X8uHL/qJJzFqkQsBGVT/icaPs/dju3hIJusyi1qZxbMyn87yGUfG6OdVAEFDUW0hG03ENlioZCuNOE2NXTgWNy6OHxMqTMYnxQhFcWzTeImIERcWyY/hxlnHCMIk4jhxuNQ6TBzD4MbF2CQQTPExXJEgnB+nOI1hmxJsYFN7HS08niWVxMeh7///JjU7WT1QM44fFi8RSJPlcZAi4U+NB63wed4SQYJAyI/gx3VkKme7JIGqyDtcd34CX4gXIv/Zptw4N1GCOJovMcXHCxzDkPeybNNwrjCOb2rPsv1N5c7GbX/fOsu2C68s245OgzjLVjGe9t6O3o7Ozm6eo8aPlwe64/+5cWQfR772qzdsDOPh4TARHgNHwrPgs/ANWJPQnzCWEEBIJFwn3Cc8IbwmfCf0IOoTrYkkIoPoR5xIXECsIFYRa4inibXEOmID8TnRxq7M7qVdT1IqaSlpL6mGdJakQTYg9ydbkDnkcLKQPJucRz5Afk3uS2FS+JQEynzKe4ob1ZvKpa6g7qWWUyuoVdQa6mvqJ6ouzZh2wL7Jfj5nKaeOgygF5KfiCHAAHAbHwimAxwVwMbwJ3gN/gr8DXp0IowleBH8CnhhMlBIf2b2zsyWxSK4kP1IwKYK0grSBtIt0hlRPekLSIjuSEwAn7YCLKZQLlJeUUKqImkEtoO6g7qcepV6hvqJq0fRpRjRT2jAahRZMy6EtoW2lfaC50hfQH9DXM+oZY5l8ZgJzJ/Mu8wnzNfMjE8fSYumzjFimLBsWicVijWR5svxYXFY0ayprOmsVazfrGsuQPZA9mu3J9mNHsTPZm9im9i72Xva59nn21+zv2L+1b7fHcNQ5PTkGnP6cwRxLDswhc9gcV44PJ5ATxAnlhHOEnKmcRE4KZy6nhLORs5Ozl1PBqeac4VzgXOE84jzjtHA+clBFD+1C9n14IEyBc+ClcBIhk5BHOE9oAPP4lDCU6EAMIyYQW+xopEukEjKZyqQ6UkdRPai+1IlgJiKpYmoCNZWaRZ1HLaSupG6iloFxqaCepF6k3qA+ob6gfqZCNDWaNhgfS1oMQ8rIYcxjbGDsYxxjXGDcYTxmvGVATB0mgenEHMcMZ8Yyi5hnmNeY95mqYGwSWLNYR9j+9nH2y0CPNThDOMiNJmJ8NJXItdtGaiH1J7PIJlQ23ZHuQneje9DH0f3pE+hcehr9Mn0bYy+jlvGUYc/UYfVmBbFCWWJWPCuNlc3ayDJhD2VT2SPZo9gT2GHsSHYWewG7lL2TfYbdwL7Fbma/ZqvYs+xd7YWg7fn2hfaV9lyOlJPDOc95DEYOQl9iIL8/pgX3hg1hc3giHAHkbDtYC30JzoQdxCPEd8TvRAe7sXb+duF2U+0I5JHkMWRvsj95EvkU+Tz5GbkXJZgioMykbKbspFynDKSaURlAruaC0btAbabq0RxoPrR02jraZtoR2jHaQ1oTTY9uQreie9GD6JH0WHoSPYu+nb6PfpL+jJ7JaGa8YXxl6DLNmSQmgxnM5DFTmQuZS5jFzD3Mq8x+QLbmskpZW1gVrCesFtZnFpHNBH1PZ89mL2ZDIbJ3JHYEF0IgQUCYTigh7CGcIFwlPCN8JugQBxEJRCeiPzGCmEycS0y322m3z67GromiSe1NpVNdqWOpE6gkWiAtlJZNa6BRwPgXMlYwvjCwTA3mYBaH9Y6FYWsDub1t32KvA6R1GCePc5JTy7nEuYtK4itkPMEDwlv0xsMWJsNsOAueDR+HT8MX4Qb4JnwPfgV7EcYTJgPN8o6AI/Yi9iOyAE9jiYeBTjlDvEb8TITsVO1M7OLtltqts9tsd9DuqN1Fu6t2t+2eAh3zwe6rnTpJj9SfhCdZkuxI9qRkUgFpO2knZT+lgnIPyGkrdTKNR4ulbaRV0rQYLIYfYxIjjBHJEDJiGcsYlYzbjEeMJjDKrUBeP4K+QcwxTG+mH3M8M4h5jHme2cRsYb4Fa/sLcwBrFCuZlc7KArI7j5XPKmQtZa0Eo97MamW9ZX1kQfYZ9vfsZ3LWcZAn
Source: TCCTL32.DLL.5.dr	Binary or memory string: >localhost:%d%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesvirtualVMWarevirt0000000000%02X%02X%02X%02X%02X%02XBluetoothpfntcctlex.cppRtlIpv6AddressToStringWntdll.dllntohlTCREMOTETCBRIDGE%s=%s
Source: client32.exe, 0000000A.00000003.2164009514.0000000000590000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: client32.exe, 00000008.00000003.2082979500.00000000006FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_1116A559

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,

7_2_110CFCF0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11029230

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11178A14

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11030B10 SetUnhandledExceptionFilter,	7_2_11030B10
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_1116A559
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_1115E4D1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_685B28E1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B87F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_685B87F5
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_687E0807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	7_2_687E0807
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11030B10 SetUnhandledExceptionFilter,	8_2_11030B10
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_1116A559
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_1115E4D1

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError,

7_2_110F2280

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11027BE0 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,

7_2_11027BE0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_1109D4A0

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

7_2_1109DC20

Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Progman

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_11170208
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_1117053C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170499
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	7_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_11170106
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_111701AD
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_11170011
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_111703D9
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170500
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	7_2_685CDB7C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_685CDC56
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_685C1CC1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	7_2_685CDC99
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_685C1DB6
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_685C1E5D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_685C1EB8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_685C2089
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: EnumSystemLocalesA,	7_2_685C2151
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_685C2175
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_685C21DC
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_685C2218
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	7_2_687E888A
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	8_2_1117053C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	8_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_11170011
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170500
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170499

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1101D180 __time64,SetRect,GetLocalTime,

7_2_1101D180

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free,

7_2_1103B220

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_1109D4A0

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_6859A980

Yara detected NetSupport remote tool

Source: Yara match	File source: 8.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.688b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68890000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1985766789.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4190638856.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2081672435.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2163165064.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2042967524.000000000878D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083140759.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164182999.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, type: DROPPED

ID:	1546304
Product:	CloudBasic
Start time:	18:47:11
Start date:	31.10.2024
Sample:	Advanced_IP_Scanner_2.5.4594.12.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	446c29d515104b6752c1e9da981d4e5e
SHA1:	d52760df6b22805a4470a6b2e72654ce36577f30
SHA256:	7b13496fb45b51e821771d63bbd1d503f07710f676481ff34962b051283d8033
Filetype:	Win32 Executable (generic) a (10002005/4) 98.45%

Windows Analysis Report Advanced_IP_Scanner_2.5.4594.12.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Advanced_IP_Scanner_2.5.4594.12.exe